Skills

security-ops

Installation
SKILL.md

Security Operations

Orchestrator for security auditing. Detects project stack inline, dispatches three parallel audit agents (dependency, SAST, auth/config review), consolidates into a severity-ranked OWASP-mapped report.

Architecture

User requests security audit or mentions security concern
    |
    +---> T1: Detect (inline, fast)
    |       +---> Identify languages/frameworks in project
    |       +---> Check installed audit tools
    |       +---> Determine scope (changed files vs full codebase)
    |       +---> Present: detection summary + recommended audit
    |
    +---> T2: Audit (3 parallel agents, background)
    |       +---> Agent 1: Dependency Audit
    |       |       +---> Run pip-audit, npm audit, govulncheck, cargo audit, trivy
    |       |       +---> Report: CVE IDs, severity, affected + fix versions
    |       |
    |       +---> Agent 2: Code Pattern Scan (SAST)
    |       |       +---> Hardcoded secrets, injection, XSS, eval, shell, weak crypto
    |       |       +---> Report: file:line, pattern, severity, fix suggestion
    |       |
    |       +---> Agent 3: Auth & Config Review
    |       |       +---> Session, CSRF, CORS, CSP, JWT, OAuth, rate limiting, env vars
    |       |       +---> Report: finding, severity, OWASP category, remediation
    |       |
    |       +---> Consolidate: deduplicate, rank by severity, map to OWASP Top 10
    |
    +---> T3: Remediate (dispatch to language expert, foreground + confirm)
            +---> Expert proposes specific fixes
            +---> Preflight: what changes, security impact, risk of breaking
            +---> User confirms
            +---> Apply fixes

Safety Tiers

Operation Tier Execution
Detect languages/frameworks T1 Inline
Check installed audit tools T1 Inline
Determine scope (changed vs all) T1 Inline
Dependency vulnerability scan T2 Agent 1 (bg)
Code pattern scan (SAST) T2 Agent 2 (bg)
Auth & config review T2 Agent 3 (bg)
Consolidate findings T2 Inline (after agents return)
Fix vulnerability in code T3 Expert agent + confirm
Update vulnerable dependency T3 Expert agent + confirm
Add security headers T3 Expert agent + confirm

T1: Detect - Run Inline

Check Command / Method
Python project Check for requirements.txt, pyproject.toml, Pipfile
Node.js project Check for package.json, package-lock.json
Go project Check for go.mod
Rust project Check for Cargo.toml
Docker Check for Dockerfile, docker-compose.yml
pip-audit available which pip-audit 2>/dev/null
npm audit available which npm 2>/dev/null
govulncheck available which govulncheck 2>/dev/null
cargo-audit available which cargo-audit 2>/dev/null
trivy available which trivy 2>/dev/null
Scope: changed files git diff --name-only HEAD
Scope: full codebase fd -e py -e js -e ts -e go -e rs

T2: Audit - Dispatch 3 Parallel Agents

All audit agents use model="sonnet", run_in_background=True. All are read-only - instruct them explicitly to never edit files.

Agent 1: Dependency Audit

You are a security dependency auditor. Your job is to find vulnerable dependencies.

## Domain Knowledge
First, read this script for audit commands:
- Read: skills/security-ops/scripts/dependency-audit.sh

## Scope
- Languages detected: {languages from T1}
- Audit tools available: {tools from T1}

## Instructions
1. Run the appropriate audit tool for each detected language:
   - Python: `pip-audit` or `safety check`
   - Node.js: `npm audit --audit-level=moderate`
   - Go: `govulncheck ./...`
   - Rust: `cargo audit`
   - Docker: `trivy config Dockerfile`
2. For each vulnerability found, report:
   - Package name and version
   - CVE ID (if available)
   - Severity (Critical/High/Medium/Low)
   - Fixed version (if available)
   - Brief description
3. If an audit tool is not installed, note which tool is missing and what command installs it

IMPORTANT: Do NOT edit any files. This is a read-only audit.

## Output Format
Report findings as a severity-ranked table.

Agent 2: Code Pattern Scan (SAST)

You are a security code scanner. Your job is to find vulnerability patterns in source code.

## Domain Knowledge
First, read these files for scan patterns and OWASP context:
- Read: skills/security-ops/scripts/security-scan.sh
- Read: skills/security-ops/references/owasp-detailed.md

## Scope
- Files to scan: {scope from T1 - changed files or full codebase}
- Languages: {languages from T1}

## Scan Categories
For each language detected, search for these patterns using ripgrep:

**Injection (OWASP A03):**
- SQL injection: f-strings/format in execute(), string concatenation in queries
- Command injection: os.system(), subprocess with shell=True, exec(), eval()
- XSS: innerHTML assignment, document.write(), dangerouslySetInnerHTML without sanitization

**Hardcoded Secrets (OWASP A02):**
- API keys, passwords, tokens assigned as string literals
- .env files tracked in git
- Private keys in source

**Insecure Crypto (OWASP A02):**
- MD5 or SHA1 for passwords (use bcrypt/argon2)
- ECB mode encryption
- Hardcoded encryption keys

**Insecure Deserialization (OWASP A08):**
- pickle.loads on untrusted data (Python)
- JSON.parse without validation
- yaml.load without SafeLoader

## Instructions
1. Use `rg` (ripgrep) for pattern matching across the codebase
2. Use `ast-grep` for structural patterns if available
3. For each finding, report: file:line, pattern matched, OWASP category, severity, fix suggestion
4. Distinguish between confirmed issues and potential false positives

IMPORTANT: Do NOT edit any files. This is a read-only scan.

## Output Format
Group findings by OWASP category, sorted by severity within each group.

Agent 3: Auth & Config Review

You are a security reviewer specializing in authentication, authorization, and security configuration.

## Domain Knowledge
First, read these files for auth patterns and header requirements:
- Read: skills/security-ops/references/auth-patterns.md
- Read: skills/security-ops/references/secure-headers.md

## Scope
- Files to review: {scope from T1}
- Framework: {detected framework}

## Review Checklist

**Authentication (OWASP A07):**
- Password hashing: bcrypt/argon2 with cost factor 12+?
- Session tokens: cryptographically random, sufficient length?
- Cookie flags: HttpOnly, Secure, SameSite set?
- Rate limiting on login endpoints?
- Account lockout after failed attempts?
- MFA support for sensitive operations?

**Authorization (OWASP A01):**
- Server-side permission checks on all endpoints?
- Default deny policy?
- IDOR protection (verify ownership before access)?
- Role-based or attribute-based access control?

**Security Configuration (OWASP A05):**
- CSP header configured?
- HSTS enabled with appropriate max-age?
- X-Frame-Options or frame-ancestors in CSP?
- CORS policy restrictive (not wildcard)?
- Debug mode disabled in production config?
- Error messages don't leak internal details?

**Session Management:**
- Session timeout configured?
- Session invalidation on logout?
- Session regeneration on privilege change?
- Tokens not exposed in URLs?

## Instructions
1. Read auth-related files (login, session, middleware, config)
2. Check each item on the review checklist
3. For each finding: describe the issue, rate severity, cite OWASP category, suggest fix
4. Note items that pass as well as items that fail

IMPORTANT: Do NOT edit any files. This is a read-only review.

## Output Format
Checklist-style report with PASS/FAIL/N-A for each item, findings grouped by category.

Consolidation

After all 3 agents return, consolidate inline:

  1. Deduplicate - Remove findings that appear in multiple agents (e.g., hardcoded secret found by both Agent 1 and Agent 2)
  2. Rank by severity:
    • Critical: Remote code execution, SQL injection, exposed secrets in production
    • High: XSS, broken auth, missing access control, known CVE with exploit
    • Medium: Weak crypto, missing security headers, insecure defaults
    • Low: Informational, best practice suggestions, TODO items
  3. Map to OWASP Top 10 - Tag each finding with its OWASP category
  4. Generate report (see Report Format below)

T3: Remediate - Expert Dispatch with Confirmation

When user wants to fix findings, dispatch to the appropriate language expert.

Language routing (same as perf-ops):

Finding Type Expert Agent
Python vulnerability python-expert
Node.js/JS vulnerability javascript-expert
TypeScript vulnerability typescript-expert
Go vulnerability go-expert
Rust vulnerability rust-expert
SQL injection / DB security postgres-expert
General / config / headers general-purpose

Dispatch template (T3 preflight):

You are handling a security remediation dispatched by the security-ops orchestrator.

## Domain Knowledge
First, read for context:
- Read: skills/security-ops/references/owasp-detailed.md

## Finding to Fix
{specific finding from audit report}

IMPORTANT: Do NOT apply changes yet. Produce a Preflight Report:
1. Exactly what code/config changes you will make
2. Security impact of the fix
3. Risk of breaking existing functionality
4. How to verify the fix works
5. How to revert if the fix causes issues

After user confirms, re-dispatch with execute authority.

Report Format

# Security Audit Report

**Scope:** {X files changed | Full codebase}
**Languages:** {detected}
**Scan Time:** {duration}

## Summary

| Category | Findings | Critical | High | Medium | Low |
|----------|----------|----------|------|--------|-----|
| Dependencies | X | X | X | X | X |
| Code Patterns | X | X | X | X | X |
| Auth & Config | X | X | X | X | X |

## Critical Findings
{details with file:line, OWASP mapping, fix suggestion}

## High Findings
{details}

## Medium Findings
{details}

## Low Findings
{details}

## Passed Checks
{items that passed the auth/config review}

Fallback: When Agents Are Unavailable

If agent dispatch fails, fall back to inline scanning:

  1. Run scripts/dependency-audit.sh directly via Bash
  2. Run scripts/security-scan.sh directly via Bash
  3. Manually check auth patterns using ripgrep
  4. Present combined results (less structured than agent-based audit)

Quick Reference

Task Tier Execution
Detect project stack T1 Inline
Check audit tools T1 Inline
Dependency scan T2 Agent 1 (bg)
Code pattern scan T2 Agent 2 (bg)
Auth & config review T2 Agent 3 (bg)
Consolidate report T2 Inline
Fix vulnerability T3 Expert + confirm
Update dependency T3 Expert + confirm

Reference Files

File Contents
references/audit-quickref.md OWASP table, input validation, output encoding, auth checklist, secrets rules
references/owasp-detailed.md Full OWASP Top 10 with examples and prevention strategies
references/auth-patterns.md JWT, OAuth2, session management, bcrypt, argon2, MFA
references/crypto-patterns.md AES-GCM, RSA, key management, hashing, digital signatures
references/secure-headers.md CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy

Scripts

Script Purpose
scripts/dependency-audit.sh Multi-language dependency vulnerability scanner
scripts/security-scan.sh ripgrep-based code pattern security scanner

See Also

Skill When to Combine
auth-ops Deep authentication/authorization implementation patterns
testing-ops Security-focused test case generation
monitoring-ops Security event logging and alerting
debug-ops Investigating security incidents
Related skills

More from 0xdarkmatter/claude-mods

Installs
16
Repository
0xdarkmatter/claude-mods
GitHub Stars
17
First Seen
Mar 9, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail