Security Skill

Security validation, vulnerability scanning, and compliance checking.

Activation

Auto-activates on keywords: security, vulnerability, audit, OWASP, encryption, GPG, SSH, signing, secrets, scan, bandit

Workflows

Environment Validation

validate-env.md: GPG/SSH key validation

Scanning

scan.md: Security vulnerability scanning

Encryption

encrypt.md: Secret encryption and management

Commands

# Validate GPG key
gpg --list-secret-keys

# Validate SSH key
ssh-add -l

# Check git signing configuration
git config --get user.signingkey

# Run Bandit security scanner
uv run bandit -r src/ -c pyproject.toml

# Check dependencies for vulnerabilities
uv run pip-audit
uv run safety check

# Run Semgrep security rules
uv run semgrep scan --config auto src/

Security Checklist

Pre-Commit

No secrets in code (checked by gitleaks)
Dependencies scanned for vulnerabilities
Bandit security scan passes

Pre-Release

All known vulnerabilities addressed
Security advisory published (if applicable)
Dependencies updated to secure versions

OWASP Top 10 Considerations

Injection: Use parameterized queries, validate input
Broken Authentication: Use secure session management
Sensitive Data Exposure: Encrypt sensitive data at rest and in transit
XML External Entities: Disable external entity processing
Broken Access Control: Implement proper authorization checks
Security Misconfiguration: Use secure defaults
XSS: Escape output, use Content Security Policy
Insecure Deserialization: Validate and sanitize serialized data
Using Components with Known Vulnerabilities: Keep dependencies updated
Insufficient Logging: Log security events, monitor for anomalies

aiskillstore-security

Security Skill

Activation

Workflows

Environment Validation

Scanning

Encryption

Commands

Security Checklist

Pre-Commit

Pre-Release

OWASP Top 10 Considerations