name: security-audit
description: "Self-security scan of SuperPAI configuration with graded report"
triggers:
- security audit
- audit security
- self scan
- shield scan
- check security

Security Audit Skill (SuperPAI Shield)

Scan the SuperPAI plugin for security issues and produce a graded report.

Scan Categories

1. Secrets (scan skills, hooks, memory, configs)

• API keys, tokens, passwords (regex patterns)
• Base64-encoded secrets > 50 chars
• Private keys (SSH, GPG, TLS markers)
• Connection strings with credentials

2. Permissions

• Overly broad allowedTools in settings
• dangerouslySkipPermissions enabled anywhere
• Unrestricted agent tool access

3. Hook Safety

• Unquoted variables in shell scripts (command injection risk)
• eval usage in hooks
• Hooks that download/execute remote code
• Missing input validation

4. MCP Security

• Unverified MCP server sources
• MCP servers without authentication
• Excessive tool permissions

5. Memory Integrity

• Instruction-like patterns in memory files ("you must", "ignore previous", "system:")
• Zero-width Unicode characters (U+200B, U+200C, U+200D, U+FEFF)
• Hidden HTML comments with instructions
• Base64-encoded strings in markdown

6. Supply Chain

• Outdated npm dependencies with known issues
• Unverified external URLs in skills/agents

7. Agent Safety

• Agents with unrestricted tool access
• Missing output validation
• Recursive spawning without depth limits

Scan Procedure

For each category:
1. Use Grep to scan relevant files for patterns
2. Classify findings by severity: CRITICAL, HIGH, MEDIUM, LOW
3. Score: start at 100, subtract per finding (CRITICAL=-15, HIGH=-8, MEDIUM=-3, LOW=-1)

Output Format

SuperPAI Shield Scan Report
===========================
Date: {date} | Version: {version}

Grade: {A-F} ({score}/100)

CRITICAL ({count}): {details}
HIGH ({count}):     {details}
MEDIUM ({count}):   {details}
LOW ({count}):      {details}

Recommendations:
1. {actionable fix for highest severity}
2. ...

Grading: A(90-100) B(80-89) C(70-79) D(60-69) F(<60)