Security audit workflow - vulnerability scan β verification
security-scan
1
1
# Install this skill:
npx skills add Jacopalas/agentic-ai-palas --skill "security-scan"
Install specific skill from multi-skill repository
# Description
Basic security scanning for common vulnerabilities. Use when the user wants to check security, scan for vulnerabilities, find secrets, audit security, revisar seguridad, escanear vulnerabilidades, or check for exposed credentials.
# SKILL.md
name: security-scan
description: Basic security scanning for common vulnerabilities. Use when the user wants to check security, scan for vulnerabilities, find secrets, audit security, revisar seguridad, escanear vulnerabilidades, or check for exposed credentials.
metadata:
skillport:
category: security
tags: [security, scanning, vulnerabilities, secrets, audit]
/security-scan β Basic Security Scanning
Scan codebase for common security issues: exposed secrets, vulnerable patterns, and risky configurations.
Usage
/security-scan [target]
Arguments:
target(Optional): File or directory to scan. Defaults to current directory.
What Gets Scanned
1. Exposed Secrets
Patterns that indicate leaked credentials:
| Pattern | Examples |
|---|---|
| API Keys | api_key, apikey, api-key |
| Secrets | secret, password, passwd, pwd |
| Tokens | token, auth_token, access_token |
| Private Keys | private_key, -----BEGIN.*PRIVATE KEY----- |
| AWS | AKIA, aws_access_key_id, aws_secret_access_key |
| Database | DATABASE_URL, DB_PASSWORD, connection_string |
2. Dangerous Files
Files that should never be committed:
| File | Risk |
|---|---|
.env |
Environment variables with secrets |
.env.local |
Local environment overrides |
credentials.json |
Service account credentials |
*.pem, *.key |
Private keys |
id_rsa, id_ed25519 |
SSH private keys |
.npmrc with tokens |
npm authentication |
secrets.yaml |
Kubernetes secrets |
3. Risky Code Patterns
| Pattern | Language | Risk |
|---|---|---|
eval() |
JS/Python | Code injection |
exec() |
Python | Command injection |
dangerouslySetInnerHTML |
React | XSS vulnerability |
innerHTML = |
JS | XSS vulnerability |
shell=True |
Python subprocess | Command injection |
| SQL string concatenation | Any | SQL injection |
disable_ssl_verification |
Any | MITM vulnerability |
Behavior
- Scan for secrets: Search for exposed credentials
- Check dangerous files: Look for files that shouldn't exist
- Detect risky patterns: Find vulnerable code patterns
- Check .gitignore: Verify sensitive files are ignored
- Report findings: Summarize issues by severity
Commands
# Search for API keys and secrets (case insensitive)
rg -i "(api[_-]?key|secret|password|token|private[_-]?key)" --type-not binary -g "!node_modules" -g "!.git" -g "!*.lock"
# Search for AWS credentials
rg "AKIA[A-Z0-9]{16}" --type-not binary -g "!node_modules" -g "!.git"
rg -i "aws_(access_key|secret)" --type-not binary -g "!node_modules" -g "!.git"
# Search for private key blocks
rg "BEGIN.*PRIVATE KEY" --type-not binary -g "!node_modules" -g "!.git"
# Find dangerous files
find . -name ".env" -o -name ".env.*" -o -name "*.pem" -o -name "*.key" -o -name "id_rsa" -o -name "credentials.json" 2>/dev/null | grep -v node_modules | grep -v .git
# Search for eval/exec patterns
rg "eval\s*\(" --type js --type ts --type py -g "!node_modules"
rg "dangerouslySetInnerHTML" --type js --type ts -g "!node_modules"
rg 'innerHTML\s*=' --type js --type ts -g "!node_modules"
# Check if .env is in .gitignore
grep -E "^\.env" .gitignore 2>/dev/null || echo "WARNING: .env not in .gitignore"
Output Format
Clean Scan
π Security Scan: ./src
Secrets: 0 found
Dangerous files: 0 found
Risky patterns: 0 found
.gitignore: β
.env is ignored
β
No security issues detected
Issues Found
π Security Scan: ./src
β οΈ SECRETS FOUND (3):
src/config.js:12 β api_key = "sk-..."
src/database.js:5 β password: "hardcoded"
.env.example:3 β Contains actual API key
π¨ DANGEROUS FILES (2):
.env β Contains credentials, check .gitignore
credentials.json β Service account file
β οΈ RISKY PATTERNS (1):
src/utils.js:45 β eval() usage
π RECOMMENDATIONS:
1. Move secrets to environment variables
2. Add .env to .gitignore
3. Remove credentials.json from repo
4. Replace eval() with safer alternative
Severity Levels
| Level | Icon | Examples |
|---|---|---|
| Critical | π¨ | Private keys, AWS credentials, database passwords |
| Warning | β οΈ | Generic API keys, eval usage, .env exposure |
| Info | βΉοΈ | Potential false positives, best practice suggestions |
False Positive Handling
Some matches are expected:
passwordin form field namestokenin JWT handling code- Example values in documentation
- Test fixtures with fake credentials
Review each finding in context before taking action.
Examples
/security-scan
β Scans current directory
/security-scan src/
β Scans only src/ directory
/security-scan package.json
β Checks single file for embedded secrets
Limitations
This is a basic security scan. For comprehensive security:
- Use dedicated tools (Snyk, Dependabot, Trivy)
- Run dependency audits (
npm audit,pip-audit) - Perform penetration testing
- Follow OWASP guidelines
Notes
- Excludes
node_modules/,.git/, and lock files by default - Uses ripgrep (
rg) for fast searching - Review findings manually β context matters
- Consider adding pre-commit hooks to prevent secret commits
# Related Skills
Security-first PR review checklist for this repo. Use when reviewing diffs/PRs, especially...
Professional network reconnaissance and port scanning using nmap. Supports various scan types...
ONVIF device security scanner for testing authentication and brute-forcing credentials. Use when...
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.