with one click
security
Rapid security assessment focused on OWASP Top 10 vulnerabilities
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Rapid security assessment focused on OWASP Top 10 vulnerabilities
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Clean up stale git worktrees with merged branch detection and disk usage report
Safely remove a git worktree with branch cleanup and safety checks
Create isolated git worktrees for feature development without switching branches
Check status of background verification tasks running in a git worktree
Perform a comprehensive code review of a pull request
Display native sandbox status, configuration, and recent violations
| name | security |
| description | Rapid security assessment focused on OWASP Top 10 vulnerabilities |
| argument-hint | [path] [--depth quick|full] |
| effort | medium |
| when_to_use | Use when reviewing code for security vulnerabilities or before merging sensitive changes. |
| disable-model-invocation | true |
Rapid security assessment focused on OWASP Top 10 vulnerabilities.
Perform a quick security scan to identify common vulnerabilities:
# Common secret patterns
grep -rn --include="*.{js,ts,py,go,java,rb,php,env}" \
-E "(password|secret|api_key|apikey|token|auth|credential).*[=:].*['\"][^'\"]{8,}['\"]" \
--exclude-dir={node_modules,vendor,.git,dist,build} . 2>/dev/null | head -20
# .env files that might be committed
find . -name ".env*" -not -path "*/node_modules/*" -type f 2>/dev/null
# Check if secrets are gitignored
[ -f ".gitignore" ] && grep -q "\.env" .gitignore && echo "✅ .env in .gitignore" || echo "⚠️ .env NOT in .gitignore"
# SQL injection patterns (raw queries with string concat)
grep -rn --include="*.{js,ts,py,go,java,php}" \
-E "(query|execute|raw|sql).*\+.*\$|f['\"].*SELECT|\.format\(.*SELECT" \
--exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15
# Command injection patterns
grep -rn --include="*.{js,ts,py,go,rb,php}" \
-E "(exec|spawn|system|shell_exec|popen)\s*\(" \
--exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -15
# Dangerous innerHTML/dangerouslySetInnerHTML usage
grep -rn --include="*.{js,ts,jsx,tsx,vue}" \
-E "(innerHTML|dangerouslySetInnerHTML|v-html)" \
--exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -15
# Unescaped template literals in HTML context
grep -rn --include="*.{js,ts,jsx,tsx}" \
-E "\`.*\$\{.*\}.*<" \
--exclude-dir={node_modules,.git,dist} . 2>/dev/null | head -10
# Check for known vulnerabilities in npm packages
[ -f "package-lock.json" ] && npm audit --json 2>/dev/null | jq '{vulnerabilities: .metadata.vulnerabilities}' 2>/dev/null
# Check for outdated packages with security issues
[ -f "package.json" ] && npm outdated --json 2>/dev/null | jq 'to_entries | map(select(.value.current != .value.latest)) | length' 2>/dev/null
# Hardcoded JWT secrets
grep -rn --include="*.{js,ts,py,go}" \
-E "(jwt|JWT).*secret.*[=:].*['\"].{8,}['\"]" \
--exclude-dir={node_modules,vendor,.git} . 2>/dev/null
# Missing CSRF protection patterns
grep -rn --include="*.{js,ts,py}" \
-E "(POST|PUT|DELETE|PATCH).*fetch|axios\.(post|put|delete|patch)" \
--exclude-dir={node_modules,vendor,.git} . 2>/dev/null | head -10
Scan Date: [timestamp] Scope: [directory scanned]
| Issue | Location | Description |
|---|---|---|
| [type] | [file:line] | [brief description] |
| Issue | Location | Recommendation |
|---|---|---|
| [type] | [file:line] | [fix suggestion] |
| Issue | Location | Note |
|---|---|---|
| [type] | [file:line] | [context] |
| Level | Examples | Action |
|---|---|---|
| 🔴 Critical | Hardcoded prod secrets, SQL injection | Fix immediately |
| 🟠 High | Missing auth, XSS vectors | Fix before deploy |
| 🟡 Medium | Outdated deps, missing CSRF | Plan remediation |
| 🟢 Low | Best practice violations | Track for improvement |
Full audit:
/security
Focus on specific area:
/security auth
/security deps
/security injection
Specific file/directory:
/security src/api/
examples/hooks/security-hooks.sh for automated pre-commit security checks$ARGUMENTS