skill-file-security
Health: Warning
- No license — Repository has no license file
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 12 GitHub stars
Code: Failed
- eval() — Dynamic code execution via eval() in templates/continue/config.yaml
- network request — Outbound network request in templates/security-headers/cloudflare-workers.js
Permissions: Passed
- Permissions — No dangerous permissions requested
This tool installs a set of configuration and instruction files into your project via `npx` to teach AI coding assistants (like Cursor, Copilot, or Claude) to automatically flag security vulnerabilities while you code.
Security Assessment
The overall risk is Medium. The tool works locally by injecting rule files into your development environment, but the static audit raised some significant flags. It fails a critical code check due to the use of dynamic code execution via `eval()` found in one of its template configuration files (`.continue/config.yaml`). Additionally, it makes outbound network requests within its Cloudflare workers template. It does not require dangerous system permissions, and no hardcoded secrets were detected.
Quality Assessment
The project appears to be actively maintained, with its last repository push occurring today. It has a small but growing community footprint with 12 GitHub stars. However, the repository lacks an actual license file on GitHub, despite claiming to be MIT-licensed in the README. This discrepancy means the legal terms of use are technically unclear, which is a notable oversight for a tool designed to enforce security and best practices.
Verdict
Use with caution — while the concept is highly useful and actively maintained, developers should investigate the `eval()` usage and missing license file before fully integrating it.
One command. 29 battle-tested security checks built into every AI coding assistant you already use without leaving your IDE.
Your AI coding assistant just became a security engineer.
Install it. Right now.
Interactive mode (asks which AI you use):
npx @netxeo/security-skill
Fast mode (skips the prompt and only injects the file you need):
npx @netxeo/security-skill --claude
npx @netxeo/security-skill --cursor
npx @netxeo/security-skill --windsurf
npx @netxeo/security-skill --cline
npx @netxeo/security-skill --copilot
That's it. Run this in any project. Then type /security-scan in your AI.
What just happened?
📦 Installing security-skill...
✅ Skill files installed → .skills/security/
✅ memory-security.md created
✅ .gitignore updated (6 security entries added)
Configuring AI assistants...
✅ CLAUDE.md created ← Claude / Antigravity
✅ AGENTS.md created ← OpenAI Codex CLI
✅ GEMINI.md created ← Gemini Code Assist
✅ .cursorrules created ← Cursor
✅ .cursor/rules/security.mdc ← Cursor (new format)
✅ .windsurfrules created ← Windsurf
✅ .clinerules created ← Cline
✅ .github/copilot-instructions.md ← GitHub Copilot+
✅ .continue/config.yaml created ← Continue.dev
⚡ Run /security-scan in your AI to get started!
Your AI now knows 25 security categories. It will flag vulnerabilities while you code, not after.
See it in action
You: /security-audit
╔══════════════════════════════════════════════════╗
║ 🔐 SECURITY AUDIT — myproject ║
║ Stack: Next.js · Supabase · Vercel ║
╠══════════════════════════════════════════════════╣
║ ║
║ SECURITY SCORE : 61 / 100 🟠 ║
║ ║
╠══════════════════════════════════════════════════╣
║ 🔴 Secrets & Files 12/20 ← FIX NOW ║
║ 🟢 Auth & Sessions 16/20 ║
║ 🔴 Database (Supabase RLS) 8/20 ← FIX NOW ║
║ 🟡 HTTP Headers 12/20 ║
║ 🟢 Source Code 18/20 ║
║ ... 20 more categories... ║
╠══════════════════════════════════════════════════╣
║ 🔴 2 critical 🟠 3 high 🟡 4 medium ║
╚══════════════════════════════════════════════════╝
🔴 CRITICAL #1 — Supabase service role key in frontend code
Found: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY in .env.local
Risk: Full database access exposed to browser
Fix: /security-fix supabase-key
🔴 CRITICAL #2 — RLS disabled on 3 tables
Found: users, orders, messages (no row-level security)
Risk: Any authenticated user can read all data
Fix: /security-fix rls
📄 Full report → security-report.md
Commands
| Command | What it does |
|---|---|
| /security-scan | 30-second scan, critical issues only |
| /security-audit | Full audit + score /100 + report file |
| /security-fix | Applies fixes — always asks before touching code |
| /security-status | Score history from memory-security.md |
| /security-history | Shows before→after audit comparison to prove value |
| /security-incident | Full incident response playbook |
Coverage
100% of OWASP, 100% of CWE Top 25 — without installing a single extra tool.
📋 CWE Top 25 — Full list
| # | CWE | What we check |
|---|---|---|
| 1 | CWE-787 Out-of-bounds Write | Buffer.alloc(), safe allocation |
| 2 | CWE-79 XSS | textContent vs innerHTML, CSP nonces |
| 3 | CWE-89 SQL Injection | Parameterized queries everywhere |
| 4 | CWE-416 Use After Free | Event listener cleanup, memory lifecycle |
| 5 | CWE-78 OS Command Injection | execFile() with argument arrays |
| 6 | CWE-20 Improper Input Validation | Allowlists, schema validation (Zod) |
| 7 | CWE-125 Out-of-bounds Read | Buffer bounds, user-controlled sizes |
| 8 | CWE-22 Path Traversal | Path normalization, filename sanitization |
| 9 | CWE-352 CSRF | SameSite cookies + Sec-Fetch headers |
| 10 | CWE-434 Unrestricted Upload | MIME from bytes, size limits, web root |
| 11 | CWE-862 Missing Authorization | All routes checked for auth middleware |
| 12 | CWE-476 NULL Pointer Dereference | Null safety patterns on DB results |
| 13 | CWE-287 Improper Authentication | bcrypt cost, timing attacks, lockout |
| 14 | CWE-190 Integer Overflow | Price/quantity bounds validation |
| 15 | CWE-502 Deserialization | pickle.loads, yaml.load → safe_load |
| 16 | CWE-77 Command Injection | No shell: true, no string commands |
| 17 | CWE-119 Buffer Overflow | Buffer.alloc vs new Buffer |
| 18 | CWE-798 Hard-coded Credentials | Secret scanning in all files |
| 19 | CWE-918 SSRF | URL allowlist before any fetch() |
| 20 | CWE-306 Missing Auth Check | Route-level auth middleware scan |
| 21 | CWE-362 Race Condition | Atomic ops, distributed locks |
| 22 | CWE-269 Privilege Mismanagement | Least privilege, no root in Docker |
| 23 | CWE-94 Code Injection | No eval(), new Function(), dynamic require |
| 24 | CWE-863 Incorrect Authorization | Ownership check on every resource |
| 25 | CWE-276 Incorrect Permissions | File/DB/container permissions |
- ✅ OWASP Web Top 10 (2025)
- ✅ OWASP API Security Top 10
- ✅ OWASP Mobile Top 10
- ✅ OWASP LLM/AI Top 10
- ✅ OWASP Docker Top 10
- ✅ OWASP Serverless Top 10
- ✅ OWASP Cloud-Native Top 10
01 Secrets & Files 08 Deployment & CI/CD 15 DNS & Email
02 Network & CORS 09 Docker Security 16 Supply Chain
03 HTTP Headers 10 Protocols (GQL/WS) 17 Mobile Security
04 Auth & Sessions 11 Advanced Attacks 18 Compliance & GDPR
05 Cryptography 12 All Injections 19 Monitoring & Honeytokens
06 JWT Security 13 Race Conditions 20 Serverless & Edge
07 Database Security 14 File Upload 21 Source Code Analysis
22 AI/LLM Security
23 Bot & DDoS
24 Browser APIs
25 Modern Security
Compatible with your AI
Works out-of-the-box with every major AI coding assistant. No manual setup.
| AI Assistant | Auto-configured via |
|---|---|
| Claude / Antigravity | CLAUDE.md |
| Cursor | .cursorrules + .cursor/rules/security.mdc |
| GitHub Copilot+ | .github/copilot-instructions.md |
| Windsurf | .windsurfrules |
| Cline | .clinerules |
| OpenAI Codex CLI | AGENTS.md |
| Continue.dev | .continue/config.yaml |
| Aider | .aider.conf.yml |
| Gemini Code Assist | GEMINI.md |
How it works
1. npx @netxeo/security-skill
└─ installs 29 security instruction files to .skills/security/
└─ creates memory-security.md (tracks your score over time)
└─ creates AI config files for every assistant on your machine
└─ hardens .gitignore
2. /security-scan
└─ AI reads skill.md
└─ auto-detects your stack (Next.js? Express? Docker? Firebase?)
└─ runs the right checks for YOUR specific setup
└─ gives you a prioritized list, most critical first
3. /security-fix
└─ shows you the diff
└─ always asks before modifying anything
└─ zero breaking changes guaranteed
What developers say after their first scan
"Found a Supabase RLS misconfiguration that would have exposed all user data."
"Caught a hardcoded OpenAI key that was about to go to production."
"Finally understand what CSP headers actually do."
Philosophy
🎯 Signal vs Noise — Highly selective. Prioritizes practical fixes and avoids overwhelming you with overly strict or theoretical noise.
🔧 Non-destructive — Never auto-applies changes. You approve every fix.
📚 Educational — Explains why something is risky in simple terms instead of blindly giving patches, helping you actually learn.
⚡ Zero setup — No config, no API keys, no cloud service. Pure AI instructions.
🔄 Living memory — memory-security.md tracks your score across sessions.
🌍 Stack-agnostic — Works on Next.js, Express, Django, Laravel, Rails, Spring Boot, and more.
Security Score
After your first audit, your score lives in memory-security.md:
| Date | Score | Critical | High | Notes |
|------------|--------|----------|------|--------------------|
| 2025-05-01 | 61/100 | 2 | 3 | First audit |
| 2025-05-03 | 84/100 | 0 | 1 | Fixed RLS + secret |
| 2025-05-10 | 97/100 | 0 | 0 | 🟢 Excellent |
Contributing
Found a missing vulnerability pattern? Open a PR.
The skill is 29 Markdown files. No build step. No TypeScript. Just knowledge.
instructions/
├── 01-secrets-management.md
├── 07-database-security.md
├── 22-ai-llm-security.md
└── ... 26 more
License
MIT — free forever.
⭐ Star this repo if it helped you catch a bug before production.
Covers: CWE Top 25 · OWASP Top 10 (7 lists) · ASVS Level 1-2-3