{"id":"a54872f4-b25a-48c8-84f4-2e90acb38b9d","shortId":"dVvXUT","kind":"skill","title":"code-security","tagline":"Security audit and vulnerability detection. Use when reviewing code for security issues, scanning dependencies, or addressing security concerns. Triggers on \"security\", \"vulnerability\", \"audit\", \"CVE\", \"injection\", \"XSS\", \"SQL injection\", \"auth\", or when the user asks to check fo","description":"# Code Security\n\nSecurity audit workflow and checklist.\n\n## The Workflow\n\n### 1. Scan\n\nRun automated security tools.\n\n```bash\n# Check dependencies\nnpm audit\npip audit\ncargo audit\n\n# Run security scanner\ntrivy fs .\nsnyk test\n```\n\n### 2. Review\n\nManual code review against checklist.\n\nSee references/owasp-top-10.md for common vulnerabilities.\n\n### 3. Fix\n\nRemediate vulnerabilities found.\n\n### 4. Verify\n\nRe-scan to confirm fixes.\n\n---\n\n## Security Checklist\n\n### Injection\n\n| Check | Pattern |\n|-------|---------|\n| SQL | Parameterized queries |\n| Command | No shell execution with user input |\n| XSS | Escape/validate output |\n| LDAP | Escape DN components |\n\n### Authentication\n\n| Check | Pattern |\n|-------|---------|\n| Passwords | Hash with bcrypt/argon2 |\n| Sessions | Secure, httpOnly cookies |\n| Tokens | Short-lived, proper validation |\n| MFA | Consider for sensitive ops |\n\n### Data Protection\n\n| Check | Pattern |\n|-------|---------|\n| Secrets | Never in code |\n| PII | Encrypt at rest |\n| Transport | HTTPS only |\n| Logs | No sensitive data |\n\n### Dependencies\n\n| Check | Pattern |\n|-------|---------|\n| Vulnerabilities | Scan regularly |\n| Outdated | Update promptly |\n| Sources | Trusted packages only |\n\n---\n\n## Common Vulnerabilities\n\nSee references/vulnerability-patterns.md for detailed patterns:\n\n### SQL Injection\n\n```python\n# BAD\nquery = f\"SELECT * FROM users WHERE id = {user_id}\"\n\n# GOOD\nquery = \"SELECT * FROM users WHERE id = %s\"\ncursor.execute(query, (user_id,))\n```\n\n### XSS\n\n```javascript\n// BAD\nelement.innerHTML = userInput;\n\n// GOOD\nelement.textContent = userInput;\n// or\nelement.setAttribute('title', sanitize(userInput))\n```\n\n### Command Injection\n\n```python\n# BAD\nos.system(f\"ping {host}\")\n\n# GOOD\nsubprocess.run(['ping', host])\n```\n\n### Hardcoded Secrets\n\n```javascript\n// BAD\nconst apiKey = \"sk_live_12345\";\n\n// GOOD (environment variable)\nconst apiKey = process.env.API_KEY;\n```\n\n---\n\n## Tools\n\nSee references/security-tools.md for setup and usage:\n\n| Tool | Ecosystem | Purpose |\n|------|-----------|---------|\n| npm audit | Node.js | Dependency vulnerabilities |\n| pip-audit | Python | Dependency vulnerabilities |\n| cargo-audit | Rust | Dependency vulnerabilities |\n| Snyk | Multi | Vulnerability scanning |\n| Trivy | Multi | Container/infra scanning |\n| OWASP ZAP | Multi | Web app scanning |\n| bandit | Python | Static analysis |\n| ESLint security | JS/TS | Static analysis |\n\n---\n\n## Output Format\n\nAfter security audit:\n\n```markdown\n## Security Audit\n\n### Scan Results\n- Dependencies: 0 vulnerabilities\n- Static analysis: 1 issue found\n\n### Issues Found\n\n| Severity | Issue | Location | Fix |\n|----------|-------|----------|-----|\n| High | SQL injection | users.py:42 | Use parameterized query |\n| Medium | Hardcoded secret | config.js:5 | Use env var |\n\n### Recommendations\n1. Enable 2FA for admin accounts\n2. Rotate API keys quarterly\n3. Set up automated dependency scanning\n```\n\n---\n\n## Skill Loading\n\n- For database issues → load python-sqlalchemy or typescript-drizzle-orm\n- For auth issues → load relevant auth patterns\n- For deployment security → load infra skills if available","tags":["code","security","atelier","martinffx","agent-skills","agentic-coding","anthropic","claude-code","claude-skills","code-review","codex","codex-skill"],"capabilities":["skill","source-martinffx","skill-code-security","topic-agent-skills","topic-agentic-coding","topic-anthropic","topic-claude-code","topic-claude-skills","topic-code-review","topic-codex","topic-codex-skill","topic-opencode","topic-prompt-engineering","topic-sdd","topic-spec-driven-development"],"categories":["atelier"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/martinffx/atelier/code-security","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add martinffx/atelier","source_repo":"https://github.com/martinffx/atelier","install_from":"skills.sh"}},"qualityScore":"0.461","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 23 github stars · SKILL.md body (3,127 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:05:22.421Z","embedding":null,"createdAt":"2026-05-10T07:03:11.329Z","updatedAt":"2026-05-18T19:05:22.421Z","lastSeenAt":"2026-05-18T19:05:22.421Z","tsv":"'0':307 '1':50,311,335 '12345':238 '2':72,341 '2fa':337 '3':84,346 '4':89 'account':340 'address':19 'admin':339 'analysi':290,295,310 'api':343 'apikey':235,243 'app':285 'ask':37 'audit':5,26,44,60,62,64,257,263,269,300,303 'auth':32,367,371 'authent':119 'autom':53,349 'avail':380 'bad':183,207,221,233 'bandit':287 'bash':56 'bcrypt/argon2':125 'cargo':63,268 'cargo-audit':267 'check':39,57,100,120,143,161 'checklist':47,78,98 'code':2,12,41,75,148 'code-secur':1 'command':105,218 'common':82,173 'compon':118 'concern':21 'config.js:5':330 'confirm':95 'consid':137 'const':234,242 'container/infra':279 'cooki':129 'cursor.execute':201 'cve':27 'data':141,159 'databas':355 'depend':17,58,160,259,265,271,306,350 'deploy':374 'detail':178 'detect':8 'dn':117 'drizzl':364 'ecosystem':254 'element.innerhtml':208 'element.setattribute':214 'element.textcontent':211 'enabl':336 'encrypt':150 'env':332 'environ':240 'escap':116 'escape/validate':113 'eslint':291 'execut':108 'f':185,223 'fix':85,96,319 'fo':40 'format':297 'found':88,313,315 'fs':69 'good':193,210,226,239 'hardcod':230,328 'hash':123 'high':320 'host':225,229 'httpon':128 'https':154 'id':190,192,199,204 'infra':377 'inject':28,31,99,181,219,322 'input':111 'issu':15,312,314,317,356,368 'javascript':206,232 'js/ts':293 'key':245,344 'ldap':115 'live':133,237 'load':353,357,369,376 'locat':318 'log':156 'manual':74 'markdown':301 'medium':327 'mfa':136 'multi':274,278,283 'never':146 'node.js':258 'npm':59,256 'op':140 'orm':365 'os.system':222 'outdat':166 'output':114,296 'owasp':281 'packag':171 'parameter':103,325 'password':122 'pattern':101,121,144,162,179,372 'pii':149 'ping':224,228 'pip':61,262 'pip-audit':261 'process.env.api':244 'prompt':168 'proper':134 'protect':142 'purpos':255 'python':182,220,264,288,359 'python-sqlalchemi':358 'quarter':345 'queri':104,184,194,202,326 're':92 're-scan':91 'recommend':334 'references/owasp-top-10.md':80 'references/security-tools.md':248 'references/vulnerability-patterns.md':176 'regular':165 'relev':370 'remedi':86 'rest':152 'result':305 'review':11,73,76 'rotat':342 'run':52,65 'rust':270 'sanit':216 'scan':16,51,93,164,276,280,286,304,351 'scanner':67 'secret':145,231,329 'secur':3,4,14,20,24,42,43,54,66,97,127,292,299,302,375 'see':79,175,247 'select':186,195 'sensit':139,158 'session':126 'set':347 'setup':250 'sever':316 'shell':107 'short':132 'short-liv':131 'sk':236 'skill':352,378 'skill-code-security' 'snyk':70,273 'sourc':169 'source-martinffx' 'sql':30,102,180,321 'sqlalchemi':360 'static':289,294,309 'subprocess.run':227 'test':71 'titl':215 'token':130 'tool':55,246,253 'topic-agent-skills' 'topic-agentic-coding' 'topic-anthropic' 'topic-claude-code' 'topic-claude-skills' 'topic-code-review' 'topic-codex' 'topic-codex-skill' 'topic-opencode' 'topic-prompt-engineering' 'topic-sdd' 'topic-spec-driven-development' 'transport':153 'trigger':22 'trivi':68,277 'trust':170 'typescript':363 'typescript-drizzle-orm':362 'updat':167 'usag':252 'use':9,324,331 'user':36,110,188,191,197,203 'userinput':209,212,217 'users.py:42':323 'valid':135 'var':333 'variabl':241 'verifi':90 'vulner':7,25,83,87,163,174,260,266,272,275,308 'web':284 'workflow':45,49 'xss':29,112,205 'zap':282","prices":[{"id":"4d0ef671-d8d7-43d7-b656-5c6ba7925eeb","listingId":"a54872f4-b25a-48c8-84f4-2e90acb38b9d","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"martinffx","category":"atelier","install_from":"skills.sh"},"createdAt":"2026-05-10T07:03:11.329Z"}],"sources":[{"listingId":"a54872f4-b25a-48c8-84f4-2e90acb38b9d","source":"github","sourceId":"martinffx/atelier/code-security","sourceUrl":"https://github.com/martinffx/atelier/tree/main/skills/code-security","isPrimary":false,"firstSeenAt":"2026-05-10T07:03:11.329Z","lastSeenAt":"2026-05-18T19:05:22.421Z"}],"details":{"listingId":"a54872f4-b25a-48c8-84f4-2e90acb38b9d","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"martinffx","slug":"code-security","github":{"repo":"martinffx/atelier","stars":23,"topics":["agent-skills","agentic-coding","anthropic","claude-code","claude-skills","code-review","codex","codex-skill","opencode","prompt-engineering","sdd","spec-driven-development"],"license":"mit","html_url":"https://github.com/martinffx/atelier","pushed_at":"2026-05-18T06:56:45Z","description":"An atelier for Opencode, Claude Code, and other coding agents: spec-driven workflows, deep thinking, and code quality.","skill_md_sha":"b9b3cdb403ca5ba1cc47415b9afdab0c2dbfa275","skill_md_path":"skills/code-security/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/martinffx/atelier/tree/main/skills/code-security"},"layout":"multi","source":"github","category":"atelier","frontmatter":{"name":"code-security","description":"Security audit and vulnerability detection. Use when reviewing code for security issues, scanning dependencies, or addressing security concerns. Triggers on \"security\", \"vulnerability\", \"audit\", \"CVE\", \"injection\", \"XSS\", \"SQL injection\", \"auth\", or when the user asks to check for security issues."},"skills_sh_url":"https://skills.sh/martinffx/atelier/code-security"},"updatedAt":"2026-05-18T19:05:22.421Z"}}