skill-file-security

Skill by ara.so — Security Skills collection.

skill-file-security installs 29 battle-tested security instruction files into your project that teach AI coding assistants to identify and fix vulnerabilities across OWASP Top 10, CWE Top 25, ASVS Level 3, and more — without leaving your IDE.

What This Does

skill-file-security is a CLI tool that:

Installs security knowledge files to
```
.skills/security/
```
in your project
Auto-configures all major AI coding assistants (Claude, Cursor, Copilot, Windsurf, Cline, etc.)
Creates
```
memory-security.md
```
to track your security score over time
Hardens
```
.gitignore
```
with 6 security-focused entries

Provides 6 slash commands:

/security-scan

/security-audit

/security-fix

/security-status

/security-history

/security-incident

The AI assistant reads these instruction files and applies 29 security categories to YOUR specific stack (Next.js, Django, Laravel, Express, Docker, Supabase, Firebase, etc.).

Installation

Interactive Mode (Recommended)

bash

npx @netxeo/security-skill

This launches a smart 5-question setup that:

Auto-detects your stack (Next.js, Supabase, Docker, etc.)
Asks about auth, database, API, deployment, and custom rules
Installs only the security rules you need

Fast Mode (Silent Install)

bash

# Install everywhere (all AI assistants)
npx @netxeo/security-skill --yes

# Install for specific assistants
npx @netxeo/security-skill --claude
npx @netxeo/security-skill --cursor
npx @netxeo/security-skill --copilot
npx @netxeo/security-skill --windsurf
npx @netxeo/security-skill --cline

Install as a Dev Dependency

bash

npm install --save-dev @netxeo/security-skill

# Then run via package.json script
npx security-skill

What Gets Installed

your-project/
├── .skills/
│   └── security/
│       ├── skill.md                      # Main security orchestrator
│       ├── 01-secrets-and-files.md
│       ├── 02-network-and-cors.md
│       ├── 03-http-headers.md
│       ├── 04-auth-and-sessions.md
│       ├── 05-cryptography.md
│       ├── 06-jwt-security.md
│       ├── 07-database-security.md
│       ├── 08-deployment-ci-cd.md
│       ├── 09-docker-security.md
│       ├── 10-protocols-graphql-websocket.md
│       ├── 11-advanced-attacks.md
│       ├── 12-all-injections.md
│       ├── 13-race-conditions.md
│       ├── 14-file-upload.md
│       ├── 15-dns-email.md
│       ├── 16-supply-chain.md
│       ├── 17-mobile-security.md
│       ├── 18-compliance-gdpr.md
│       ├── 19-monitoring-honeytokens.md
│       ├── 20-serverless-edge.md
│       ├── 21-source-code-analysis.md
│       ├── 22-ai-llm-security.md
│       ├── 23-bot-ddos.md
│       ├── 24-browser-apis.md
│       └── 25-modern-security.md
├── memory-security.md                     # Score tracker
├── CLAUDE.md                              # Claude / Antigravity config
├── .cursorrules                           # Cursor config
├── .cursor/rules/security.mdc             # Cursor new format
├── .github/copilot-instructions.md        # GitHub Copilot config
├── .windsurfrules                         # Windsurf config
├── .clinerules                            # Cline config
├── AGENTS.md                              # OpenAI Codex CLI config
├── GEMINI.md                              # Gemini Code Assist config
└── .gitignore                             # Updated with security entries

Key Commands

After installation, use these slash commands in your AI coding assistant:

/security-scan

Quick 30-second scan focusing on critical issues only.

javascript

// Example output:
// 🔴 CRITICAL #1 — Hardcoded Supabase service role key in .env.local
// 🔴 CRITICAL #2 — RLS disabled on 3 tables (users, orders, messages)
// 🟠 HIGH #3 — Missing rate limiting on /api/auth/login
// ⏱️ Scan completed in 28s

/security-audit

Full audit that generates a security score (/100) and detailed report file.

javascript

// Example output:
// ╔══════════════════════════════════════════════════╗
// ║      🔐  SECURITY AUDIT — myproject              ║
// ║         Stack: Next.js · Supabase · Vercel        ║
// ╠══════════════════════════════════════════════════╣
// ║  SECURITY SCORE  :  61 / 100  🟠                  ║
// ╠══════════════════════════════════════════════════╣
// ║  🔴  Secrets & Files          12/20  ← FIX NOW   ║
// ║  🟢  Auth & Sessions          16/20              ║
// ║  🔴  Database (Supabase RLS)   8/20  ← FIX NOW   ║
// ║  🟡  HTTP Headers             12/20              ║
// ...
// 📄 Full report → security-report.md

/security-fix

Applies fixes with your approval. Always shows diffs before modifying code.

javascript

// Example interaction:
// You: /security-fix rls
// AI: I'll enable RLS on 3 tables. Here's what will change:
//
// --- a/supabase/migrations/add_rls.sql
// +++ b/supabase/migrations/add_rls.sql
// @@ -0,0 +1,12 @@
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
// +ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
//
// Apply these changes? (y/n)

/security-status

Shows your score history from

memory-security.md

javascript

// Example output:
// | Date       | Score  | Critical | High | Notes              |
// |------------|--------|----------|------|--------------------|
// | 2025-05-01 | 61/100 | 2        | 3    | First audit        |
// | 2025-05-03 | 84/100 | 0        | 1    | Fixed RLS + secret |
// | 2025-05-10 | 97/100 | 0        | 0    | 🟢 Excellent       |

/security-history

Shows before→after comparison to prove value.

/security-incident

Full incident response playbook for when something goes wrong.

Real-World Usage Examples

Example 1: Next.js + Supabase Project

bash

# Install security skill
npx @netxeo/security-skill

# In your AI assistant:
# You: /security-scan

AI Response:

🔴 CRITICAL #1 — Supabase service role key exposed in frontend
   File: .env.local:3
   Found: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJhbG...
   Risk:  Full database access exposed to browser
   Fix:   Move to server-only env var (no NEXT_PUBLIC_ prefix)

🔴 CRITICAL #2 — RLS disabled on users table
   File: supabase/migrations/001_create_users.sql
   Risk:  Any authenticated user can read all user data
   Fix:   /security-fix rls

🟠 HIGH #3 — Missing rate limiting on auth endpoints
   File: app/api/auth/login/route.ts
   Risk:  Brute force attacks on login
   Fix:   Add @upstash/ratelimit middleware

Apply a fix:

javascript

// You: /security-fix rls

// AI shows diff and asks for approval:
// --- a/supabase/migrations/002_enable_rls.sql
// +++ b/supabase/migrations/002_enable_rls.sql
// +ALTER TABLE users ENABLE ROW LEVEL SECURITY;
// +
// +CREATE POLICY "Users can read own data"
// +  ON users FOR SELECT
// +  TO authenticated
// +  USING (auth.uid() = id);
// +
// +CREATE POLICY "Users can update own data"
// +  ON users FOR UPDATE
// +  TO authenticated
// +  USING (auth.uid() = id);

// You: yes
// AI: ✅ Applied RLS policy. Run migration with: supabase db push

Example 2: Express API with PostgreSQL

javascript

// You: /security-audit

// AI detects SQL injection vulnerability
// 🔴 CRITICAL — SQL Injection in user search endpoint
//    File: routes/users.js:23
//    Code: db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`)
//    Fix:  Use parameterized queries

// You: /security-fix sql-injection routes/users.js:23

// AI shows the fix:
// --- a/routes/users.js
// +++ b/routes/users.js
// @@ -20,7 +20,7 @@
//  router.get('/search', async (req, res) => {
// -  const results = await db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`);
// +  const results = await db.query('SELECT * FROM users WHERE name = $1', [req.query.name]);
//    res.json(results.rows);
//  });

// You: yes
// AI: ✅ Fixed. SQL injection prevented using parameterized query.

Example 3: Docker + CI/CD Security

dockerfile

# You: /security-scan

# AI finds Docker security issues:
# 🔴 CRITICAL — Running as root in production container
#    File: Dockerfile:15
#    Code: USER root
#    Fix:  Create non-root user

# 🟠 HIGH — Secrets in environment variables
#    File: .github/workflows/deploy.yml:34
#    Code: DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
#    Fix:  Use secret management service (AWS Secrets Manager, Vault)

# You: /security-fix dockerfile

# AI rewrites Dockerfile:
# --- a/Dockerfile
# +++ b/Dockerfile
# @@ -12,5 +12,8 @@
#  COPY . .
#  RUN npm run build
#  
# -USER root
# +RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# +RUN chown -R appuser:appgroup /app
# +USER appuser
# +
#  CMD ["npm", "start"]

Configuration

Environment Variables

No environment variables required. skill-file-security works entirely through instruction files.

Custom Rules

Add custom security rules by creating

.skills/security/26-custom.md

markdown

---
name: custom-security-rules
category: Custom
priority: high
---

# Custom Security Rules

## Rule 1: No console.log in production
- Check all `console.log()` calls
- Verify `NODE_ENV === 'production'` removes them
- Suggest using structured logging (winston, pino)

## Rule 2: API keys must be rotated every 90 days
- Check `memory-security.md` for last rotation date
- Alert if > 90 days since rotation

Stack-Specific Configuration

skill-file-security auto-detects your stack from:

```
package.json
```
(Next.js, Express, React, Vue)
```
requirements.txt
```
/
```
Pipfile
```
(Django, Flask)
```
composer.json
```
(Laravel, Symfony)
```
Gemfile
```
(Rails)
```
pom.xml
```
/
```
build.gradle
```
(Spring Boot)
```
Dockerfile
```
(Docker)
```
supabase/
```
directory (Supabase)
```
firebase.json
```
(Firebase)

No manual configuration needed.

Coverage

OWASP Top 10 (2025)

A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable Components
A07: Auth & Session Management Failures
A08: Software & Data Integrity Failures
A09: Logging & Monitoring Failures
A10: SSRF

CWE Top 25

All 25 covered, including:

CWE-79 (XSS)
CWE-89 (SQL Injection)
CWE-22 (Path Traversal)
CWE-352 (CSRF)
CWE-434 (Unrestricted File Upload)
CWE-862 (Missing Authorization)
CWE-798 (Hard-coded Credentials)
CWE-918 (SSRF)
And 17 more...

ASVS Level 3

Session Management (V3)
Access Control (V4)
Cryptography (V6)
Error Handling (V7)
Data Protection (V8)
Communications (V9)
Business Logic (V11)
Files & Resources (V12)
API & Web Services (V13)
Configuration (V14)

Troubleshooting

AI doesn't respond to /security-scan

Cause: AI assistant config file not properly loaded.

Fix:

bash

# Reinstall for specific AI
npx @netxeo/security-skill --claude
# or
npx @netxeo/security-skill --cursor

# Restart your AI assistant after installation

Security score not updating in memory-security.md

Cause: AI hasn't written to memory file yet.

Fix:

javascript

// You: Update my security score after this audit
// AI will append new row to memory-security.md

False positives in security scan

Cause: Context-specific code patterns that are actually safe.

Fix:

javascript

// You: /security-scan --ignore-false-positives

// Or add exception comment in code:
const html = userInput; // security-skill-ignore: sanitized by DOMPurify on line 12

Skill files not found

Cause: Installation didn't complete or files were deleted.

Fix:

bash

# Reinstall
npx @netxeo/security-skill --yes

# Verify installation
ls -la .skills/security/
# Should show 25+ .md files

Conflicts with existing .cursorrules or CLAUDE.md

Cause: You already have custom AI instructions.

Fix:

bash

# Backup existing files
cp .cursorrules .cursorrules.backup
cp CLAUDE.md CLAUDE.md.backup

# Reinstall (will merge with existing)
npx @netxeo/security-skill --cursor

# Manually merge if needed

Advanced Patterns

CI/CD Integration

Add security checks to GitHub Actions:

yaml

# .github/workflows/security.yml
name: Security Audit

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - run: npx @netxeo/security-skill --yes
      - run: |
          # Use AI CLI to run audit
          # (requires AI with CLI support like aider or continue.dev)
          echo "/security-audit" | npx continue

Pre-commit Hook

bash

# .husky/pre-commit
#!/bin/sh
npx @netxeo/security-skill --yes
echo "/security-scan" | npx aider --yes-always

Custom Security Categories

Extend with your own categories:

bash

# Create custom category
cat > .skills/security/26-internal-compliance.md << 'EOF'
---
name: internal-compliance
category: Custom
priority: high
---

# Internal Compliance Rules

## PCI DSS Requirements
- Credit card numbers must be masked in logs
- Payment forms must use tokenization
- No credit card data in URLs or GET requests

## SOC 2 Requirements
- All database queries must be logged
- User actions must be auditable
- Access controls must be reviewed quarterly
EOF

# AI will now check these rules during scans

Integration with Other Tools

skill-file-security complements (doesn't replace):

ESLint/Prettier: Code style and basic checks
SonarQube: Static analysis for code quality
Snyk/Dependabot: Dependency vulnerability scanning
OWASP ZAP: Dynamic application security testing

skill-file-security focuses on semantic security analysis that understands business logic and context — things static analyzers miss.

Learn More

Official Website: https://skill-file-security-website.vercel.app
NPM Package: https://www.npmjs.com/package/@netxeo/security-skill
GitHub: https://github.com/Netxeo/skill-file-security

Made by developers who got tired of pushing secrets to production. 🔐

skill-file-security

NPX Install

Tags

SKILL.md Content

skill-file-security

What This Does

Installation

Interactive Mode (Recommended)

Fast Mode (Silent Install)

Install as a Dev Dependency

What Gets Installed

Key Commands

/security-scan

/security-audit

/security-fix

/security-status

/security-history

/security-incident

Real-World Usage Examples

Example 1: Next.js + Supabase Project

Example 2: Express API with PostgreSQL

Example 3: Docker + CI/CD Security

Configuration

Environment Variables

Custom Rules

Stack-Specific Configuration

Coverage

OWASP Top 10 (2025)

CWE Top 25

ASVS Level 3

Troubleshooting

AI doesn't respond to /security-scan

Security score not updating in memory-security.md

False positives in security scan

Skill files not found

Conflicts with existing .cursorrules or CLAUDE.md

Advanced Patterns

CI/CD Integration

Pre-commit Hook

Custom Security Categories

Integration with Other Tools

Learn More

`/security-scan`

`/security-audit`

`/security-fix`

`/security-status`

`/security-history`

`/security-incident`