Medusa Security Skill

Identity

Capabilities

1. Full Scan — All 76 scanners, comprehensive security analysis
2. AI-Only Scan — Prompt injection, MCP security, agent security, RAG security
3. Quick Scan — Git-changed files only for rapid development feedback
4. Targeted Scan — Specific scanner categories (mcp, secrets, prompt-injection, etc.)
5. SARIF Output Parsing — Standard SARIF v2.1.0 structured findings
6. JSON Output Parsing — Medusa-native JSON format
7. OWASP Mapping — Maps findings to OWASP Agentic AI (ASI01-10) and OWASP Top 10 (A01-10)
8. Remediation Guidance — Links findings to agent-studio skills and agents
9. CI/CD Integration — Fail-on thresholds, SARIF upload for GitHub Code Scanning

Prerequisites

Python 3.10+
pip install medusa-security

python -m medusa --version

Workflow: Full Security Scan

# Step 1: Verify installation
python -m medusa --version

# Step 2: Run scan
medusa scan . --format sarif --fail-on high

# Step 3: Parse output (use scripts/main.cjs)
node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

# Step 4: Review findings by severity
# CRITICAL → immediate fix required
# HIGH → fix before release
# MEDIUM → fix in next sprint
# LOW → track and address

Workflow: AI-Only Scan

medusa scan . --format sarif --ai-only

Workflow: Quick Scan (Development)

medusa scan . --format sarif --quick

Workflow: Targeted Scan

# MCP security only
medusa scan . --format sarif --scanners mcp-server,mcp-config

# Secrets only
medusa scan . --format sarif --scanners secrets,gitleaks,env

# AI context files only
medusa scan . --format sarif --scanners ai-context

Output Processing

.claude/skills/medusa-security/scripts/

sarif-parser.cjs

json-parser.cjs

finding-formatter.cjs

main.cjs

cli-wrapper.cjs

security-review.cjs

Using the Pipeline

# Full scan with structured output
node .claude/skills/medusa-security/scripts/main.cjs --mode full --target .

# AI-only scan
node .claude/skills/medusa-security/scripts/main.cjs --mode ai-only --target .

# Quick scan (git-changed files)
node .claude/skills/medusa-security/scripts/main.cjs --mode quick --target .

Deterministic Security Review (Recommended in Claude sessions)

Glob

node .claude/skills/medusa-security/scripts/security-review.cjs

/.claude/context/reports/security-review-medusa-scan-2026-02-17.md

• .claude/hooks/

• .claude/lib/

• .claude/skills/medusa-security/scripts/

• .claude/CLAUDE.md

Important Runtime Guardrail

• Avoid recursive glob patterns like

  .claude/skills/medusa-security/**/*

  in long sessions.
• Prefer direct file reads and deterministic script entry points.

OWASP Mapping

• OWASP Agentic AI Top 10 (ASI01-10): Goal Hijacking, Tool Misuse, Context Poisoning, etc.
• OWASP Top 10 (A01-10): Broken Access Control, Injection, Cryptographic Failures, etc.

Severity Triage

Agent Integration

security-architect

penetration-tester

code-reviewer

CI/CD Integration

# GitHub Actions example
- name: Security Scan
  run: |
    pip install medusa-security
    medusa scan . --format sarif --fail-on high -o reports/
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reports/medusa-results.sarif

Memory Protocol

• Record new vulnerability patterns in

  patterns.json

• Log significant findings in

  issues.md

• Track scan history for trend analysis
• Use

  recordGotcha()

  for recurring false positives

const manager = require('.claude/lib/memory/memory-manager.cjs');

manager.recordGotcha({
  text: 'False positive: medusa flags X pattern in Y context',
  area: 'security-scanning',
});

manager.recordPattern({
  text: 'Prompt injection found in CLAUDE.md context files',
  area: 'ai-security',
});

Related Skills

• security-architect

  — Threat modeling and OWASP analysis

• static-analysis

  — CodeQL and Semgrep SARIF analysis

• semgrep-rule-creator

  — Create custom Semgrep rules

• insecure-defaults

  — Detect hardcoded credentials

• variant-analysis

  — Discover vulnerability variants