npx claudepluginhub srstomp/pokayokay --plugin pokayokay<area-to-audit># Security Audit Workflow Security audit: `$ARGUMENTS` ## Agent Delegation **Delegate the security scanning to the `yokay-security-scanner` agent** for isolated execution. This keeps verbose scan output separate and enforces read-only constraints. The agent will: 1. Scan for OWASP Top 10 vulnerabilities 2. Check for secrets exposure, injection risks, XSS 3. Review authentication/authorization patterns 4. Return findings classified by severity (Critical/High/Medium/Low) After receiving the agent's findings, continue with remediation task creation below. ## Steps ### 1. Define Audit ...
/securityRuns autonomous security audit using STRIDE threat model, OWASP Top 10, and red-team simulation with 4 adversarial personas. Supports --diff, --fix, --scope, --depth flags.
/securityConducts enhanced multi-LLM adversarial security audit: gathers threat model, compliance, and risk details via questions, then dispatches to external providers like Codex and Gemini.
/securityPerforms security review and vulnerability assessment on code modules or files following OWASP standards, classifying issues by severity and generating reports. Also supports --owasp flag.
/securityConducts security reviews of apps, APIs, scripts, and configs using OWASP Top 10 best practices and threat modeling; detects vulnerabilities and suggests fixes.
/securityAuto-detects Drupal or Next.js project type and runs multi-layer security scans with Semgrep, Trivy, Gitleaks, and more. Produces JSON report and Markdown summary grouped by severity with remediation guidance.
/securityRuns local security review on git changes vs base branch (default: main), scanning for OWASP Top 10 vulnerabilities, secrets exposure, and anti-patterns. Outputs PASS/WARN/CRITICAL_FAIL verdict, findings, and JSON.
Security audit: $ARGUMENTS
Delegate the security scanning to the yokay-security-scanner agent for isolated execution. This keeps verbose scan output separate and enforces read-only constraints.
Use the yokay-security-scanner agent to scan: $ARGUMENTS
Return the severity summary and critical/high findings to this conversation.
The agent will:
After receiving the agent's findings, continue with remediation task creation below.
From $ARGUMENTS, identify:
# Dependency vulnerabilities
npm audit
# or
pnpm audit
# Secret detection
git secrets --scan
OWASP Top 10:
| Severity | Description | Action |
|---|---|---|
| Critical | Immediate exploit risk | Fix now |
| High | Significant vulnerability | Fix this sprint |
| Medium | Moderate risk | Plan fix |
| Low | Minor issue | Backlog |
| Info | Best practice | Consider |
Document findings with:
Automatically create ohno tasks for each finding using MCP tools based on severity:
| Severity | Priority | Task Type | Action |
|---|---|---|---|
| Critical | P0 | bug | Always create |
| High | P1 | bug | Always create |
| Medium | P2 | bug | Create if actionable |
| Low | P3 | bug | Skip (or create if explicitly requested) |
For each Critical/High/Medium finding, use ohno MCP create_task:
create_task({
title: "Security: [vulnerability name]",
description: "[Description]\n\nLocation: [file:line]\nCWE: [CWE-XXX]\nRemediation: [steps]",
task_type: "bug",
estimate_hours: [1-4 based on complexity]
})
Example task creation for findings:
create_task("Security: Fix SQL injection in user search", type: bug) with P0 priority note in descriptioncreate_task("Security: Fix XSS in comment rendering", type: bug) with P1 priority notecreate_task("Security: Upgrade password hashing algorithm", type: bug) with P2 priority noteAfter creating tasks, report summary:
Created [N] remediation tasks:
- [task-id]: Security: [name] (Critical/High/Medium)
- ...
/pokayokay:api - Secure API design/pokayokay:cicd - Security in pipelines/pokayokay:work - Implement fixesWhen security audit involves:
api-design skilldatabase-design skillci-cd skill