This skill should be used when the user asks to "scan for vulnerabilities", "check for security issues", "find secrets in code", "audit dependencies", "detect SQL injection", "find XSS vulnerabilities", "check for OWASP issues", "scan for hardcoded credentials", or mentions security analysis of code.
Scans codebases for vulnerabilities, secrets, and security anti-patterns across multiple languages.
/plugin marketplace add eyadsibai/ltk
/plugin install ltk@ltk-marketplace
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Comprehensive security analysis skill for detecting vulnerabilities, secrets, and security anti-patterns in codebases.
Scan for accidentally committed secrets and credentials:
Patterns to detect:
Common file locations:
.env files committed to repo
Search patterns:
# API Keys
grep -rE "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{20,}"
# AWS Keys
grep -rE "AKIA[0-9A-Z]{16}"
# Private Keys
grep -rE "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
# Generic Secrets
grep -rE "(password|secret|token)\s*[:=]\s*['\"][^'\"]{8,}"
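The grep lines above work as one-off searches; the following added example (not part of the original skill) wraps the same four patterns in a small scanner that also flags committed .env files, skips obvious placeholder values, and redacts the matched value in its report so the findings file does not itself become a leak. Unlike the grep lines it matches case-insensitively, and the finding names, severities and sample tree are constructed for illustration.

```python
"""In-memory secret scanner built on the grep patterns above (added example)."""
import os
import re
from collections import Counter
from dataclasses import dataclass

# The four grep patterns above, compiled case-insensitively (the grep lines are
# case-sensitive; broadening is deliberate here). Names and severities are assumptions.
SECRET_PATTERNS = [
    ("aws_access_key", "Critical", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private_key", "Critical",
     re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("api_key", "High",
     re.compile(r"(?i)(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{20,}")),
    ("generic_secret", "High",
     re.compile(r"(?i)(password|secret|token)\s*[:=]\s*['\"][^'\"]{8,}")),
]

# Values that look like secrets but are clearly placeholders; skipping them cuts noise.
PLACEHOLDER_RE = re.compile(r"(?i)example|changeme|your[_-]?|xxx|<[^>]+>|\$\{")

SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}


@dataclass
class Finding:
    path: str
    line: int        # 0 for file-level findings
    kind: str
    severity: str
    evidence: str    # the matched span is redacted, never the raw value


def scan_text(path, text):
    """Run every secret pattern over each line of one file; return a list of Finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, severity, pattern in SECRET_PATTERNS:
            if not pattern.search(line):
                continue
            if kind != "private_key" and PLACEHOLDER_RE.search(line):
                continue
            evidence = pattern.sub(f"<{kind} redacted>", line).strip()
            findings.append(Finding(path, lineno, kind, severity, evidence))
    return findings


def scan_files(files):
    """files: {relative_path: contents}. Adds a file-level finding for committed .env files."""
    findings = []
    for path, text in sorted(files.items()):
        name = os.path.basename(path)
        if name == ".env" or name.startswith(".env."):
            findings.append(Finding(path, 0, "env_file_committed", "High",
                                    "environment file present in the tree"))
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root):
    """Same scan over a real checkout, skipping VCS and dependency directories."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


def summarize(findings):
    """Counts per severity, for the Critical/High/Medium/Low summary in the report."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample tree; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "s3cr3t-but-long-enough"\n'
                          'API_KEY = "EXAMPLEKEYEXAMPLEKEY1234"\n',   # placeholder, skipped
    "config/service.yaml": 'apikey: "Zx9Qp2Lm4Vb7Nc1Rt6Yh8Kj3Wd5Fg0Hs"\n',
    "deploy/creds.txt": "aws_access_key_id = AKIA0123456789ABCDEF\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    # Unquoted value: the grep patterns miss it, the file-name check catches it.
    "web/.env": "SECRET_TOKEN=abcd1234efgh\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"[{f.severity}] {f.path}:{f.line} {f.kind}: {f.evidence}")
    print(summarize(results))
```

The .env case is the reason the skill lists file locations alongside search patterns: an unquoted `KEY=value` line matches none of the grep expressions, so a scanner that only greps would report a clean tree.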
Identify common web application vulnerabilities:
SQL Injection:
Cross-Site Scripting (XSS):
Command Injection:
Path Traversal:
Insecure Deserialization:
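Textual grep finds secrets well but is a poor fit for the five vulnerability classes above, because what matters is how a call's argument was built. The added example below (not the skill's own code) uses Python's `ast` module to flag call sites where an SQL statement, shell command, file path, template or deserialization input is assembled at runtime. It is a heuristic pattern detector rather than taint analysis, so it reports candidates for review; the function lists, severities and the sample source are constructed assumptions.

```python
"""ast-based detector for SQLi, XSS, command injection, path traversal and
insecure deserialization patterns in Python source (added example)."""
import ast
from dataclasses import dataclass

SQL_METHODS = {"execute", "executemany", "executescript", "raw", "query"}
PICKLE_LIKE = {"pickle.load", "pickle.loads", "marshal.load", "marshal.loads", "yaml.unsafe_load"}
UNSAFE_YAML_LOADERS = {None, "Loader", "UnsafeLoader", "yaml.Loader", "yaml.UnsafeLoader"}
SHELL_FUNCS = {"os.system", "os.popen"}
TEMPLATE_FUNCS = {"render_template_string", "flask.render_template_string", "Markup", "markupsafe.Markup"}


@dataclass
class Issue:
    line: int
    category: str
    severity: str   # the skill's Critical/High/Medium/Low scale
    detail: str


def dotted(node):
    """'os.system' for attribute chains, 'open' for bare names, None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_str_const(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def is_runtime_string(node):
    """True when a string is assembled at runtime: f-string, str + / % expression, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_str_const(node.left) or is_str_const(node.right) or is_runtime_string(node.left)
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


class Detector(ast.NodeVisitor):
    def __init__(self):
        self.issues = []

    def report(self, node, category, severity, detail):
        self.issues.append(Issue(node.lineno, category, severity, detail))

    def visit_Call(self, node):
        name = dotted(node.func) or ""
        method = node.func.attr if isinstance(node.func, ast.Attribute) else name
        first = node.args[0] if node.args else None
        kw = {k.arg: k.value for k in node.keywords}

        if method in SQL_METHODS and first is not None and is_runtime_string(first):
            self.report(node, "SQL Injection", "Critical",
                        f"{name or method}() receives a runtime-built statement; bind parameters instead")
        if name in SHELL_FUNCS and first is not None and not is_str_const(first):
            self.report(node, "Command Injection", "Critical", f"{name}() with a non-constant command string")
        if name.startswith("subprocess.") and isinstance(kw.get("shell"), ast.Constant) and kw["shell"].value is True:
            self.report(node, "Command Injection", "High", f"{name}(shell=True) hands the command to a shell")
        if name == "open" and first is not None and is_runtime_string(first):
            self.report(node, "Path Traversal", "Medium",
                        "open() on a runtime-built path; resolve it and check it stays under the intended base")
        if name in PICKLE_LIKE:
            self.report(node, "Insecure Deserialization", "Critical",
                        f"{name}() can instantiate arbitrary objects from its input")
        if name == "yaml.load":
            loader = dotted(kw["Loader"]) if "Loader" in kw else None
            if loader in UNSAFE_YAML_LOADERS:
                self.report(node, "Insecure Deserialization", "Critical",
                            "yaml.load() without SafeLoader can instantiate arbitrary objects")
        if name in TEMPLATE_FUNCS and first is not None and not is_str_const(first):
            self.report(node, "Cross-Site Scripting", "High",
                        f"{name}() treats runtime data as template/markup; pass data as context variables")
        self.generic_visit(node)


def analyse(source, filename="<string>"):
    """Parse one Python source string and return its issues sorted by line."""
    detector = Detector()
    detector.visit(ast.parse(source, filename))
    return sorted(detector.issues, key=lambda i: i.line)


# Constructed sample: each flagged line sits next to its safe counterpart.
SAMPLE = '''
import os, pickle, subprocess, yaml
from flask import render_template_string

def handler(db, user_id, user_input, user_data, name):
    db.execute(f"SELECT * FROM users WHERE id = {user_id}")
    db.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    os.system(f"ls {user_input}")
    subprocess.run(["ls", user_input], shell=False)
    subprocess.run("ls " + user_input, shell=True)
    data = pickle.loads(user_data)
    cfg = yaml.load(user_data)
    safe = yaml.safe_load(user_data)
    f = open("/var/app/uploads/" + name)
    return render_template_string("<h1>" + name + "</h1>")
'''

if __name__ == "__main__":
    for issue in analyse(SAMPLE):
        print(f"{issue.line}: [{issue.severity}] {issue.category}: {issue.detail}")
```

Because the check keys on how the argument expression was built, the parameterised `execute`, the list-form `subprocess.run`, `yaml.safe_load` and a constant path all pass without special-casing, which is the property a grep for `execute(` cannot give you.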
Check for known vulnerabilities in dependencies:
Python:
# Using pip-audit
pip-audit -r requirements.txt
# Using safety
safety check -r requirements.txt
# Check outdated packages
pip list --outdated
JavaScript/Node:
npm audit
yarn audit
General approach:
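The audit commands above exit non-zero on any finding, which in CI quickly turns into an ignored step. The added example below (not part of the original skill) is a small gate over the JSON that `pip-audit -r requirements.txt --format json` emits: it fails the build on unaccepted vulnerabilities, names the lowest fixed release to pin, and honours a reviewed exception list keyed by advisory id or alias. The report shape used here (`dependencies[].{name, version, vulns[].{id, aliases, fix_versions, description}}`) is pip-audit's as I know it; the sample report and its advisory ids are constructed placeholders, not real advisories.

```python
"""CI gate over pip-audit JSON output with an exception list (added example)."""
import json
import re
import sys
from dataclasses import dataclass


@dataclass
class Verdict:
    package: str
    version: str
    vuln_id: str
    fix_versions: list
    accepted: bool      # covered by a reviewed, time-boxed exception


def version_key(v):
    """Numeric-only ordering key, enough to pick the lowest fixed release."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage(report, accepted_ids=frozenset()):
    """Flatten the pip-audit report into one Verdict per (package, vulnerability)."""
    verdicts = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            verdicts.append(Verdict(dep["name"], dep["version"], vuln["id"],
                                    list(vuln.get("fix_versions", [])), bool(ids & accepted_ids)))
    return verdicts


def gate(verdicts):
    """Return (exit_code, report_lines): any non-accepted vulnerability fails the build."""
    lines, failing = [], 0
    for v in verdicts:
        pin = f"{v.package}=={v.version}"
        if v.accepted:
            lines.append(f"ACCEPTED {pin} {v.vuln_id} (exception on file)")
        elif v.fix_versions:
            failing += 1
            lowest_fix = min(v.fix_versions, key=version_key)
            lines.append(f"FAIL {pin} {v.vuln_id}: upgrade to {lowest_fix} or later")
        else:
            failing += 1
            lines.append(f"FAIL {pin} {v.vuln_id}: no fixed release; needs a mitigation or a reviewed exception")
    return (1 if failing else 0), lines


# Constructed pip-audit-style report; the advisory ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "examplelib", "version": "1.2.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE-1", "aliases": ["CVE-EXAMPLE-0001"],
             "fix_versions": ["1.4.1", "1.3.5"], "description": "constructed"}]},
        {"name": "otherpkg", "version": "0.9.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE-2", "aliases": [],
             "fix_versions": [], "description": "constructed"}]},
        {"name": "cleanpkg", "version": "3.0.0", "vulns": []},
    ],
    "fixes": [],
}

if __name__ == "__main__":
    # Usage: pip-audit -r requirements.txt --format json | python audit_gate.py [accepted_ids.txt]
    # With no piped input the constructed sample report is used.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    accepted = frozenset(open(sys.argv[1]).read().split()) if len(sys.argv) > 1 else frozenset()
    code, lines = gate(triage(report, accepted))
    print("\n".join(lines))
    sys.exit(code)
```

Keying exceptions on aliases as well as the primary id matters because the same issue is often reported under a PYSEC id by one tool and a CVE id by another; an exception recorded under either should still apply.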
Detect insecure coding patterns:
Weak Cryptography:
Authentication Issues:
Authorization Flaws:
Data Exposure:
To perform a comprehensive security scan:
For rapid assessment of recent changes:
Present findings with severity levels:
Critical: Immediate exploitation risk
High: Significant security risk
Medium: Potential security concern
Low: Best practice violations
# SQL Injection - BAD
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# SQL Injection - GOOD
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# Command Injection - BAD
os.system(f"ls {user_input}")
# Command Injection - GOOD
subprocess.run(["ls", user_input], shell=False)
# Insecure Deserialization - BAD
data = pickle.loads(user_data)
# Secure Alternative
data = json.loads(user_data)
// XSS - BAD
element.innerHTML = userInput;
// XSS - GOOD
element.textContent = userInput;
// SQL Injection - BAD
db.query(`SELECT * FROM users WHERE id = ${userId}`);
// SQL Injection - GOOD
db.query('SELECT * FROM users WHERE id = ?', [userId]);
When security issues are found, coordinate with:
For each finding, provide:
For detailed vulnerability patterns: