From appsec
This skill should be used when the user asks for "security status", "show findings", "security dashboard", "security posture", or invokes /appsec:status. Shows current security posture overview.
npx claudepluginhub florianbuetow/claude-code --plugin appsec

This skill uses the workspace's default tool permissions.
Read the .appsec/ state directory and present a concise security posture
dashboard. Shows what has been scanned, what was found, what has changed
since the last scan, and what to do next.
This skill runs entirely in the main agent context. It does NOT dispatch
subagents. It reads state files produced by /appsec:run and
/appsec:full-audit.
| Flag | Behavior |
|---|---|
| `--format text` | ASCII dashboard (default). |
| `--format json` | Structured JSON summary. |
| `--format md` | Markdown summary. |
| `--quiet` | Findings count only, no details. |
Read these files from the .appsec/ directory:
| File | Content | Required |
|---|---|---|
| `.appsec/findings.json` | Consolidated findings from last run | Yes |
| `.appsec/last-run.json` | Timestamp, scope, depth, tools used | Yes |
| `.appsec/start-assessment.json` | Stack detection, scanner availability | Optional |
| `.appsec/config.yaml` | User preferences (from /appsec:config) | Optional |
Use Glob to check for .appsec/findings.json and .appsec/last-run.json.
If NO state files exist, output:
```
=====================================================
APPSEC STATUS -- No Data
=====================================================
No security scan data found. Run a scan first:
  /appsec:start        Assess project and get recommendations
  /appsec:run          Run smart security scan
  /appsec:full-audit   Exhaustive audit with report
=====================================================
```
Read .appsec/findings.json and .appsec/last-run.json. Optionally read
.appsec/start-assessment.json and .appsec/config.yaml if they exist.
Run git diff --name-only against the timestamp in last-run.json to
determine which files have changed since the last scan. Classify changes:
Count the changed files and note the high-risk ones (files that had findings in the last scan).
From the findings data, compute:
```
=====================================================
APPSEC STATUS -- Dashboard
=====================================================
LAST SCAN: <timestamp> (<relative time, e.g., "2 hours ago">)
SCOPE:     <scope from last run>
DEPTH:     <depth from last run>

FINDINGS:
+-------+----------+------+--------+-----+-------+
|       | Critical | High | Medium | Low | Total |
+-------+----------+------+--------+-----+-------+
| Count |    N     |  N   |   N    |  N  |   N   |
+-------+----------+------+--------+-----+-------+

TOP PRIORITIES:
  1. <ID> <severity> <title> (<file>:<line>)
  2. <ID> <severity> <title> (<file>:<line>)
  3. <ID> <severity> <title> (<file>:<line>)
  4. <ID> <severity> <title> (<file>:<line>)
  5. <ID> <severity> <title> (<file>:<line>)

CHANGES SINCE LAST SCAN:
  Files modified:                        N
  New files:                             N
  Files with existing findings modified: N
  Stale findings (file changed):         N

SCANNER STATUS:
  <scanner>   installed   <N findings>
  <scanner>   installed   <N findings>
  <scanner>   missing     (would cover: <categories>)

FRAMEWORKS RUN:
  OWASP Top 10   <N findings>
  STRIDE         <N findings>
  PASTA          <N findings> (or "not run")
  LINDDUN        <N findings> (or "not run")
  SANS/CWE 25    <N findings> (or "not run")

HOTSPOT FILES:
  <file>   <N findings> (<severities>)
  <file>   <N findings> (<severities>)
  <file>   <N findings> (<severities>)
=====================================================
  /appsec:run                   Re-scan (detects changes)
  /appsec:explain <ID>          Explain a finding
  /appsec:run --scope changed   Scan only changed files
=====================================================
```
```json
{
  "last_scan": {
    "timestamp": "2026-02-14T10:30:00Z",
    "scope": "full",
    "depth": "standard",
    "tools_used": ["secrets", "injection", "access-control"]
  },
  "findings": {
    "total": 12,
    "by_severity": { "critical": 1, "high": 3, "medium": 5, "low": 3 },
    "by_framework": { "owasp": 8, "stride": 3, "secrets": 1 },
    "top_priorities": [
      { "id": "INJ-001", "severity": "critical", "title": "...", "file": "..." }
    ]
  },
  "changes_since_scan": {
    "modified_files": 5,
    "new_files": 2,
    "files_with_findings_modified": 1,
    "stale_findings": 3
  },
  "scanners": {
    "semgrep": { "installed": true, "findings": 4 },
    "gitleaks": { "installed": false }
  }
}
```
--scope changed on 3 files, note that coverage
is limited.
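
The counting and stale-finding steps described above, as an added example that is not part of the appsec plugin's own code. It assumes each entry in `findings.json` carries `id`, `severity`, `title`, `file` and `line` (inferred from the dashboard's TOP PRIORITIES line) and that the changed-file lists have already been collected; `summarize` and the sample data are hypothetical.

```python
import posixpath
from collections import Counter

SEVERITIES = ["critical", "high", "medium", "low"]  # dashboard column order

# Constructed sample data. The findings.json field names are assumed from the
# dashboard line "<ID> <severity> <title> (<file>:<line>)".
SAMPLE_FINDINGS = [
    {"id": "AC-003", "severity": "low", "title": "Verbose error page", "file": "app/views.py", "line": 15},
    {"id": "INJ-001", "severity": "critical", "title": "SQL built from input", "file": "app/db.py", "line": 42},
    {"id": "AC-002", "severity": "medium", "title": "Missing owner check", "file": "./app/db.py", "line": 88},
    {"id": "SEC-001", "severity": "high", "title": "Hard-coded API key", "file": "config/settings.py", "line": 7},
]
SAMPLE_MODIFIED = ["app/db.py", "README.md"]  # as printed by git diff --name-only
SAMPLE_NEW = ["app/upload.py"]


def summarize(findings, modified_files, new_files, top_n=5):
    """Build the findings and changes_since_scan parts of the JSON summary."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    unknown = sorted({f["severity"] for f in findings} - set(rank))
    if unknown:
        # Refuse to undercount: an unrecognised severity must not vanish.
        raise ValueError(f"unknown severity values: {unknown}")
    # Normalise paths so "./app/db.py" and "app/db.py" compare equal;
    # a mismatch here would silently hide stale findings.
    modified = {posixpath.normpath(p) for p in modified_files}
    stale = [f for f in findings if posixpath.normpath(f["file"]) in modified]
    counts = Counter(f["severity"] for f in findings)
    ordered = sorted(findings, key=lambda f: (rank[f["severity"]], f["id"]))
    return {
        "findings": {
            "total": len(findings),
            "by_severity": {s: counts[s] for s in SEVERITIES},
            "top_priorities": [
                {k: f[k] for k in ("id", "severity", "title", "file")}
                for f in ordered[:top_n]
            ],
        },
        "changes_since_scan": {
            "modified_files": len(modified),
            "new_files": len({posixpath.normpath(p) for p in new_files}),
            "files_with_findings_modified": len(
                {posixpath.normpath(f["file"]) for f in stale}
            ),
            "stale_findings": len(stale),
        },
    }
```

A finding counts as stale when its file appears in the modified list, so its reported line may no longer point at the vulnerable code until the next scan.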