npx claudepluginhub ghostsecurity/skills --plugin ghost
This skill is limited to using the following tools:
You aggregate findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report. Do all work yourself — do not spawn subagents or delegate.
$ARGUMENTS
Run this Bash command to compute paths:
```bash
repo_name=$(basename "$(pwd)") &&
remote_url=$(git remote get-url origin 2>/dev/null || pwd) &&
short_hash=$(printf '%s' "$remote_url" | git hash-object --stdin | cut -c1-8) &&
repo_id="${repo_name}-${short_hash}" &&
short_sha=$(git rev-parse --short HEAD 2>/dev/null || date +%Y%m%d) &&
ghost_repo_dir="$HOME/.ghost/repos/${repo_id}" &&
scans_dir="${ghost_repo_dir}/scans/${short_sha}" &&
cache_dir="${ghost_repo_dir}/cache" &&
skill_dir=$(find . -path '*/skills/report/SKILL.md' 2>/dev/null | head -1 | xargs dirname) &&
echo "scans_dir=$scans_dir cache_dir=$cache_dir skill_dir=$skill_dir"
```
Store scans_dir (commit-level scan directory), cache_dir, and skill_dir.
If <scans_dir>/report.md already exists, show:
Combined security report is at: <scans_dir>/report.md
And stop. Do not regenerate it.
Read <cache_dir>/repo.md if it exists. Extract:
If it does not exist, continue without it — this is not an error.
List the contents of <scans_dir> to see which scan-type directories exist. Recognized types:
- deps/ — SCA / dependency vulnerability scan
- secrets/ — secrets and credentials scan
- code/ — code security scan (SAST)
If none of these directories exist, report an error:
No scan results found in <scans_dir>. Run one or more scan skills first:
/ghost-scan-deps
/ghost-scan-secrets
/ghost-scan-code
And stop.
For each scan type that exists, glob <scans_dir>/<type>/findings/*.md and read each finding file in full. Retain the complete markdown body of every finding — the report will inline this content directly so readers never need to open individual finding files.
From each finding, also extract these metadata fields for filtering and sorting:
- ## Metadata → ID
- Scan type (deps, secrets, or code)
- ## Metadata → Severity (high, medium, low)
- ## Metadata → Status (e.g., confirmed-exploitable, unverified, verified, rejected, clean)
Filter: Keep only high-confidence findings:
- deps findings: status is confirmed-exploitable
- secrets findings: status is NOT clean and NOT rejected
- code findings: status is verified or unverified (NOT rejected)
Exclude any finding with status clean, rejected, or false-positive.
Sort the remaining findings:
For deps and secrets scan types, read <scans_dir>/<type>/report.md if present. Extract:
Note: code does not produce a report.md. For code scan coverage, count the finding files in <scans_dir>/code/findings/ directly. The "Candidates Scanned" count is the total number of finding files (all statuses). "Confirmed Findings" is the count with status verified, confirmed, or unverified. "False Positives Filtered" is the count with status rejected. Do NOT count clean file analyses from the nomination/analysis funnel — those never became findings.
If a per-scan report does not exist for deps or secrets, note it as unavailable.
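As an added example (not part of the Ghost skill or its scanners), the per-type filter rules and the code/ coverage counts above as a small Python module run over constructed finding files. The finding-file layout (`- Key: value` bullets under `## Metadata`), the sample findings and the sort order (severity, then scan type, then ID) are assumptions, since the skill does not state them.

```python
import re
from collections import Counter

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def finding(fid, severity, status):
    """Constructed finding body in the assumed layout: '- Key: value' bullets under '## Metadata'."""
    return f"# {fid}\n\n## Metadata\n- ID: {fid}\n- Severity: {severity}\n- Status: {status}\n\n## Details\n(body)\n"

# Constructed sample files, keyed by "<type>/findings/<file>.md" relative to scans_dir.
SAMPLE_FINDINGS = {
    "deps/findings/f1.md": finding("DEP-1", "high", "confirmed-exploitable"),
    "deps/findings/f2.md": finding("DEP-2", "medium", "unverified"),
    "secrets/findings/f1.md": finding("SEC-1", "low", "clean"),
    "secrets/findings/f2.md": finding("SEC-2", "high", "unverified"),
    "code/findings/f1.md": finding("CODE-1", "medium", "verified"),
    "code/findings/f2.md": finding("CODE-2", "high", "rejected"),
    "code/findings/f3.md": finding("CODE-3", "low", "unverified"),
}

def parse_metadata(body):
    """Return {key: value} from the bullets of the '## Metadata' section (keys lower-cased)."""
    m = re.search(r"^## Metadata\s*$(.*?)(?=^## |\Z)", body, flags=re.M | re.S)
    pairs = re.findall(r"^-\s*([^:]+):\s*(.+?)\s*$", m.group(1) if m else "", flags=re.M)
    return {k.strip().lower(): v for k, v in pairs}

def keep(scan_type, status):
    """The skill's per-type filter rules plus its global exclusions."""
    if status in {"clean", "rejected", "false-positive"}:
        return False
    rules = {"deps": {"confirmed-exploitable"}, "code": {"verified", "unverified"}}
    return scan_type == "secrets" or status in rules.get(scan_type, set())

def load_findings(files):
    """Parse every finding; the full body is retained so the report can inline it."""
    return [{**parse_metadata(body), "type": path.split("/", 1)[0], "body": body}
            for path, body in files.items()]

def aggregate(files):
    """Filter, then sort by the assumed order: severity, then scan type, then ID."""
    kept = [f for f in load_findings(files) if keep(f["type"], f.get("status", "").lower())]
    return sorted(kept, key=lambda f: (SEVERITY_RANK.get(f.get("severity", "").lower(), 9), f["type"], f.get("id", "?")))

def code_coverage(files):
    """Coverage counts for code/, derived from the finding files as the skill specifies."""
    statuses = Counter(f.get("status", "").lower() for f in load_findings(files) if f["type"] == "code")
    return {"candidates_scanned": sum(statuses.values()),
            "confirmed_findings": sum(statuses[s] for s in ("verified", "confirmed", "unverified")),
            "false_positives_filtered": statuses["rejected"]}
```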
<skill_dir>/report-template.md
<scans_dir>/report.md
Combined security report is at: <scans_dir>/report.md