Security Vulnerability Analysis | gemini-cli-security | ClaudePluginHub

Skill

Community

Security Vulnerability Analysis

From gemini-cli-security

0

Description

Identify security vulnerabilities using SAST methodology with MCP tools for code scanning. Use when reviewing code security, analyzing vulnerabilities, auditing changes, or when user mentions security, vulnerabilities, SQL injection, XSS, authentication, secrets, or security audit.

AI Summary

Performs security vulnerability analysis using SAST methodology to identify hardcoded secrets, injection flaws, broken access control, and authentication issues. Triggers when reviewing code security, analyzing vulnerabilities, auditing changes, or when user mentions security, vulnerabilities, SQL injection, XSS, authentication, secrets, or security audit.

Install

1

Add the repository(one-time)

$

/plugin marketplace add pleaseai/security-plugin

2

Install the plugin

$

/plugin install gemini-cli-security@pleaseai

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobmcp__securityServer__scan_filemcp__securityServer__analyze_code

Skill Content

Security Vulnerability Analysis

Expert security analysis following senior security engineer methodology.

Core Principles

Assume All External Input is Malicious
Principle of Least Privilege
Fail Securely: Never expose sensitive info in errors

Vulnerability Categories

1. Hardcoded Secrets

API keys, passwords, private keys
Database connection strings
Decode base64 strings for hidden credentials

2. Broken Access Control

IDOR: Verify ownership checks on user-supplied IDs
Missing Authorization: Check admin/permission guards
Privilege Escalation: User shouldn't modify own role
Path Traversal: Sanitize file paths from user input

3. Insecure Data Handling

Weak crypto (DES, MD5, SHA1, RSA < 2048)
PII in logs or transmitted over HTTP
Insecure deserialization from untrusted sources

4. Injection Vulnerabilities

SQL Injection: String concatenation in queries
XSS: dangerouslySetInnerHTML with unsanitized input
Command Injection: User input in shell commands
SSRF: User-provided URLs without allowlist
SSTI: User input in server templates

5. Authentication Flaws

Weak session tokens (predictable, insufficient randomness)
Insecure password reset flows
Missing brute-force protection

6. LLM Safety

Prompt Injection: User input in LLM prompts
Unsafe Output: LLM to eval(), exec(), SQL, HTML
Flawed Logic: Security decisions based on LLM output
Excessive Tool Permissions: File writes, network, shell

Severity Assessment

Level	Impact	Examples
Critical	RCE, full compromise, data exfiltration	SQL→RCE, hardcoded root creds
High	Read/modify sensitive data, DoS	Stored XSS, IDOR on critical data
Medium	Limited data access, requires interaction	Reflected XSS, PII in logs
Low	Minimal impact, complex exploit	Verbose errors, limited path traversal

Reporting Requirements

Each finding must include:

Vulnerability: Brief name (e.g., "SQL Injection")
Severity: Critical/High/Medium/Low
Location: File path and line numbers
Line Content: Exact vulnerable code
Description: Impact and explanation
Recommendation: Clear remediation steps

High-Fidelity Principles

Before reporting, verify:

✅ Executable, non-test code?
✅ Can point to specific lines?
✅ Direct evidence, not speculation?
✅ Developer can fix in this code?
✅ Plausible negative impact in production?

ALL must be YES to report.

Tool Usage

Offer users:

/security:analyze for automated comprehensive scan
Manual review based on conversation

Use MCP tools (scan_file, analyze_code) or READ-ONLY tools for analysis.

For complete methodology, see GEMINI.md

Links

GitHub Stats

0 forks

Updated 2 months ago

Similar Skills

auth-implementation-patterns

Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

developer-essentials

24.7k

bazel-build-optimization

Optimize Bazel builds for large-scale monorepos. Use when configuring Bazel, implementing remote execution, or optimizing build performance for enterprise codebases.

developer-essentials

24.7k

code-review-excellence

Master effective code review practices to provide constructive feedback, catch bugs early, and foster knowledge sharing while maintaining team morale. Use when reviewing pull requests, establishing review standards, or mentoring developers.

developer-essentials

24.7k