Scan code content for CWE-22 (path traversal) and CWE-78 (command injection) vulnerabilities before PR submission. Lightweight pattern-based detection for Python, PowerShell, Bash, and C# files. Use when preparing code for review or as a pre-commit gate.
Scans code for path traversal and command injection vulnerabilities before PR submission using lightweight pattern detection.
/plugin marketplace add rjmurillo/ai-agents/plugin install project-toolkit@ai-agentsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Proactive vulnerability detection for common security issues before PR submission.
| Trigger Phrase | Operation |
|---|---|
scan for vulnerabilities | scan_vulnerabilities.py on staged/specified files |
check for path traversal | scan_vulnerabilities.py with CWE-22 focus |
check for command injection | scan_vulnerabilities.py with CWE-78 focus |
pre-PR security scan | scan_vulnerabilities.py on staged files |
run security scan | scan_vulnerabilities.py with full scan |
Use this skill when:
Use security-detection instead when:
Use codeql-scan instead when:
Use threat-modeling instead when:
| Input | Output | Performance |
|---|---|---|
| Staged files | JSON findings + console summary | 2-5s |
| Specific files | JSON findings + console summary | 1-3s |
| Directory scan | JSON findings + console summary | 5-15s |
| Script | Purpose |
|---|---|
scripts/scan_vulnerabilities.py | Main scanner for CWE-22 and CWE-78 patterns |
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py --git-staged
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py path/to/file.py another/script.ps1
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py --directory src/
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py --git-staged --format json
# Path traversal only
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py --cwe 22 --git-staged
# Command injection only
python .claude/skills/security-scan/scripts/scan_vulnerabilities.py --cwe 78 --git-staged
When vulnerabilities are detected, the scanner outputs findings with file location, pattern matched, and severity. Each finding includes the specific code line and a recommendation for remediation.
Machine-readable JSON format including scan timestamp, files scanned, vulnerability details (CWE, file, line, code, severity, recommendation), and summary statistics.
| Code | Meaning | CI Behavior |
|---|---|---|
| 0 | No vulnerabilities found | Pass |
| 1 | Scan error (file not found, etc.) | Fail |
| 10 | Vulnerabilities detected | Fail |
| Language | Pattern | Risk |
|---|---|---|
| Python | Path join with user input without validation | HIGH |
| Python | File open with unvalidated path | HIGH |
| Python | pathlib.Path without containment check | HIGH |
| PowerShell | Join-Path with user input without validation | HIGH |
| PowerShell | Get-Content with unvalidated path | HIGH |
| Bash | File operations with unvalidated path variables | HIGH |
| Bash | Source command with external input | CRITICAL |
| C# | Path.Combine with user input without validation | HIGH |
| C# | File operations with unvalidated path | HIGH |
Detection Heuristics:
user*, input*, param*, arg*, request*.. traversal checks| Language | Pattern | Risk |
|---|---|---|
| Python | Subprocess with string formatting and user data | CRITICAL |
| Python | Shell command execution with concatenated input | CRITICAL |
| Python | Subprocess with shell=True and user data | HIGH |
| PowerShell | Invoke-Expression with variable interpolation | CRITICAL |
| PowerShell | Dynamic command execution with unvalidated input | HIGH |
| PowerShell | Start-Process with unvalidated arguments | HIGH |
| Bash | eval with user input | CRITICAL |
| Bash | Command substitution with user data | CRITICAL |
| Bash | Unquoted variables in commands | MEDIUM |
| C# | Process.Start with dynamic command | HIGH |
| C# | String interpolation in process arguments | HIGH |
Detection Heuristics:
Add to .githooks/pre-commit to run security scan before commits (blocking mode).
Add a workflow step to run the scanner with JSON output and upload results as artifacts.
Recommended workflow order:
Security Scan Workflow
======================
┌─────────────────┐
│ Collect Files │ <- --git-staged, --directory, or explicit paths
└────────┬────────┘
│
▼
┌─────────────────┐
│ Detect Language │ <- .py, .ps1, .sh, .cs, .bash
└────────┬────────┘
│
▼
┌─────────────────┐
│ Apply CWE-22 │ <- Path traversal patterns by language
│ Patterns │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Apply CWE-78 │ <- Command injection patterns by language
│ Patterns │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Aggregate │ <- Deduplicate, sort by severity
│ Findings │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Output Results │ <- Console or JSON format
└─────────────────┘
| Avoid | Why | Instead |
|---|---|---|
| Skipping scan before PR | Vulnerabilities caught in review waste cycles | Run scan before every PR submission |
| Ignoring MEDIUM severity | Can escalate to exploitable | Review all findings, document accepted risks |
| Only scanning changed files | Misses vulnerabilities in dependencies | Periodic full directory scans |
| Suppressing without documentation | Loses context for future audits | Document suppressions in code comments |
| Using this instead of codeql-scan for SAST | Pattern matching misses data flow issues | Use both: this for quick feedback, CodeQL for deep analysis |
To suppress false positives, add inline comments with justification:
# security-scan: ignore CWE-22 - path validated by validate_upload_path()
Suppressions are tracked in scan output for audit purposes.
After running security scan:
| Skill | Relationship |
|---|---|
security-detection | Detects which files need review (path-based routing) |
codeql-scan | Full SAST analysis (heavyweight, CI-focused) |
threat-modeling | Design-level STRIDE analysis |
analyze | General code analysis with security focus option |
.agents/analysis/closed-pr-reviewer-patterns-2026-02-08.md| Extension | How to Add |
|---|---|
| New CWE patterns | Add to PATTERNS dict in scan_vulnerabilities.py |
| New language support | Add language detection and patterns |
| Custom severity rules | Modify severity calculation logic |
| Integration with other tools | Add output format adapters |
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.