vc-security

GitHub

基于STRIDE和OWASP标准的安全审计技能,扫描代码漏洞并按严重程度分类。支持仅审计报告或自动迭代修复模式,涵盖依赖检查与密钥泄露检测,适用于发布前、核心功能变更后及合规审查场景。

.claude/skills/vc-security/SKILL.md withkynam/vibecode-pro-max-kit

Trigger Scenarios

发布或重大部署前安全审查 新增认证、支付或数据处理功能后 定期(月/季)安全巡检 SOC 2、GDPR等合规性检查准备

Install

npx skills add withkynam/vibecode-pro-max-kit --skill vc-security -g -y
More Options

Non-standard path

npx skills add https://github.com/withkynam/vibecode-pro-max-kit/tree/main/.claude/skills/vc-security -g -y

Use without installing

npx skills use withkynam/vibecode-pro-max-kit@vc-security

指定 Agent (Claude Code)

npx skills add withkynam/vibecode-pro-max-kit --skill vc-security -a claude-code -g -y

安装 repo 全部 skill

npx skills add withkynam/vibecode-pro-max-kit --all -g -y

预览 repo 内 skill

npx skills add withkynam/vibecode-pro-max-kit --list

SKILL.md

Frontmatter
{
    "name": "vc-security",
    "layer": "helper",
    "metadata": {
        "author": "claudekit",
        "license": "MIT",
        "version": "1.0.0",
        "attribution": "Security audit pattern adapted from autoresearch by Udit Goenka (MIT)"
    },
    "description": "STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using vc-autoresearch pattern.",
    "argument-hint": "<scope glob or 'full'> [--fix] [--iterations N]",
    "trigger_keywords": "security, vulnerability, auth, XSS, SQL injection"
}

vc-security — Security Audit

Output style: Follow process/development-protocols/communication-standards.md — answer-first, plain language, no unexplained jargon, TL;DR on long responses.

Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With --fix, applies fixes iteratively using the vc-autoresearch guard pattern.

When to Use

  • Before a release or major deployment
  • After adding auth, payment, or data-handling features
  • Periodic security review (monthly/quarterly)
  • Compliance check (SOC 2, GDPR, PCI-DSS prep)

When NOT to Use

  • Purely cosmetic changes (CSS, copy edits)
  • No user-facing code or data handling involved

Modes

Mode Invocation Behavior
Audit only /vc-security <scope> Scan → categorize → report
Audit + Fix /vc-security <scope> --fix Scan → categorize → fix iteratively
Bounded fix /vc-security <scope> --fix --iterations N Limit fix iterations to N

Audit Methodology

1. Scope Resolution

Expand the provided glob or full keyword into a file list. Read all in-scope files before analysis.

2. STRIDE Analysis

Evaluate each threat category systematically:

  • Spoofing — identity/authentication weaknesses
  • Tampering — input validation, integrity controls
  • Repudiation — audit logging gaps
  • Information Disclosure — data leakage, secret exposure
  • Denial of Service — rate limits, resource exhaustion
  • Elevation of Privilege — broken access control, RBAC gaps

3. OWASP Top 10 Check

Map findings to OWASP categories (A01–A10). See references/stride-owasp-checklist.md for per-category checks.

4. Dependency Audit

Run the appropriate package audit tool for the detected stack:

  • Node.js: pnpm audit
  • Python: pip-audit
  • Go: govulncheck
  • Ruby: bundle audit

5. Secret Detection

Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See references/stride-owasp-checklist.md → Secret Patterns.

6. Finding Categorization

Assign each finding a severity level (see Severity Definitions below).


Output Format

## Security Audit Report

### Summary
- Files scanned: N
- Findings: X critical, Y high, Z medium, W low, V info

### Findings

| # | Severity | Category | File:Line | Description | Fix Recommendation |
|---|----------|----------|-----------|-------------|-------------------|
| 1 | Critical  | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
| 2 | High      | Auth      | auth/login.ts:12 | No rate limiting | Add express-rate-limit |

Fix Mode (--fix)

When --fix is provided, apply fixes iteratively after the audit:

  1. Sort all findings by severity (Critical → High → Medium → Low)
  2. For each finding: a. Apply one targeted fix b. Run guard (tests or lint) to verify no regression c. Commit: security(fix-N): <short description> d. Advance to next finding
  3. Stop early if guard fails — report the failure instead of proceeding
  4. Uses vc-autoresearch guard pattern for regression prevention

Tip: Use --iterations N to cap total fix iterations when scope is large.


Severity Definitions

Severity Description Fix Priority
Critical Exploitable now, data breach or RCE risk Immediate — block release
High Exploitable with moderate effort, significant impact This sprint
Medium Limited exploitability or impact Next sprint
Low Theoretical risk, defense-in-depth improvement Backlog
Info Best practice suggestion, no direct risk Optional

Integration with Other Skills

  • Run after vc-predict when the security persona flags concerns
  • Feed Critical/High findings into vc-autoresearch --fix for automated remediation
  • Use vc-scenario with --focus authorization for deeper auth flow testing
  • Pair with generate-plan / plan-agent to schedule Medium/Low findings as sprint tasks

Example Invocations

# Audit API layer only
/vc-security src/api/**/*.ts

# Audit entire src/ and auto-fix, max 15 iterations
/vc-security src/ --fix --iterations 15

# Full codebase audit (no fix)
/vc-security full

See references/stride-owasp-checklist.md for the detailed per-category checklist and secret detection regex patterns.

Version History

  • 3bcb2f9 Current 2026-07-05 14:36

Same Skill Collection

.claude/skills/vc-agent-browser/SKILL.md
.claude/skills/vc-agent-strategy-compare/SKILL.md
.claude/skills/vc-audit-context/SKILL.md
.claude/skills/vc-audit-plans/SKILL.md
.claude/skills/vc-audit-vc/SKILL.md
.claude/skills/vc-autopilot/SKILL.md
.claude/skills/vc-autoresearch/SKILL.md
.claude/skills/vc-context-discovery/SKILL.md
.claude/skills/vc-debug/SKILL.md
.claude/skills/vc-docs-seeker/SKILL.md
.claude/skills/vc-feasibility-test/SKILL.md
.claude/skills/vc-frontend-design/SKILL.md
.claude/skills/vc-generate-closeout/SKILL.md
.claude/skills/vc-generate-context/SKILL.md
.claude/skills/vc-generate-phase-program/SKILL.md
.claude/skills/vc-generate-plan/SKILL.md
.claude/skills/vc-generate-spec/SKILL.md
.claude/skills/vc-intent-clarify/SKILL.md
.claude/skills/vc-plan-discovery/SKILL.md
.claude/skills/vc-predict/SKILL.md
.claude/skills/vc-problem-solving/SKILL.md
.claude/skills/vc-publish/SKILL.md
.claude/skills/vc-review-situation/SKILL.md
.claude/skills/vc-risk-evidence-pack/SKILL.md
.claude/skills/vc-scenario/SKILL.md
.claude/skills/vc-scout/SKILL.md
.claude/skills/vc-sequential-thinking/SKILL.md
.claude/skills/vc-setup/SKILL.md
.claude/skills/vc-test-coverage-plan/SKILL.md
.claude/skills/vc-update/SKILL.md
.claude/skills/vc-validate-findings/SKILL.md
.claude/skills/vc-web-testing/SKILL.md

Metadata

Files
0
Version
3bcb2f9
Hash
50db37b9
Indexed
2026-07-05 14:36

Home - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-13 16:36
浙ICP备14020137号-1 $Map of visitor$