{"manifest":{"name":"Security Scanner","version":"1.0.0","description":"OWASP Top 10 security scanner. Finds injection, XSS, broken auth, hardcoded secrets, vulnerable dependencies. Severity-ranked actionable report.","tags":["security","owasp","scanner","devtools"],"standard":"agentskills.io","standard_version":"1.0","content_checksum":"d02b20a4538c5c4bc8f1aa29fa5c62d2687b3a79c8e0db36266a308614f2eea2","bundle_checksum":null,"metadata":{},"files":[]},"files":{"SKILL.md":"# Security Scanner\n\n> **Purpose:** Scan a codebase for security vulnerabilities following OWASP Top 10 and common CVE patterns. Produces an actionable report with severity rankings.\n\n---\n\n## Invocation\n\n```\n/security-scan [path] [--severity critical|high|medium|all]\n```\n\nDefault: scan entire project, report all severities.\n\n---\n\n## Vulnerability Categories\n\n### A01: Broken Access Control\n- Missing auth middleware on protected routes\n- Direct object reference without ownership check\n- CORS misconfiguration (`Access-Control-Allow-Origin: *`)\n- Missing CSRF tokens on state-changing operations\n\n### A02: Cryptographic Failures\n- Hardcoded secrets, API keys, tokens in source\n- Weak hashing (MD5, SHA1 for passwords)\n- Missing HTTPS enforcement\n- Sensitive data in URL parameters or logs\n\n### A03: Injection\n- SQL injection via string interpolation\n- NoSQL injection through unsanitized query objects\n- OS command injection via `exec()`, `spawn()` with user input\n- LDAP, XPath, or template injection\n\n### A04: Insecure Design\n- Missing rate limiting on auth endpoints\n- No account lockout after failed attempts\n- Password reset tokens without expiry\n- Predictable resource IDs\n\n### A05: Security Misconfiguration\n- Debug mode enabled in production config\n- Default credentials in configuration files\n- Verbose error messages exposing stack traces\n- Unnecessary HTTP methods enabled\n\n### A07: Cross-Site Scripting (XSS)\n- Unescaped user input rendered as HTML\n- `dangerouslySetInnerHTML` without sanitization\n- Event handler injection through user-controlled attributes\n- SVG/XML injection\n\n### A08: Software and Data Integrity\n- Dependencies with known CVEs (check package-lock.json)\n- Missing integrity checks on CDN resources\n- Unsigned or unverified updates\n\n### A09: Logging & Monitoring Failures\n- Sensitive data in log output (passwords, tokens, PII)\n- Missing audit logging for admin operations\n- No rate limit logging\n\n---\n\n## Scan Process\n\n1. **File Discovery** — Glob for source files (`.ts`, `.js`, `.py`, `.go`, `.rb`, `.java`)\n2. **Pattern Matching** — AST-aware scan for vulnerability patterns\n3. **Dependency Audit** — Check `package-lock.json` / `requirements.txt` against advisory databases\n4. **Secret Detection** — Regex scan for API keys, tokens, passwords\n5. **Configuration Review** — Check env files, Docker configs, CI/CD pipelines\n\n---\n\n## Output Format\n\n```\n🔴 CRITICAL | A03:Injection | src/api/users.ts:42\n  SQL query built with string concatenation using user input.\n  Fix: Use parameterized query: db.query('SELECT * FROM users WHERE id = $1', [userId])\n\n🟡 MEDIUM | A02:Crypto | .env.example:3\n  Example env file contains what appears to be a real API key.\n  Fix: Replace with placeholder value: API_KEY=your-api-key-here\n```\n\n---\n\n## Summary Report\n\n| Category | Critical | High | Medium | Low |\n|----------|----------|------|--------|-----|\n| Injection | 1 | 0 | 0 | 0 |\n| Access Control | 0 | 2 | 1 | 0 |\n| Crypto | 0 | 0 | 1 | 2 |\n| XSS | 0 | 1 | 0 | 0 |\n| **Total** | **1** | **3** | **2** | **2** |\n\n## Playground\n\n<!DOCTYPE html><html><head><meta charset='utf-8'><style>*{box-sizing:border-box;margin:0;padding:0}body{background:#0d1117;color:#e6edf3;font-family:monospace;font-size:12px;height:100vh;display:flex;flex-direction:column;overflow:hidden}.header{background:#161b22;border-bottom:1px solid #30363d;padding:8px 14px;font-size:11px;color:#8b949e;display:flex;justify-content:space-between;align-items:center;flex-shrink:0}.title{color:#58a6ff;font-weight:bold;font-size:13px}.panels{display:flex;flex:1;overflow:hidden}.panel{flex:1;overflow:auto;padding:12px;border-right:1px solid #30363d}.panel:last-child{border-right:none}.label{font-size:10px;color:#8b949e;text-transform:uppercase;letter-spacing:.08em;margin-bottom:6px}pre{white-space:pre-wrap;word-break:break-word;line-height:1.5}</style></head><body><div class='header'><span class='title'>Security Scanner</span><span>Example · SkillSlap</span></div><div class='panels'><div class='panel'><div class='label'>Input: Code snippet</div><pre><span style='color:#8b949e'>app.get('/user', (req, res) =&gt; {</span>\n<span style='color:#8b949e'>  const id = req.query.id</span>\n<span style='color:#8b949e'>  db.query(</span>\n<span style='color:#8b949e'>    `SELECT * FROM users</span>\n<span style='color:#8b949e'>     WHERE id = '${id}'`,</span>\n<span style='color:#8b949e'>    (err, rows) =&gt; res.json(rows)</span>\n<span style='color:#8b949e'>  )</span>\n<span style='color:#8b949e'>})</span></pre></div><div class='panel'><div class='label'>Output: Findings</div><pre><span style='color:#f85149'>🔴 CRITICAL — SQL Injection (line 3)</span>\n<span style='color:#8b949e'>User-controlled `id` interpolated</span>\n<span style='color:#8b949e'>directly into SQL. CVSS 9.8 / CWE-89</span>\n\n<span style='color:#f85149'>🔴 HIGH — Mass data exposure (line 5)</span>\n<span style='color:#8b949e'>`SELECT *` leaks all columns including</span>\n<span style='color:#8b949e'>password hashes, tokens, PII.</span>\n\n<span style='color:#e3b341'>🟡 MEDIUM — No auth check (line 1)</span>\n<span style='color:#8b949e'>Route has no authentication middleware.</span>\n<span style='color:#8b949e'>Any caller can query arbitrary users.</span>\n\n<span style='color:#8b949e'>Fix: parameterised query + auth guard</span></pre></div></div></body></html>"}}