Loading...
Loading...
Found 25 Skills
Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.
Enumerate and analyze client-side JavaScript for hidden endpoints, secrets, dangerous sinks, and exploitable browser behaviors.
Run all security scanners against the project and produce a unified, severity-bucketed report. Orchestrates gitleaks (secrets), osv-scanner/trivy (dependency vulns), semgrep (static analysis), context-file injection scanner (built-in), and repo hygiene checks (built-in). Missing scanners are skipped with install hints — the scan always completes. Triggers on: 'security check', 'security scan', 'run security', 'scan for secrets', 'check for vulnerabilities', 'security audit', 'audit dependencies', 'check secrets', 'find vulnerabilities', 'scan codebase'.
Audit MCP (Model Context Protocol) server configurations for security issues. Use this skill when: - Reviewing .mcp.json files for security risks - Checking MCP server args for hardcoded secrets or shell injection patterns - Validating that MCP servers use pinned versions (not @latest) - Detecting unpinned dependencies in MCP server configurations - Auditing which MCP servers a project registers and whether they're on an approved list - Checking for environment variable usage vs. hardcoded credentials in MCP configs - Any request like "is my MCP config secure?", "audit my MCP servers", or "check .mcp.json" keywords: [mcp, security, audit, secrets, shell-injection, supply-chain, governance]
Git security best practices for 2025 including signed commits, zero-trust workflows, secret scanning, and verification
Run Trivy to scan container images for OS and library vulnerabilities, misconfigurations, and secrets. Comprehensive multi-target security scanner.
Detect accidentally committed secrets, credentials, and sensitive information in code.
Systematic 4-phase codebase exploration: Detect, Explore, Map, Summarize. Use when starting work on an unfamiliar codebase, onboarding to a new project, reviewing a repository for the first time, or building context before debugging or code review. Use for "explore codebase", "what does this project do", "understand architecture", or "onboard me". Do NOT use for modifying files, running applications, performance optimization, or deep domain analysis.
Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
Managing secrets (API keys, database credentials, certificates) with Vault, cloud providers, and Kubernetes. Use when storing sensitive data, rotating credentials, syncing secrets to Kubernetes, implementing dynamic secrets, or scanning code for leaked secrets.
Helps with Prowler repository CI and PR gates (GitHub Actions workflows). Trigger: When investigating CI checks failing on a PR, PR title validation, changelog gate/no-changelog label, conflict marker checks, secret scanning, CODEOWNERS/labeler automation, or anything under .github/workflows.
Security vulnerability scanner for any application. Use proactively and aggressively whenever the user asks to review code, perform a security audit, scan for vulnerabilities, look for application improvements, harden security, check for OWASP issues, find secrets, or assess risk. Triggers on phrases like code review, security review, audit, vulnerability, OWASP, CVE, improve security, find issues, look for improvements, secure code, pentest, threat model, harden app, audit deps. If the working directory is empty, ask for a GitHub URL and clone with gh before analyzing. Aligned to OWASP Top 10:2025. Writes a structured report to audit/<YYYY-MM-DD>/report.md in the project root.