███████╗███████╗ ██████╗██╗ ██╗██████╗ ██╗████████╗██╗ ██╗
██╔════╝██╔════╝██╔════╝██║ ██║██╔══██╗██║╚══██╔══╝╚██╗ ██╔╝
███████╗█████╗ ██║ ██║ ██║██████╔╝██║ ██║ ╚████╔╝
╚════██║██╔══╝ ██║ ██║ ██║██╔══██╗██║ ██║ ╚██╔╝
███████║███████╗╚██████╗╚██████╔╝██║ ██║██║ ██║ ██║
╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝
🔐 S K I L L
Your AI coding assistant just became a security engineer.
Interactive mode (Smart 5-question setup):
npx @netxeo/security-skillThe interactive mode automatically detects your stack (Next.js, Supabase, Docker, etc.) and asks you 5 simple questions to install only the security rules you actually need.
Fast mode (Silent install, bypasses prompts and installs all rules):
npx @netxeo/security-skill --yes # Installs everywhere (silent)
npx @netxeo/security-skill --all # Same as --yes
npx @netxeo/security-skill --claude # Claude only
npx @netxeo/security-skill --cursor # Cursor only
npx @netxeo/security-skill --windsurf
npx @netxeo/security-skill --cline
npx @netxeo/security-skill --copilotThat's it. Run this in any project. Then type /security-scan in your AI.
📦 Installing security-skill...
✅ Skill files installed → .skills/security/
✅ memory-security.md created
✅ .gitignore updated (6 security entries added)
Configuring AI assistants...
✅ CLAUDE.md created ← Claude / Antigravity
✅ AGENTS.md created ← OpenAI Codex CLI
✅ GEMINI.md created ← Gemini Code Assist
✅ .cursorrules created ← Cursor
✅ .cursor/rules/security.mdc ← Cursor (new format)
✅ .windsurfrules created ← Windsurf
✅ .clinerules created ← Cline
✅ .github/copilot-instructions.md ← GitHub Copilot+
✅ .continue/config.yaml created ← Continue.dev
⚡ Run /security-scan in your AI to get started!
Your AI now knows 25 security categories. It will flag vulnerabilities while you code, not after.
You: /security-audit
╔══════════════════════════════════════════════════╗
║ 🔐 SECURITY AUDIT — myproject ║
║ Stack: Next.js · Supabase · Vercel ║
╠══════════════════════════════════════════════════╣
║ ║
║ SECURITY SCORE : 61 / 100 🟠 ║
║ ║
╠══════════════════════════════════════════════════╣
║ 🔴 Secrets & Files 12/20 ← FIX NOW ║
║ 🟢 Auth & Sessions 16/20 ║
║ 🔴 Database (Supabase RLS) 8/20 ← FIX NOW ║
║ 🟡 HTTP Headers 12/20 ║
║ 🟢 Source Code 18/20 ║
║ ... 20 more categories... ║
╠══════════════════════════════════════════════════╣
║ 🔴 2 critical 🟠 3 high 🟡 4 medium ║
╚══════════════════════════════════════════════════╝
🔴 CRITICAL #1 — Supabase service role key in frontend code
Found: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY in .env.local
Risk: Full database access exposed to browser
Fix: /security-fix supabase-key
🔴 CRITICAL #2 — RLS disabled on 3 tables
Found: users, orders, messages (no row-level security)
Risk: Any authenticated user can read all data
Fix: /security-fix rls
📄 Full report → security-report.md
| Command | What it does |
|---|---|
/security-scan |
30-second scan, critical issues only |
/security-audit |
Full audit + score /100 + report file |
/security-fix |
Applies fixes — always asks before touching code |
/security-status |
Score history from memory-security.md |
/security-history |
Shows before→after audit comparison to prove value |
/security-incident |
Full incident response playbook |
100% of OWASP, 100% of CWE Top 25 — without installing a single extra tool.
📋 CWE Top 25 — Full list
| # | CWE | What we check |
|---|---|---|
| 1 | CWE-787 Out-of-bounds Write | Buffer.alloc(), safe allocation |
| 2 | CWE-79 XSS | textContent vs innerHTML, CSP nonces |
| 3 | CWE-89 SQL Injection | Parameterized queries everywhere |
| 4 | CWE-416 Use After Free | Event listener cleanup, memory lifecycle |
| 5 | CWE-78 OS Command Injection | execFile() with argument arrays |
| 6 | CWE-20 Improper Input Validation | Allowlists, schema validation (Zod) |
| 7 | CWE-125 Out-of-bounds Read | Buffer bounds, user-controlled sizes |
| 8 | CWE-22 Path Traversal | Path normalization, filename sanitization |
| 9 | CWE-352 CSRF | SameSite cookies + Sec-Fetch headers |
| 10 | CWE-434 Unrestricted Upload | MIME from bytes, size limits, web root |
| 11 | CWE-862 Missing Authorization | All routes checked for auth middleware |
| 12 | CWE-476 NULL Pointer Dereference | Null safety patterns on DB results |
| 13 | CWE-287 Improper Authentication | bcrypt cost, timing attacks, lockout |
| 14 | CWE-190 Integer Overflow | Price/quantity bounds validation |
| 15 | CWE-502 Deserialization | pickle.loads, yaml.load → safe_load |
| 16 | CWE-77 Command Injection | No shell: true, no string commands |
| 17 | CWE-119 Buffer Overflow | Buffer.alloc vs new Buffer |
| 18 | CWE-798 Hard-coded Credentials | Secret scanning in all files |
| 19 | CWE-918 SSRF | URL allowlist before any fetch() |
| 20 | CWE-306 Missing Auth Check | Route-level auth middleware scan |
| 21 | CWE-362 Race Condition | Atomic ops, distributed locks |
| 22 | CWE-269 Privilege Mismanagement | Least privilege, no root in Docker |
| 23 | CWE-94 Code Injection | No eval(), new Function(), dynamic require |
| 24 | CWE-863 Incorrect Authorization | Ownership check on every resource |
| 25 | CWE-276 Incorrect Permissions | File/DB/container permissions |
📋 OWASP Coverage — 7 lists
- ✅ OWASP Web Top 10 (2025)
- ✅ OWASP API Security Top 10
- ✅ OWASP Mobile Top 10
- ✅ OWASP LLM/AI Top 10
- ✅ OWASP Docker Top 10
- ✅ OWASP Serverless Top 10
- ✅ OWASP Cloud-Native Top 10
📋 All 25 security categories
01 Secrets & Files 08 Deployment & CI/CD 15 DNS & Email
02 Network & CORS 09 Docker Security 16 Supply Chain
03 HTTP Headers 10 Protocols (GQL/WS) 17 Mobile Security
04 Auth & Sessions 11 Advanced Attacks 18 Compliance & GDPR
05 Cryptography 12 All Injections 19 Monitoring & Honeytokens
06 JWT Security 13 Race Conditions 20 Serverless & Edge
07 Database Security 14 File Upload 21 Source Code Analysis
22 AI/LLM Security
23 Bot & DDoS
24 Browser APIs
25 Modern Security
Works out-of-the-box with every major AI coding assistant. No manual setup.
| AI Assistant | Auto-configured via |
|---|---|
| Claude / Antigravity | CLAUDE.md |
| Cursor | .cursorrules + .cursor/rules/security.mdc |
| GitHub Copilot+ | .github/copilot-instructions.md |
| Windsurf | .windsurfrules |
| Cline | .clinerules |
| OpenAI Codex CLI | AGENTS.md |
| Continue.dev | .continue/config.yaml |
| Aider | .aider.conf.yml |
| Gemini Code Assist | GEMINI.md |
1. npx @netxeo/security-skill
└─ installs 29 security instruction files to .skills/security/
└─ creates memory-security.md (tracks your score over time)
└─ creates AI config files for every assistant on your machine
└─ hardens .gitignore
2. /security-scan
└─ AI reads skill.md
└─ auto-detects your stack (Next.js? Express? Docker? Firebase?)
└─ runs the right checks for YOUR specific setup
└─ gives you a prioritized list, most critical first
3. /security-fix
└─ shows you the diff
└─ always asks before modifying anything
└─ zero breaking changes guaranteed
"Found a Supabase RLS misconfiguration that would have exposed all user data."
"Caught a hardcoded OpenAI key that was about to go to production."
"Finally understand what CSP headers actually do."
🎯 Signal vs Noise — Highly selective. Prioritizes practical fixes and avoids overwhelming you with overly strict or theoretical noise.
🧠 Semantic Analysis — Catches business logic flaws and context-dependent vulnerabilities that static analysis tools (like SonarQube) completely miss.
🛡️ AI Blind Spot Override — Forces LLMs to check rate-limiting and complex session fixation (ASVS L3), which they naturally ignore.
🔧 Non-destructive — Never auto-applies changes. You approve every fix.
📚 Educational — Explains why something is risky in simple terms instead of blindly giving patches, helping you actually learn.
⚡ Zero setup — No config, no API keys, no cloud service. Pure AI instructions.
🔄 Living memory — memory-security.md tracks your score across sessions.
🌍 Stack-agnostic — Works on Next.js, Express, Django, Laravel, Rails, Spring Boot, and more.
After your first audit, your score lives in memory-security.md:
| Date | Score | Critical | High | Notes |
|------------|--------|----------|------|--------------------|
| 2025-05-01 | 61/100 | 2 | 3 | First audit |
| 2025-05-03 | 84/100 | 0 | 1 | Fixed RLS + secret |
| 2025-05-10 | 97/100 | 0 | 0 | 🟢 Excellent |
To update to the latest security checks, simply re-run the installation:
npx @netxeo/security-skill@latest- This command will cleanly overwrite the
.skills/security/folder to provide the newest AI instructions. - Do not modify files inside
.skills/security/manually. - Your score history is safe. The installer will never overwrite your
memory-security.mdfile. - Custom Rules: If you need to add your own company-specific security rules, add them to the
## Custom Rulessection inside yourmemory-security.mdfile. The AI will always read them from there.
Found a missing vulnerability pattern? Open a PR.
The skill is 29 Markdown files. No build step. No TypeScript. Just knowledge.
instructions/
├── 01-secrets-management.md
├── 07-database-security.md
├── 22-ai-llm-security.md
└── ... 26 more
MIT — free forever.
⭐ Star this repo if it helped you catch a bug before production.
Covers: CWE Top 25 · OWASP Top 10 (7 lists) · ASVS Level 1-2-3