security-audit

Security Audit

Critical Rules

  • Never install tools automatically — detect what is available, suggest install commands if missing, never run curl | sh.
  • Protect outputs — .security/ must be in .gitignore before any scan runs. Reports may contain secrets and vulnerability details.
  • Ask before fixing — present findings and fix plan, apply only what the user explicitly approves, one fix at a time.
  • Target the analysis — do not read the entire codebase. Focus Layer 4 on high-risk surfaces (auth, input boundaries, API config).
  • Timeout everything — 120s per dependency audit command, 300s for Trivy, 600s for SAST. Kill and note if exceeded.
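As an added example (not code from loomcrafthq/skills), a POSIX shell preflight that encodes the mechanical rules above: the .gitignore guard, tool detection without installation, and a hard timeout per command. The tool names, the install hint text and the PREFLIGHT_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from loomcrafthq/skills: a preflight that enforces the
# rules above before any scanner runs. Tool names and install hints passed to
# require_tool are assumptions chosen by the caller.

DEP_AUDIT_TIMEOUT=120   # per dependency audit command (npm audit, pip-audit, ...)
TRIVY_TIMEOUT=300
SAST_TIMEOUT=600

# Protect outputs: .security/ must be ignored before a report can be written
# there. Appends the entry to $1/.gitignore if no matching line exists.
ensure_security_ignored() {
  gi="$1/.gitignore"
  if [ -f "$gi" ] && grep -qxE '/?\.security/?' "$gi"; then
    return 0
  fi
  printf '.security/\n' >> "$gi"
  echo "added .security/ to $gi" >&2
}

# Never install automatically: returns 0 if $1 is on PATH; otherwise prints the
# caller-supplied install hint ($2) for the user to run by hand and returns 1.
require_tool() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "missing: $1 (install it yourself, e.g. $2)" >&2
  return 1
}

# Timeout everything: runs the command under a limit in seconds using GNU
# coreutils timeout. Exit status 124 means the limit was hit and the process
# was killed, which the caller should note in the report.
run_limited() {
  limit="$1"; shift
  timeout "$limit" "$@"
  rc=$?
  if [ "$rc" -eq 124 ]; then
    echo "timeout after ${limit}s, killed: $*" >&2
  fi
  return "$rc"
}

# Example wiring (assumed entry point; only runs when PREFLIGHT_RUN=1 is set):
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
  ensure_security_ignored . || exit 1
  require_tool trivy "see the Trivy documentation" || exit 1
  run_limited "$TRIVY_TIMEOUT" trivy fs --scanners vuln .
fi
```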

Modes

Mode            Layers          Output
quick           1 + 2           Inline summary only, no files
full (default)  1 + 2 + 3 + 4   Report + fix plan in .security/
ci              1 + 2 + 3 + 4   Report + exit code 1 if new critical/high

If the user does not specify a mode, use full.

More from loomcrafthq/skills

First Seen: Mar 9, 2026