Master skill for comprehensive security analysis. Identifies technology stack and delegates to specialized security sub-skills for deep vulnerability assessment.
February 1, 2026
npx add-skill https://github.com/davistroy/claude-marketplace/blob/main/plugins/personal-plugin/skills/security-analysis/SKILL.md -a claude-code --skill security-analysis

Installation paths:
.claude/skills/security-analysis/

# Security Analysis Framework

## Instructions

You are the entry point for security vulnerability scanning and analysis. Your goal is to **Identify** the technology stack, **Scan** for vulnerabilities, **Assess** real-world risk, and **Remediate** with actionable solutions.

## Core Security Analysis Process

### Phase 1: Discovery & Reconnaissance

1. **Technology Stack Detection**: Identify languages, frameworks, and dependencies
2. **Attack Surface Mapping**: Enumerate all entry points (APIs, forms, file uploads, etc.)
3. **Dependency Inventory**: List all direct and transitive dependencies
4. **Configuration Review**: Check for security-relevant configurations

### Phase 2: Vulnerability Scanning

#### A. Static Code Analysis

Scan source code for:

- **Injection Vulnerabilities**: SQL, NoSQL, Command, LDAP, XPath, Template injection
- **Broken Authentication**: Weak password policies, session fixation, credential storage
- **Sensitive Data Exposure**: Hardcoded secrets, unencrypted data, logging sensitive info
- **XML External Entities (XXE)**: Unsafe XML parsing
- **Broken Access Control**: Missing authorization checks, IDOR vulnerabilities
- **Security Misconfiguration**: Default credentials, unnecessary features enabled
- **Cross-Site Scripting (XSS)**: Reflected, Stored, DOM-based
- **Insecure Deserialization**: Unsafe object deserialization
- **Using Components with Known Vulnerabilities**: Outdated dependencies
- **Insufficient Logging & Monitoring**: Missing security event logging

#### B. Dependency Vulnerability Analysis

**IMPORTANT**: Always run native security audit tools FIRST before web search for faster and more accurate results.

For each dependency:

1. **Extract Version Information**: From package manifests (package.json, requirements.txt, pom.xml, etc.)
2. **Run Native Security Audit Tools** (Primary Method):
   - **Node.js/JavaScript**: `npm audit` or `npm audit --json` for detailed output
   - **Python**: `pip-audit` or `safety check`
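
An added example (not part of the skill or its repository) of consuming the `npm audit --json` output named in step 2: it separates root-cause advisories from findings inherited through another package and orders the result for triage. It assumes the npm 7+ report layout (`auditReportVersion` 2); the sample report, package names and advisory titles are constructed and trimmed to the fields used.

```python
import json

# Constructed sample in the layout `npm audit --json` emits on npm 7+
# (auditReportVersion 2), trimmed to the fields read below.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-web": {"name": "example-web", "severity": "high", "isDirect": True,
                        "via": ["example-parser"], "range": "<=4.1.0",
                        "fixAvailable": {"name": "example-web", "version": "5.0.0",
                                         "isSemVerMajor": True}},
        "example-parser": {"name": "example-parser", "severity": "high", "isDirect": False,
                           "via": [{"title": "Constructed advisory: prototype pollution"}],
                           "range": "<2.3.1", "fixAvailable": True},
        "example-log": {"name": "example-log", "severity": "low", "isDirect": True,
                        "via": [{"title": "Constructed advisory: log injection"}],
                        "range": "<1.0.4", "fixAvailable": False},
    },
})

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

def triage(report_json):
    """Return findings sorted by severity, then direct dependencies first."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("unsupported npm audit report version")
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (root cause) with package names (inherited).
        advisories = [v["title"] for v in vuln["via"] if isinstance(v, dict)]
        inherited = [v for v in vuln["via"] if isinstance(v, str)]
        fix = vuln.get("fixAvailable")  # False, True, or an object describing the upgrade
        major = isinstance(fix, dict) and fix.get("isSemVerMajor")
        findings.append({
            "package": name,
            "severity": vuln["severity"],
            "direct": vuln["isDirect"],
            "advisories": advisories,
            "inherited_from": inherited,
            "fix": "none" if not fix else "breaking upgrade" if major else "upgrade",
        })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 5), not f["direct"], f["package"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

In a real run the input would be the captured stdout of `npm audit --json` instead of `SAMPLE_REPORT`.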