security-sweep
Scan codebase for security vulnerabilities, hardcoded secrets, injection flaws, misconfigurations, and attack surfaces. Use when user wants a security audit, vulnerability scan, or to find security issues.
git clone https://github.com/Onome-AJ/security-sweep-plugin
T=$(mktemp -d) && git clone --depth=1 https://github.com/Onome-AJ/security-sweep-plugin "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/security-sweep" ~/.claude/skills/onome-aj-security-sweep-plugin-security-sweep && rm -rf "$T"
skills/security-sweep/SKILL.mdSecurity Sweep
Run a comprehensive security scan of the codebase. This skill identifies vulnerabilities, hardcoded secrets, injection flaws, misconfigurations, and attack surfaces across web and mobile applications.
Arguments
(optional): Scan scope — one of:$0
,all
,secrets
,injection
,auth
,config
,deps
,ai
,mobile
. Defaults todata
.all
(optional): Path to scan. Defaults to the project root.$1
If
$ARGUMENTSallExecution Plan
Step 1: Tech Stack Detection
Before scanning, detect the project's tech stack by checking for indicator files. This determines which language-specific checks to run.
| Indicator File | Stack | Scan Focus |
|---|---|---|
| Node.js/JS/TS | npm patterns, XSS sinks, eval, child_process |
| Python | pickle, subprocess, Jinja2, Django/Flask patterns |
| Java/Kotlin | JDBC injection, ObjectInputStream, Spring patterns |
| Ruby | Marshal, system(), ERB patterns |
| Go | fmt.Sprintf in SQL, crypto patterns |
| Rust | unsafe blocks, FFI |
| PHP | exec, unserialize, include with vars |
| .NET | BinaryFormatter, SqlCommand concat |
| Android | exported components, cleartext, SharedPreferences |
| iOS | NSUserDefaults, ATS bypass |
| Docker | FROM :latest, root user, secrets in build |
| Terraform | public ACLs, open CIDR |
| Next.js | SSR-specific checks |
| Flutter/Dart | Dart-specific mobile checks |
Use
GlobStep 2: Run Scans by Priority
Run the scans below in order. If a scope argument was provided, only run that specific scan module. Use the patterns from patterns.md for each module.
For each scan module, use
Grepnode_modules/vendor/.git/dist/build/__pycache__/.venv/venv/.next/.nuxt/target/Pods/.gradle/Module 1: SECRETS (Critical Priority)
Scan for hardcoded API keys, tokens, private keys, credentials, database connection strings, and committed secret files. See patterns.md Section 1.
Also check:
- Whether
files exist in the repo (they should be gitignored).env - Whether
covers.gitignore
,.env*
,*.pem
,*.key
,*.p12credentials*.json - Whether any
,*.pem
,*.key
,*.p12
,*.pfx
files are present*.jks
Module 2: INJECTION (Critical Priority)
Scan for SQL injection, XSS, command injection, SSRF, insecure deserialization, and path traversal patterns. See patterns.md Section 2.
Module 3: AUTH (High Priority)
Scan for JWT misuse, weak password handling, insecure session config, broken access control. See patterns.md Section 3.
Module 4: CONFIG (High Priority)
Scan for CORS misconfiguration, missing security headers, exposed debug endpoints, insecure TLS, Docker issues, Kubernetes/Terraform misconfig. See patterns.md Section 4.
Module 5: DEPS (High Priority)
Check dependency manifests for:
- Missing lockfiles alongside manifests
- Suspicious install scripts in package.json (
/preinstall
with curl/wget/bash)postinstall - Known risky or deprecated packages
Module 6: AI (High Priority)
Scan for AI-specific issues: hardcoded AI API keys, prompt injection vectors, eval/exec of LLM output, system prompt leakage, excessive agent permissions. See patterns.md Section 5.
Module 7: MOBILE (High Priority — only if Android/iOS detected)
Scan for insecure data storage, missing certificate pinning, cleartext traffic, debug flags, weak crypto. See patterns.md Section 6.
Module 8: DATA (Medium Priority)
Scan for PII in logs, sensitive data in URLs, plaintext HTTP to external hosts. See patterns.md Section 7.
Step 3: Generate Report
After all scans complete, produce a structured report.
Report Format
Start with a summary banner:
============================================ SECURITY SWEEP REPORT Project: <project name> Scanned: <date> Tech Stack: <detected stacks> ============================================ SUMMARY CRITICAL: <count> HIGH: <count> MEDIUM: <count> LOW: <count> INFO: <count> TOTAL: <count> ============================================
Then list findings grouped by severity (CRITICAL first), with this format for each:
[SEVERITY] CATEGORY — Finding Title File: path/to/file.ext:line_number Evidence: <the matching code snippet, max 2 lines> Risk: <1-sentence explanation of the attack scenario> Fix: <specific remediation with code example> Ref: <CWE or OWASP reference>
After the findings, include:
- Top 3 Priorities — The 3 most impactful issues to fix first, with reasoning
- Positive Findings — Security practices the project is doing well (e.g., using parameterized queries, proper .gitignore, CSP headers present)
- Recommendations — General security improvements not tied to a specific finding
Important Guidelines
- Minimize false positives: When a pattern match looks like it might be a false positive (e.g., a test file, a comment, an example/documentation), note it as
rather than flagging it at high severity. Use your contextual understanding of the code to distinguish real issues from benign matches.[INFO] - Read files for context: When a grep match is ambiguous, use
to examine surrounding code before classifying severity. For example, aRead
in a test fixture is lower risk than one in a web endpoint.pickle.load() - Skip vendored/generated code: Do not flag issues in
,node_modules/
, generated files, or lock files.vendor/ - Be framework-aware: Understand that some frameworks have built-in protections (e.g., Django ORM prevents SQL injection, React escapes by default, Angular sanitizes innerHTML). Adjust severity accordingly.
- Deduplicate: If the same pattern appears many times (e.g.,
in 20 files), group them as one finding with a count rather than listing each separately.console.log(req.body)