OpenSkillIndex← back to search
claude-code

Agentic-qe security-watch

Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.

install
source · Clone the upstream repo
git clone https://github.com/proffesor-for-testing/agentic-qe
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/proffesor-for-testing/agentic-qe "$T" && mkdir -p ~/.claude/skills && cp -r "$T/assets/skills/security-watch" ~/.claude/skills/proffesor-for-testing-agentic-qe-security-watch-bdc242 && rm -rf "$T"
manifest: assets/skills/security-watch/SKILL.md
source content

Security Watch Mode

When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.

What It Does

Flags or blocks writes containing:

  • Secrets: API keys, passwords, tokens, private keys in source code
  • Dangerous functions: 
    eval()
    , 
    Function()
    , 
    innerHTML
    , 
    dangerouslySetInnerHTML
  • Injection vectors: Unsanitized template literals in SQL/shell commands
  • Insecure config: 
    http://
    URLs, disabled TLS verification, 
    *
    CORS origins

Activation

/security-watch

Hook Configuration

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
      }
    ]
  }
}

Detection Patterns

#!/bin/bash
# scan-security.sh
CONTENT="$1"
ISSUES=0

# Secrets detection
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Dangerous functions
DANGER_PATTERNS=(
  '\beval\s*\('
  '\bFunction\s*\('
  '\.innerHTML\s*='
  'dangerouslySetInnerHTML'
  'child_process.*exec\('
  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
)

for pattern in "${DANGER_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "WARNING: Dangerous pattern detected: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

if [ $ISSUES -gt 0 ]; then
  echo "Found $ISSUES security issues. Review before proceeding."
  exit 1
fi

Gotchas

  • False positives on test fixtures that intentionally contain patterns like 
    eval()
    — use 
    // security-watch:ignore
    comment
  • Base64-encoded secrets won't be caught — this scans for plaintext patterns only
  • Template literal injection detection has false positives on safe string interpolation — review warnings carefully
  • This is a first line of defense, not a replacement for proper security review