Security
Security scanning and vulnerability detection
visual-audit
by clearsmog
Adversarial visual layout audit of documents and slides. Checks overflow, font consistency, component fatigue, and spacing. Supports .tex, .qmd, and .typ files.
sast-bandit
by vchirrav
Run Bandit SAST scans on Python code. Detects common security issues like SQL injection, hardcoded passwords, exec usage, and insecure crypto.
mobile-security-mobsf
by vchirrav
Run MobSF (Mobile Security Framework) for automated static and dynamic analysis of Android and iOS apps. Detects insecure storage, weak crypto, hardcoded secrets, and permission issues.
sast-cargo-audit
by vchirrav
Run cargo-audit and cargo-geiger on Rust code. Audits dependencies for known vulnerabilities and detects unsafe code usage for memory safety review.
secret-scan-gitleaks
by vchirrav
Run Gitleaks to detect hardcoded secrets in git repositories. Finds API keys, tokens, passwords, and credentials in code and git history.
sca-grype
by vchirrav
Run Anchore Grype for SCA vulnerability scanning on filesystems and container images. Matches dependencies against multiple vulnerability databases (NVD, GitHub, OS advisories).
cloud-security-prowler
by vchirrav
Run Prowler for comprehensive cloud security posture assessment. Audits AWS, Azure, and GCP against CIS Benchmarks, PCI-DSS, HIPAA, GDPR, and other compliance frameworks.
tech-stack-evaluator
by chaorenex1
Comprehensive technology stack evaluation and comparison tool with TCO analysis, security assessment, and intelligent recommendations for engineering teams.
evaluation-criteria
by masanao-ohba
Defines evaluation criteria and scoring methodologies for deliverable assessment.
x-content-optimizer
by NewmanXBT
Audit and optimize tweets, X articles, and threads for X's recommendation algorithm. Use when user wants to review content before posting, improve engagement potential, or get algorithm-friendly suggestions. Triggers on /x-content-optimizer or requests to "review tweet", "optimize for X algorithm", "audit my post", or "improve engagement".
malware-scan-yara
by vchirrav
Run YARA rules for pattern-based malware identification. Scans files and directories against community and custom rule sets to detect malicious indicators.
factory-review
by jwilger
Structures the human review experience for factory-mode builds. Audit trail summaries, PR digests, retrospective synthesis, quality trend tracking, and autonomy tuning interface. Activate during Phase 3 human review.
sast-semgrep
by vchirrav
Run Semgrep SAST scans on code. Supports 30+ languages with OWASP, security, and custom rulesets. Parses results and provides remediation guidance.
dependency-confusion-detect
by vchirrav
Run Confused and GuardDog to detect dependency confusion and typosquatting risks. Checks if internal package names exist on public registries and identifies malicious packages.
license-scan-scancode
by vchirrav
Run ScanCode Toolkit for comprehensive license and copyright detection. Identifies license types, copyright holders, and compliance obligations across codebases.
vulnerability-scan
by ymd38
Run an offensive security audit (OWASP-based) using Semgrep and produce a read-only vulnerability report. Use before committing code to detect Broken Access Control, Injection (SQL/NoSQL/OS/Template), Frontend Security issues (XSS/CSP/HSTS), SSRF, and hardcoded secrets or PII exposure. Triggers on requests like "security scan", "vulnerability check", "audit security", "find vulnerabilities", "/vulnerability-scan", or when asked for an offensive security review of the codebase. Does NOT modify any code — read-only inspection only.
secure-coding-generate
by vchirrav
Generate secure code following OWASP Secure Coding rules. Automatically detects the security domain and produces code with inline Rule ID citations (e.g., [INPUT-04], [AUTH-07]) plus a rules-applied summary.
secret-scan-trufflehog
by vchirrav
Run TruffleHog to detect secrets in git repos, filesystems, and S3 buckets. Uses verification to confirm if detected secrets are live/active.
license-auditor
by famaoai-creator
Output path for license report
uv-deps
by WhatIfWeDigDeeper
Maintain Python packages through security audits or dependency updates on a dedicated branch using uv. Use for: security audits, CVE fixes, vulnerability checks, dependency updates, package upgrades, outdated packages, bump versions, fix Python vulnerabilities, check for Python CVEs, audit Python packages, update pyproject.toml dependencies, modernize Python deps, or when user types "/uv-deps" with or without specific package names or glob patterns. Use "help" or "--help" to show options.
investor-readiness-audit
by famaoai-creator
Output file path
financial-modeling-maestro
by famaoai-creator
Output file path
security-hardening
by StealthyLabsHQ
Audit/harden app, infra, AI, privacy. Triggers: OWASP, XSS, SQLi, SSRF, auth/JWT, IDOR, secrets, deps, API, CI/CD, supply chain, cloud, K8s, IaC, AI IDE, browser builder, no-code, LLM/MCP, prompt injection, system prompt leakage, RAG poisoning, tool misuse, excessive agency, GDPR.
@tank/auth-patterns
by tankpkg
Authentication and authorization patterns for any language or framework. Covers JWT internals (structure, algorithms, attacks, validation), OAuth2 grant types (Authorization Code, PKCE, Client Credentials, Device Code), session management (cookies, expiry, fixation, distributed), RBAC/ABAC/ReBAC (role modeling, authorization policies, Zanzibar), OpenID Connect and social login (ID tokens, account linking, provider patterns), MFA (TOTP, WebAuthn/passkeys, backup codes, step-up auth), and authentication security (XSS/CSRF, token storage, credential stuffing, rate limiting). Synthesizes RFC 6749, RFC 7519, RFC 6238, W3C WebAuthn Level 2, NIST SP 800-63B, and OWASP Authentication/CSRF cheat sheets. Trigger phrases: "JWT", "OAuth2", "OAuth 2.0", "session management", "RBAC", "ABAC", "role-based access", "authorization model", "OpenID Connect", "OIDC", "social login", "MFA", "multi-factor authentication", "TOTP", "WebAuthn", "passkeys", "refresh token", "access token", "PKCE", "auth flow", "implement authentication", "implement auth", "sign in with", "cookie security", "HttpOnly", "SameSite", "token storage", "XSS auth", "CSRF protection", "credential stuffing", "account linking", "backup codes", "permission system", "login security", "password hashing"