[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80226":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":35,"discoverSource":36},80226,"skill-file-security","Netxeo\u002Fskill-file-security","Netxeo","One command. 29 battle-tested security checks built into every AI coding assistant you already use without leaving your IDE.","https:\u002F\u002Fsecurity.ai-dev-skills.com\u002F",null,"JavaScript",63,8,1,0,2,2.86,false,"main",true,[22,23,24,25,26,27,28,29,30,31],"ai","claude","claude-code","cli","cursor","cwe","javascript","nextjs","owasp","security","2026-06-12 02:03:59","\u003Cdiv align=\"center\">\n\n```\n███████╗███████╗ ██████╗██╗   ██╗██████╗ ██╗████████╗██╗   ██╗\n██╔════╝██╔════╝██╔════╝██║   ██║██╔══██╗██║╚══██╔══╝╚██╗ ██╔╝\n███████╗█████╗  ██║     ██║   ██║██████╔╝██║   ██║    ╚████╔╝ \n╚════██║██╔══╝  ██║     ██║   ██║██╔══██╗██║   ██║     ╚██╔╝  \n███████║███████╗╚██████╗╚██████╔╝██║  ██║██║   ██║      ██║   \n╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝╚═╝   ╚═╝      ╚═╝   \n                         🔐 S K I L L\n```\n\n**Your AI coding assistant just became a security engineer.**\n\n🌐 **[Visit the Official Website](https:\u002F\u002Fskill-file-security-website.vercel.app)**\n\n[![npm](https:\u002F\u002Fimg.shields.io\u002Fnpm\u002Fv\u002F@netxeo\u002Fsecurity-skill?color=red&label=npm)](https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002F@netxeo\u002Fsecurity-skill)\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-yellow.svg)](LICENSE)\n[![OWASP Top 10](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FOWASP-Top%2010%20✓-red)](https:\u002F\u002Fowasp.org\u002FTop10\u002F)\n[![CWE Top 25](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FCWE-Top%2025%20✓-orange)](https:\u002F\u002Fcwe.mitre.org\u002Ftop25\u002F)\n[![ASVS Level 3](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FASVS-Level%203%20✓-blue)](https:\u002F\u002Fowasp.org\u002Fasvs)\n[![PRs Welcome](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPRs-welcome-brightgreen.svg)](CONTRIBUTING.md)\n\n\u003C\u002Fdiv>\n\n---\n\n## Install it. Right now.\n\nInteractive mode (Smart 5-question setup):\n```bash\nnpx @netxeo\u002Fsecurity-skill\n```\n*The interactive mode automatically detects your stack (Next.js, Supabase, Docker, etc.) and asks you 5 simple questions to install **only** the security rules you actually need.*\n\nFast mode (Silent install, bypasses prompts and installs all rules):\n```bash\nnpx @netxeo\u002Fsecurity-skill --yes       # Installs everywhere (silent)\nnpx @netxeo\u002Fsecurity-skill --all       # Same as --yes\nnpx @netxeo\u002Fsecurity-skill --claude    # Claude only\nnpx @netxeo\u002Fsecurity-skill --cursor    # Cursor only\nnpx @netxeo\u002Fsecurity-skill --windsurf\nnpx @netxeo\u002Fsecurity-skill --cline\nnpx @netxeo\u002Fsecurity-skill --copilot\n```\n\nThat's it. Run this in any project. Then type `\u002Fsecurity-scan` in your AI.\n\n---\n\n## What just happened?\n\n```\n📦 Installing security-skill...\n\n  ✅ Skill files installed → .skills\u002Fsecurity\u002F\n  ✅ memory-security.md created\n  ✅ .gitignore updated (6 security entries added)\n\n  Configuring AI assistants...\n  ✅ CLAUDE.md created              ← Claude \u002F Antigravity\n  ✅ AGENTS.md created              ← OpenAI Codex CLI\n  ✅ GEMINI.md created              ← Gemini Code Assist\n  ✅ .cursorrules created           ← Cursor\n  ✅ .cursor\u002Frules\u002Fsecurity.mdc     ← Cursor (new format)\n  ✅ .windsurfrules created         ← Windsurf\n  ✅ .clinerules created            ← Cline\n  ✅ .github\u002Fcopilot-instructions.md ← GitHub Copilot+\n  ✅ .continue\u002Fconfig.yaml created  ← Continue.dev\n\n  ⚡ Run \u002Fsecurity-scan in your AI to get started!\n```\n\nYour AI now knows 25 security categories. It will flag vulnerabilities **while you code**, not after.\n\n---\n\n## See it in action\n\n```\nYou: \u002Fsecurity-audit\n\n╔══════════════════════════════════════════════════╗\n║      🔐  SECURITY AUDIT — myproject              ║\n║         Stack: Next.js · Supabase · Vercel        ║\n╠══════════════════════════════════════════════════╣\n║                                                   ║\n║  SECURITY SCORE  :  61 \u002F 100  🟠                  ║\n║                                                   ║\n╠══════════════════════════════════════════════════╣\n║  🔴  Secrets & Files          12\u002F20  ← FIX NOW   ║\n║  🟢  Auth & Sessions          16\u002F20              ║\n║  🔴  Database (Supabase RLS)   8\u002F20  ← FIX NOW   ║\n║  🟡  HTTP Headers             12\u002F20              ║\n║  🟢  Source Code              18\u002F20              ║\n║  ...  20 more categories...                       ║\n╠══════════════════════════════════════════════════╣\n║  🔴 2 critical  🟠 3 high  🟡 4 medium           ║\n╚══════════════════════════════════════════════════╝\n\n🔴 CRITICAL #1 — Supabase service role key in frontend code\n   Found: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY in .env.local\n   Risk:  Full database access exposed to browser\n   Fix:   \u002Fsecurity-fix supabase-key\n\n🔴 CRITICAL #2 — RLS disabled on 3 tables\n   Found: users, orders, messages (no row-level security)\n   Risk:  Any authenticated user can read all data\n   Fix:   \u002Fsecurity-fix rls\n\n📄 Full report → security-report.md\n```\n\n---\n\n## Commands\n\n| Command | What it does |\n|---|---|\n| `\u002Fsecurity-scan` | 30-second scan, critical issues only |\n| `\u002Fsecurity-audit` | Full audit + score \u002F100 + report file |\n| `\u002Fsecurity-fix` | Applies fixes — always asks before touching code |\n| `\u002Fsecurity-status` | Score history from `memory-security.md` |\n| `\u002Fsecurity-history` | Shows before→after audit comparison to prove value |\n| `\u002Fsecurity-incident` | Full incident response playbook |\n\n---\n\n## Coverage\n\n> **100% of OWASP, 100% of CWE Top 25 — without installing a single extra tool.**\n\n\u003Cdetails>\n\u003Csummary>📋 CWE Top 25 — Full list\u003C\u002Fsummary>\n\n| # | CWE | What we check |\n|---|---|---|\n| 1 | CWE-787 Out-of-bounds Write | Buffer.alloc(), safe allocation |\n| 2 | CWE-79 XSS | textContent vs innerHTML, CSP nonces |\n| 3 | CWE-89 SQL Injection | Parameterized queries everywhere |\n| 4 | CWE-416 Use After Free | Event listener cleanup, memory lifecycle |\n| 5 | CWE-78 OS Command Injection | execFile() with argument arrays |\n| 6 | CWE-20 Improper Input Validation | Allowlists, schema validation (Zod) |\n| 7 | CWE-125 Out-of-bounds Read | Buffer bounds, user-controlled sizes |\n| 8 | CWE-22 Path Traversal | Path normalization, filename sanitization |\n| 9 | CWE-352 CSRF | SameSite cookies + Sec-Fetch headers |\n| 10 | CWE-434 Unrestricted Upload | MIME from bytes, size limits, web root |\n| 11 | CWE-862 Missing Authorization | All routes checked for auth middleware |\n| 12 | CWE-476 NULL Pointer Dereference | Null safety patterns on DB results |\n| 13 | CWE-287 Improper Authentication | bcrypt cost, timing attacks, lockout |\n| 14 | CWE-190 Integer Overflow | Price\u002Fquantity bounds validation |\n| 15 | CWE-502 Deserialization | pickle.loads, yaml.load → safe_load |\n| 16 | CWE-77 Command Injection | No shell: true, no string commands |\n| 17 | CWE-119 Buffer Overflow | Buffer.alloc vs new Buffer |\n| 18 | CWE-798 Hard-coded Credentials | Secret scanning in all files |\n| 19 | CWE-918 SSRF | URL allowlist before any fetch() |\n| 20 | CWE-306 Missing Auth Check | Route-level auth middleware scan |\n| 21 | CWE-362 Race Condition | Atomic ops, distributed locks |\n| 22 | CWE-269 Privilege Mismanagement | Least privilege, no root in Docker |\n| 23 | CWE-94 Code Injection | No eval(), new Function(), dynamic require |\n| 24 | CWE-863 Incorrect Authorization | Ownership check on every resource |\n| 25 | CWE-276 Incorrect Permissions | File\u002FDB\u002Fcontainer permissions |\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>📋 OWASP Coverage — 7 lists\u003C\u002Fsummary>\n\n- ✅ **OWASP Web Top 10** (2025)\n- ✅ **OWASP API Security Top 10**\n- ✅ **OWASP Mobile Top 10**\n- ✅ **OWASP LLM\u002FAI Top 10**\n- ✅ **OWASP Docker Top 10**\n- ✅ **OWASP Serverless Top 10**\n- ✅ **OWASP Cloud-Native Top 10**\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>📋 All 25 security categories\u003C\u002Fsummary>\n\n```\n01  Secrets & Files         08  Deployment & CI\u002FCD     15  DNS & Email\n02  Network & CORS          09  Docker Security         16  Supply Chain\n03  HTTP Headers            10  Protocols (GQL\u002FWS)      17  Mobile Security\n04  Auth & Sessions         11  Advanced Attacks        18  Compliance & GDPR\n05  Cryptography            12  All Injections          19  Monitoring & Honeytokens\n06  JWT Security            13  Race Conditions         20  Serverless & Edge\n07  Database Security       14  File Upload             21  Source Code Analysis\n                                                        22  AI\u002FLLM Security\n                                                        23  Bot & DDoS\n                                                        24  Browser APIs\n                                                        25  Modern Security\n```\n\n\u003C\u002Fdetails>\n\n---\n\n## Compatible with your AI\n\nWorks out-of-the-box with every major AI coding assistant. No manual setup.\n\n| AI Assistant | Auto-configured via |\n|---|---|\n| Claude \u002F Antigravity | `CLAUDE.md` |\n| Cursor | `.cursorrules` + `.cursor\u002Frules\u002Fsecurity.mdc` |\n| GitHub Copilot+ | `.github\u002Fcopilot-instructions.md` |\n| Windsurf | `.windsurfrules` |\n| Cline | `.clinerules` |\n| OpenAI Codex CLI | `AGENTS.md` |\n| Continue.dev | `.continue\u002Fconfig.yaml` |\n| Aider | `.aider.conf.yml` |\n| Gemini Code Assist | `GEMINI.md` |\n\n---\n\n## How it works\n\n```\n1.  npx @netxeo\u002Fsecurity-skill\n    └─ installs 29 security instruction files to .skills\u002Fsecurity\u002F\n    └─ creates memory-security.md (tracks your score over time)\n    └─ creates AI config files for every assistant on your machine\n    └─ hardens .gitignore\n\n2.  \u002Fsecurity-scan\n    └─ AI reads skill.md\n    └─ auto-detects your stack (Next.js? Express? Docker? Firebase?)\n    └─ runs the right checks for YOUR specific setup\n    └─ gives you a prioritized list, most critical first\n\n3.  \u002Fsecurity-fix\n    └─ shows you the diff\n    └─ always asks before modifying anything\n    └─ zero breaking changes guaranteed\n```\n\n---\n\n## What developers say after their first scan\n\n> *\"Found a Supabase RLS misconfiguration that would have exposed all user data.\"*\n\n> *\"Caught a hardcoded OpenAI key that was about to go to production.\"*\n\n> *\"Finally understand what CSP headers actually do.\"*\n\n---\n\n## Philosophy\n\n**🎯 Signal vs Noise** — Highly selective. Prioritizes practical fixes and avoids overwhelming you with overly strict or theoretical noise.\n\n**🧠 Semantic Analysis** — Catches business logic flaws and context-dependent vulnerabilities that static analysis tools (like SonarQube) completely miss.\n\n**🛡️ AI Blind Spot Override** — Forces LLMs to check rate-limiting and complex session fixation (ASVS L3), which they naturally ignore.\n\n**🔧 Non-destructive** — Never auto-applies changes. You approve every fix.\n\n**📚 Educational** — Explains *why* something is risky in simple terms instead of blindly giving patches, helping you actually learn.\n\n**⚡ Zero setup** — No config, no API keys, no cloud service. Pure AI instructions.\n\n**🔄 Living memory** — `memory-security.md` tracks your score across sessions.\n\n**🌍 Stack-agnostic** — Works on Next.js, Express, Django, Laravel, Rails, Spring Boot, and more.\n\n---\n\n## Security Score\n\nAfter your first audit, your score lives in `memory-security.md`:\n\n```\n| Date       | Score  | Critical | High | Notes              |\n|------------|--------|----------|------|--------------------|\n| 2025-05-01 | 61\u002F100 | 2        | 3    | First audit        |\n| 2025-05-03 | 84\u002F100 | 0        | 1    | Fixed RLS + secret |\n| 2025-05-10 | 97\u002F100 | 0        | 0    | 🟢 Excellent        |\n```\n\n---\n\n## Updating & Custom Rules\n\nTo update to the latest security checks, simply re-run the installation:\n\n```bash\nnpx @netxeo\u002Fsecurity-skill@latest\n```\n\n**⚠️ Important:** \n- This command will cleanly overwrite the `.skills\u002Fsecurity\u002F` folder to provide the newest AI instructions. \n- **Do not modify files inside `.skills\u002Fsecurity\u002F` manually.**\n- Your score history is safe. The installer will **never** overwrite your `memory-security.md` file.\n- **Custom Rules:** If you need to add your own company-specific security rules, add them to the `## Custom Rules` section inside your `memory-security.md` file. The AI will always read them from there.\n\n---\n\n## Contributing\n\nFound a missing vulnerability pattern? Open a PR.\n\nThe skill is 29 Markdown files. No build step. No TypeScript. Just knowledge.\n\n```\ninstructions\u002F\n├── 01-secrets-management.md\n├── 07-database-security.md\n├── 22-ai-llm-security.md\n└── ... 26 more\n```\n\n---\n\n## License\n\nMIT — free forever.\n\n---\n\n\u003Cdiv align=\"center\">\n\n**[⭐ Star this repo](https:\u002F\u002Fgithub.com\u002FNetxeo\u002Fsecurity-skill)** if it helped you catch a bug before production.\n\n*Covers: CWE Top 25 · OWASP Top 10 (7 lists) · ASVS Level 1-2-3*\n\n\u003C\u002Fdiv>\n","Netxeo\u002Fskill-file-security 项目为开发者提供了一个命令行工具，能够将29项经过实战验证的安全检查集成到现有的AI编码助手之中，无需离开IDE即可使用。其核心功能在于通过简单的安装步骤，自动识别项目技术栈并配置相应的安全规则，支持包括Claude、Cursor在内的多种AI辅助工具。基于JavaScript构建，该项目遵循OWASP Top 10和CWE Top 25等权威安全标准，适用于需要增强代码安全性但又不想中断开发流程的场景，特别适合那些希望在编码过程中即时发现潜在安全问题的团队或个人开发者。","2026-06-11 03:59:44","CREATED_QUERY"]