Agent-Skills.md

Agent Skills: Security Watch Mode

Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning.

UncategorizedID: proffesor-for-testing/agentic-qe/security-watch

Repository

proffesor-for-testing/agentic-qe
proffesor-for-testingLicense: MIT
28258

Install this agent skill to your local

pnpm dlx add-skill https://github.com/proffesor-for-testing/agentic-qe/tree/HEAD/assets/skills/security-watch

Skill Files

Browse the full folder contents for security-watch.

Download Skill

Loading file tree…

assets/skills/security-watch/SKILL.md

Skill Metadata

Name
security-watch
Description
"Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning."

Security Watch Mode

When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.

What It Does

Flags or blocks writes containing:

  • Secrets: API keys, passwords, tokens, private keys in source code
  • Dangerous functions: eval(), Function(), innerHTML, dangerouslySetInnerHTML
  • Injection vectors: Unsanitized template literals in SQL/shell commands
  • Insecure config: http:// URLs, disabled TLS verification, * CORS origins

Activation

/security-watch

Hook Configuration

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
      }
    ]
  }
}

Detection Patterns

#!/bin/bash
# scan-security.sh
CONTENT="$1"
ISSUES=0

# Secrets detection
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

# Dangerous functions
DANGER_PATTERNS=(
  '\beval\s*\('
  '\bFunction\s*\('
  '\.innerHTML\s*='
  'dangerouslySetInnerHTML'
  'child_process.*exec\('
  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
)

for pattern in "${DANGER_PATTERNS[@]}"; do
  if echo "$CONTENT" | grep -qP "$pattern"; then
    echo "WARNING: Dangerous pattern detected: $pattern"
    ISSUES=$((ISSUES + 1))
  fi
done

if [ $ISSUES -gt 0 ]; then
  echo "Found $ISSUES security issues. Review before proceeding."
  exit 1
fi

Gotchas

  • False positives on test fixtures that intentionally contain patterns like eval() — use // security-watch:ignore comment
  • Base64-encoded secrets won't be caught — this scans for plaintext patterns only
  • Template literal injection detection has false positives on safe string interpolation — review warnings carefully
  • This is a first line of defense, not a replacement for proper security review