© 2026 – Pkg Stats / Ryan Hefner

security-analysis-skill

v2.0.0

Published

Security audit skill for 11 AI coding agents — OWASP Top 10, Laravel, Next.js, ASP.NET, React, GraphQL

Downloads

244

Readme

security-analysis-skill

A security audit skill for 11 AI coding agents. Performs a comprehensive, evidence-based security audit of your codebase following the OWASP Top 10 (2021) with framework-specific checks for Laravel, Next.js, ASP.NET Core C#, React, and GraphQL.

Supported Agents

| Agent | Scope | Instruction file |
|---|---|---|
| GitHub Copilot | User | ~/.agents/skills/security-analysis-skill/ |
| Claude Code | User | ~/.claude/CLAUDE.md |
| Codex CLI | User | ~/.codex/instructions.md |
| Cursor | User | ~/.cursor/rules/security-analysis-skill.mdc |
| Gemini CLI | User | ~/.gemini/GEMINI.md |
| Zed | Project (cwd) | .rules |
| Windsurf | Project (cwd) | .windsurfrules |
| Cline | Project (cwd) | .clinerules |
| Aider | Project (cwd) | CONVENTIONS.md |
| Continue.dev | Project (cwd) | .continuerules |
| Amazon Q Developer | Project (cwd) | .amazonq/rules/security-analysis.md |

User-scoped agents are configured once and active in every project.
Project-scoped agents are configured per-project — run the install command inside the project you want to audit.

Install

npx security-analysis-skill
pnpm dlx security-analysis-skill

Installs for all 10 agents by default. Target specific agents with --agent=:

# Single agent
npx security-analysis-skill --agent=copilot

# Multiple agents
npx security-analysis-skill --agent=claude,cursor,codex

# Only user-level agents (global, all projects)
npx security-analysis-skill --agent=user

# Only project-level agents (run inside your project directory)
npx security-analysis-skill --agent=project

Uninstall

# All agents
npx security-analysis-skill --uninstall

# Specific agents
npx security-analysis-skill --uninstall --agent=cursor,claude

Usage

After installing, restart your editor or agent, then ask:

"audit my code for security issues"

GitHub Copilot users can also use the slash command: /security-analysis-skill

The skill produces a structured checklist report with ✅ PASS, ❌ FAIL, ⚠️ PARTIAL, or ➖ N/A for each check.

What It Checks

| Category | Checks |
|---|---|
| Secrets & Configuration | Hardcoded secrets, .env in git, secrets management |
| Authentication & Sessions | Password hashing, session handling, JWT security |
| Authorisation | IDOR, privilege escalation, role-based access |
| Input Validation & Injection | SQLi, SSTI, command injection, file uploads |
| XSS | Output escaping, CSP, dangerouslySetInnerHTML |
| CSRF | Token validation, SameSite cookies |
| Security Headers | HSTS, X-Frame-Options, CSP, COOP, CORP |
| Cryptography | TLS enforcement, weak ciphers, encryption at rest |
| Dependencies | Known CVEs, lockfiles, abandoned packages |
| Error Handling & Logging | Stack trace exposure, sensitive data in logs |
| Rate Limiting & DoS | API rate limits, upload limits, ReDoS |
| SSRF | URL allowlists, private IP blocking |
| Open Redirects | Redirect validation, return URL restrictions |
| CORS | Wildcard origins, credential leaks |
| Deserialization | Unsafe deserializers, type discrimination |
| XXE | External entity resolution, DTD processing |
| Exposed Files | .git/ access, backup files, debug pages |
| Deployment | Container security, debug ports, CI/CD secrets |
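To make the report format concrete, here is an added example (not code from the security-analysis-skill package) that implements three checks from the table above and returns the same PASS / FAIL / PARTIAL / N/A verdicts the skill's checklist uses. The repository, the secret patterns and the sanitizer heuristic are all constructed for the example.

```javascript
// Added example, not part of security-analysis-skill: three checks from the
// "What It Checks" table, each returning a verdict plus the files it found.
// The repository is a constructed map of path -> file contents, so it runs offline.
const STATUS = { PASS: "✅ PASS", FAIL: "❌ FAIL", PARTIAL: "⚠️ PARTIAL", NA: "➖ N/A" };
// Constructed patterns for credential literals in source code.
const SECRET_PATTERNS = [/(?:api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']/i, /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/];

// Secrets & Configuration: credential literals in source (.env itself is checked below).
function checkHardcodedSecrets(repo) {
  const hits = Object.entries(repo)
    .filter(([path, body]) => path !== ".env" && SECRET_PATTERNS.some((re) => re.test(body)))
    .map(([path]) => path);
  return { status: hits.length ? STATUS.FAIL : STATUS.PASS, evidence: hits };
}

// Secrets & Configuration: .env must be git-ignored; N/A when the project has no .env.
function checkDotenvIgnored(repo) {
  if (!(".env" in repo)) return { status: STATUS.NA, evidence: [] };
  const rules = (repo[".gitignore"] || "").split(/\r?\n/).map((l) => l.trim());
  const ignored = rules.some((l) => [".env", "*.env", ".env*"].includes(l));
  return { status: ignored ? STATUS.PASS : STATUS.FAIL, evidence: ignored ? [] : [".env"] };
}

// XSS: dangerouslySetInnerHTML is FAIL if any use is unsanitized, PARTIAL when every use
// passes through a sanitizer (still a raw-HTML sink that needs review), N/A if unused.
function checkDangerousHtml(repo) {
  const uses = [];
  for (const [path, body] of Object.entries(repo)) {
    for (const m of body.matchAll(/dangerouslySetInnerHTML=\{\{\s*__html:\s*([^}]*)\}\}/g)) {
      uses.push({ path, sanitized: /sanitize|DOMPurify/i.test(m[1]) });
    }
  }
  if (!uses.length) return { status: STATUS.NA, evidence: [] };
  const raw = uses.filter((u) => !u.sanitized).map((u) => u.path);
  return { status: raw.length ? STATUS.FAIL : STATUS.PARTIAL, evidence: raw };
}

// Runs every check and returns the checklist the report is rendered from.
function audit(repo) {
  return { "Hardcoded secrets": checkHardcodedSecrets(repo), ".env in git": checkDotenvIgnored(repo),
           "dangerouslySetInnerHTML": checkDangerousHtml(repo) };
}

// Constructed sample repository, not a real project.
const SAMPLE_REPO = {
  ".gitignore": "node_modules/\n.env\n",
  ".env": "DB_PASSWORD=example-only\n",
  "src/config.js": 'export const apiKey = "sk_live_0123456789abcdef";\n',
  "src/Post.jsx": "<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.body) }} />\n",
};
for (const [name, r] of Object.entries(audit(SAMPLE_REPO))) console.log(r.status, name, r.evidence);
```

Running it prints one checklist line per check; the sample repo fails on the literal key in src/config.js, passes the .env check because .gitignore covers it, and gets PARTIAL for the sanitized innerHTML sink.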

License

MIT