diff options
| author | Craig Jennings <c@cjennings.net> | 2026-05-06 06:17:08 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-06 06:17:08 -0500 |
| commit | aa6924591127970d3241ab6b1a50f4bab457da27 (patch) | |
| tree | 7e97590f711a173c8e7adfdff99e8d8298e64605 /security-check | |
| parent | ce66de633129abc94df03ab5da91ba2ca2e93330 (diff) | |
| download | rulesets-aa6924591127970d3241ab6b1a50f4bab457da27.tar.gz rulesets-aa6924591127970d3241ab6b1a50f4bab457da27.zip | |
refactor(skills): convert 16 user-invoked skills to commands
I converted 16 user-invoked skills to commands. Skills cost ~150-300 tokens each per session for descriptions the model uses to auto-route. Commands cost nothing until you type the slash. These 16 are workflows I always trigger deliberately. The auto-routing wasn't earning its keep. This reclaims ~4-5k tokens per session.
Nine skills stayed where auto-routing genuinely helps: debug, root-cause-trace, five-whys, add-tests, frontend-design, humanizer, playwright-js, playwright-py, and pairwise-tests. Pairwise-tests stays a skill because its helper files don't fit a single-file command shape.
For arch-decide, I preserved the upstream MIT LICENSE alongside the command at .claude/commands/arch-decide.LICENSE so attribution stays intact.
Diffstat (limited to 'security-check')
| -rw-r--r-- | security-check/SKILL.md | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/security-check/SKILL.md b/security-check/SKILL.md deleted file mode 100644 index ca431e0..0000000 --- a/security-check/SKILL.md +++ /dev/null @@ -1,48 +0,0 @@ -# /security-check — Audit Changes for Security Issues - -Scan staged or recent changes for secrets, OWASP vulnerabilities, and dependency risks. - -## Usage - -``` -/security-check [FILE_OR_DIRECTORY] -``` - -If no argument is given, audit all staged changes (`git diff --cached`). If there are no staged changes, audit the diff from the last commit. - -## Instructions - -1. **Gather the changes** to audit: - - Staged changes: `git diff --cached` - - Or last commit: `git diff HEAD~1` - - Or specific path if provided - -2. **Check for hardcoded secrets** — scan for patterns: - - AWS access keys (`AKIA...`) - - Generic secret patterns (`sk-`, `sk_live_`, `sk_test_`) - - Password assignments (`password=`, `passwd=`, `secret=`) - - Private keys (`-----BEGIN.*PRIVATE KEY-----`) - - `.env` file contents committed by mistake - - API tokens, JWTs, or bearer tokens in source code - -3. **OWASP Top 10 review**: - - SQL injection: string concatenation in queries - - XSS: unsanitized user input rendered in HTML/JSX - - Broken authentication: missing permission checks on endpoints - - Insecure deserialization: unsafe deserialization of untrusted data (e.g., eval, exec) - - Security misconfiguration: debug mode enabled in production settings - - Sensitive data exposure: PII or tokens in log statements - -4. **Dependency audit**: - - Run `pip-audit` if Python files changed - - Run `npm audit` if JavaScript/TypeScript files changed - - Flag any new dependencies added without version pinning - -5. **Report findings** in a table: - - | Severity | File:Line | Finding | Recommendation | - |----------|-----------|---------|----------------| - - Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO - -6. If no issues found, report "No security issues detected" with a summary of what was checked. |