From agentic-security
Applies a deterministic remediation patch for a specific security scanner finding via MCP toolchain (synthesize→verify→apply). Handles single-finding and batch fixes with HMAC-verified writes and project test verification.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-security:security-fix-finding
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Activates when the user is pointing at a specific finding from a prior
scan and wants to remediate it. The deterministic toolchain
(synthesize_fix → verify_fix → apply_fix) is the only correct path —
do NOT use Edit directly.
struct:src/api.js:42:SQL_Injection)
or a stableId (abc12345) and asks for action.

Confirm the finding still exists. Read
.agentic-security/last-scan.json and look up the finding by id /
stableId / file+line. If it's gone, tell the user and stop — don't
patch a finding that's already been resolved.

Decide appropriateness. Read the file around finding.line ± 30
via the Read tool. Is the canonical fix actually right here? If
the surrounding code already validates upstream, or there's a custom
sanitizer, or the file is a test fixture — STOP and report
refused: <reason>. Don't proceed.

Route via MCP, not Edit. The deterministic path is:
MCP synthesize_fix → MCP verify_fix → MCP apply_fix

synthesize_fix({ finding_id }) returns the stored replacement
text. You do NOT modify it. You do NOT retype it.

verify_fix({ stable_id, files: {…} }) re-scans the patched file
in memory and runs the project linter. Read the structured
introduced[] array on failure (template-incomplete vs codebase-prior
vs lint-failed — see agents/security-fixer.md for the
decision tree).

apply_fix({ finding_id, confirm: true }) writes via
fix-history.js with HMAC verification + reserved-path refusal +
attempt-budget enforcement.

Batch mode. If the user wants to fix more than one finding, hand
off to the security-fixer subagent with a list (≤ 10 findings per
invocation per _CONFINEMENT.md). The subagent writes a PLAN.md
to the scratchpad.

Run the project tests after apply. If the project has
npm test, pytest, cargo test, or similar — invoke it via
Bash. Surface pass/fail in the final report.
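
The three guards the apply_fix step names (HMAC verification, reserved-path refusal, attempt budget), sketched as an added example. This is not the plugin's fix-history.js; the record layout, key handling, reserved-path list and budget of 3 are assumptions made for illustration.

```javascript
// Added illustration, not the plugin's fix-history.js. All names below are hypothetical.
const crypto = require('crypto');
const path = require('path');

const KEY = crypto.randomBytes(32);            // assumed: secret held only by the tool server
const RESERVED = ['.git', '.agentic-security', 'node_modules']; // assumed reserved paths
const MAX_ATTEMPTS = 3;                        // assumed attempt budget per finding
const attempts = new Map();

// The tag binds finding id, target file and the exact replacement bytes together.
function tag(rec) {
  const h = crypto.createHmac('sha256', KEY);
  for (const field of [rec.findingId, rec.file, rec.replacement]) {
    const b = Buffer.from(String(field), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(b.length);
    h.update(len).update(b); // length prefix: bytes cannot shift between fields
  }
  return h.digest();
}

// Synthesize step: store the replacement text together with its tag.
function synthesize(findingId, file, replacement) {
  const rec = { findingId, file, replacement };
  return { ...rec, mac: tag(rec).toString('hex') };
}

// Apply step: returns { ok, reason }. A caller writes to disk only when ok is true.
function checkApply(rec, projectRoot) {
  const used = (attempts.get(rec.findingId) || 0) + 1;
  attempts.set(rec.findingId, used);
  if (used > MAX_ATTEMPTS) return { ok: false, reason: 'attempt-budget-exceeded' };

  const rel = path.relative(projectRoot, path.resolve(projectRoot, rec.file));
  if (!rel || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel))
    return { ok: false, reason: 'outside-project' };
  if (RESERVED.includes(rel.split(path.sep)[0]))
    return { ok: false, reason: 'reserved-path' };

  const given = Buffer.from(String(rec.mac), 'hex');
  const expected = tag(rec);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'hmac-mismatch' };
  return { ok: true, reason: 'verified' };
}
```

In this sketch the tag covers the exact replacement bytes, so a patch that was retyped or edited between synthesize and apply is refused rather than written.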
Edit to apply security patches. The deterministic
toolchain is the only path with HMAC + audit + budget + backup.
verify_fix.
/fix --one <id> — patch a single finding (interactive)
/fix --all --critical — batch by severity
/fix --pr — bundle into a PR branch
npx claudepluginhub clear-capabilities/agentic-security --plugin agentic-security