From epic
Scans codebases for injection, auth, data exposure, and dependency vulnerabilities. Activates during security reviews, threat model validation, or via /vuln-scan.
Trigger: slash command /epic:vuln-scan.

Summary Claude sees in its skill listing: "Code you haven't scanned for vulnerabilities has vulnerabilities you haven't found."
Check for .harness/engagement.md. If present, load scope constraints — only scan in-scope paths and respect exclusions.
Check for THREAT_MODEL.md from a previous /threat-model run. If present, use its threat scenarios as scan targets. If absent, run full-surface scan.
```bash
# Gather changed files (for incremental scans)
git diff --name-only $(git merge-base HEAD main)
# Or scan entire codebase
find . -type f \( -name "*.rs" -o -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" \) \
| grep -v node_modules | grep -v target | grep -v vendor
```
Launch all dimensions concurrently:
Search patterns (injection):
```
eval( exec( system(
string concat SQL format!.*query raw_query
innerHTML dangerouslySetInnerHTML
```
For each match:
Search patterns (auth):
```
password secret api_key
token credential private_key
Bearer Authorization
session cookie
```
For each match:
Search patterns (exposure):
```
console\.log.*token println!.*secret log\.info.*password
\.env DEBUG.*=.*true stacktrace
err\.message error\.response
```
For each match:
Dependency scan:
```bash
# Rust
cargo audit 2>/dev/null || echo "cargo-audit not installed"
# Node.js
npm audit 2>/dev/null || echo "npm audit not available"
```
For each CVE found:
For each finding, apply adversarial validation:
eval() is INFO, not CRITICAL.

Write VULN-FINDINGS.json:
```json
{
  "scan_date": "ISO-8601",
  "scope": "full | incremental",
  "threat_model_ref": "THREAT_MODEL.md | null",
  "findings": [
    {
      "id": "V1",
      "dimension": "injection | auth | exposure | dependency",
      "severity": "CRITICAL | HIGH | MEDIUM | LOW | INFO",
      "file": "path/to/file",
      "line": 42,
      "pattern": "matched pattern",
      "description": "what was found",
      "validated": true,
      "false_positive": false,
      "reachable": true,
      "mitigated": false,
      "threat_scenario": "T1 | null",
      "remediation": "one-line fix hint"
    }
  ],
  "summary": {
    "total": 10,
    "critical": 1,
    "high": 3,
    "medium": 4,
    "low": 2,
    "false_positives": 0
  }
}
```
After producing findings, suggest:
"Run /triage to validate findings with adversarial review."
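As an added example (not part of the epic skill itself), the following Python applies the search-pattern lists above to constructed sample files and writes the result in the VULN-FINDINGS.json shape; the default severity per dimension, the comment-line downgrade rule in validate(), and the sample file paths are assumptions made for the example.

```python
import re
from collections import Counter

# Dimension -> regexes, taken from the skill's search-pattern lists above.
PATTERNS = {
    "injection": [r"\beval\(", r"\bexec\(", r"\bsystem\(", r"raw_query",
                  r"format!.*query", r"innerHTML", r"dangerouslySetInnerHTML"],
    "auth": [r"password", r"secret", r"api_key", r"private_key", r"Bearer"],
    "exposure": [r"console\.log.*token", r"println!.*secret",
                 r"log\.info.*password", r"DEBUG.*=.*true", r"err\.message"],
}
# Severity per dimension is an assumption made for this example, not a skill rule.
DEFAULT_SEVERITY = {"injection": "CRITICAL", "auth": "HIGH", "exposure": "MEDIUM"}

# Constructed sample sources with hypothetical paths (not from any real project).
SAMPLES = {
    "src/db.py": 'rows = raw_query("SELECT * FROM users WHERE id = " + uid)\n',
    "src/auth.ts": "const api_key = 'REDACTED';\nconsole.log('token', token);\n",
    "src/ui.tsx": "// eval() was removed on purpose\nel.innerHTML = user_input;\n",
}

def validate(dimension, line):
    """Adversarial validation: a hit on a comment line cannot execute, so it is
    downgraded to INFO and marked unreachable instead of taking the default."""
    if line.lstrip().startswith(("#", "//")):
        return "INFO", False
    return DEFAULT_SEVERITY[dimension], True

def scan(files, scan_date, threat_model_ref=None):
    """Scan {path: source} and return a dict in the VULN-FINDINGS.json shape."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for dimension, regexes in PATTERNS.items():
                hit = next((rx for rx in regexes if re.search(rx, line)), None)
                if hit is None:
                    continue  # at most one finding per dimension per line
                severity, reachable = validate(dimension, line)
                findings.append({
                    "id": f"V{len(findings) + 1}", "dimension": dimension,
                    "severity": severity, "file": path, "line": lineno,
                    "pattern": hit, "description": line.strip(), "validated": True,
                    "false_positive": False, "reachable": reachable, "mitigated": False,
                    "threat_scenario": None, "remediation": "review before merge"})
    by_sev = Counter(f["severity"].lower() for f in findings)
    summary = {"total": len(findings), **{s: by_sev[s] for s in
               ("critical", "high", "medium", "low")}, "false_positives": 0}
    return {"scan_date": scan_date, "scope": "full",
            "threat_model_ref": threat_model_ref, "findings": findings,
            "summary": summary}
```

On the constructed samples, scan(SAMPLES, "2024-01-01T00:00:00Z") returns five findings: two CRITICAL, one HIGH, one MEDIUM and one INFO for the commented-out eval().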
| Excuse | Rebuttal | What to do instead |
|---|---|---|
| "Static scanning has too many false positives" | False positives are filtered in Step 3. Unfiltered findings are better than missed vulnerabilities. | Run the scan, then validate. Skipping scan guarantees missed vulns. |
| "We use a framework that prevents injection" | Frameworks prevent generic injection. Business-logic injection is framework-agnostic. | Scan for application-layer patterns too. |
| "Dependencies are vetted" | Transitive dependencies aren't. cargo audit / npm audit exist for a reason. | Run dependency scanning every time Cargo.lock or package-lock.json changes. |
| "The code is too new to have vulnerabilities" | New code has the most vulnerabilities. Old code has had time to be tested. | New code is the highest-priority scan target. |
Install:
```bash
npx claudepluginhub epicsagas/epic-harness --plugin epic-harness
```