From code-abyss
Scans code for security vulnerabilities (OWASP Top 10), injection risks, sensitive data leaks, and dangerous patterns. Automatically activated on security-related changes, new modules, or post-refactor.
Slash command: `/code-abyss:analyzing-security <scan-path>`
> Automated scanning catches patterns, but **severity judgment and handling depend on context**: the sink, the trust boundary, and the compensating controls.
| Scenario | Must run | Reason |
|---|---|---|
| New module landed | ✅ | Introduces new attack surface |
| Security-related change | ✅ | Directly touches the threat surface |
| Refactor completed | ✅ | Prevents regressions introduced by the refactor |
| Before commit (if sensitive data or external input handling is involved) | ✅ | Last gate |
| Offensive/defensive engagement delivery | ✅ | Self-check before acceptance |
| Docs/style-only changes | ❌ | No change in attack surface |
(… `npm audit`, `pip-audit`; not pattern scanning.)

Each finding carries a severity (critical / high / medium / low) plus a category (injection / sensitive information / XSS / deserialization / path traversal / SSRF / weak cryptography / insecure randomness / debug leftovers).

`random` used in a non-security context (e.g. jitter) → acceptable.

Every rule has an `excludePattern`; if a false positive remains, suppress it inline with:

```
// nosec: <rule ID> <reason>
```

(… pentest.md)

```
node scripts/security_scanner.js <path>                 # default: full scan
node scripts/security_scanner.js <path> -v              # verbose, includes the matched code snippets
node scripts/security_scanner.js <path> --json          # machine-readable output, for CI
node scripts/security_scanner.js <path> --exclude vendor,dist
```
The full rule matrix, the quick reference of dangerous patterns, and the false-positive exemption list are in references/rules.md.

Critical/High findings must be fixed before delivery. Security decisions must be recorded in DESIGN.md: threat model, trust boundaries, known risks, compensating controls.
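As an added example (not the plugin's own scripts/security_scanner.js, whose rule file and flags are described above but not shown on this page), the following Node.js sketch implements the mechanics the skill relies on: a rule matrix carrying severity and category, a per-rule `excludePattern`, the `// nosec: <rule ID> <reason>` inline suppression, and the Critical/High delivery gate. The rule IDs, the `-v`/`--json` handling and the sample source lines are all constructed for this demonstration.

```javascript
// Added example, not the plugin's own scripts/security_scanner.js: a minimal
// pattern scanner in the shape the skill describes, with a rule matrix
// (severity + category), a per-rule excludePattern, and inline
// `// nosec: <rule ID> <reason>` suppression. Rule IDs and the sample source
// below are constructed for the demo.
'use strict';

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

const RULES = [
  {
    id: 'SEC-INJ-001', category: 'injection', severity: 'critical',
    // exec()/execSync() called with string concatenation or a template literal
    pattern: /\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/,
  },
  {
    id: 'SEC-RAND-001', category: 'insecure randomness', severity: 'medium',
    pattern: /\bMath\.random\(\)/,
    // jitter/backoff delays are not a security use of randomness
    excludePattern: /\b(?:jitter|backoff)\b/i,
  },
  {
    id: 'SEC-DBG-001', category: 'debug leftovers', severity: 'low',
    pattern: /\bconsole\.log\(/,
  },
];

// `// nosec: <rule ID> <reason>`; a suppression without a reason is rejected
const NOSEC = /\/\/\s*nosec:\s*([A-Z0-9-]+)\s*(.*)$/;

function scanLines(lines, rules = RULES) {
  const findings = [];
  const suppressed = [];
  lines.forEach((text, i) => {
    const lineNo = i + 1;
    const nosec = NOSEC.exec(text);
    for (const rule of rules) {
      if (!rule.pattern.test(text)) continue;
      if (rule.excludePattern && rule.excludePattern.test(text)) continue;
      const finding = { line: lineNo, id: rule.id, severity: rule.severity,
                        category: rule.category, snippet: text.trim() };
      if (nosec && nosec[1] === rule.id) {
        const reason = nosec[2].trim();
        if (reason) { suppressed.push({ ...finding, reason }); continue; }
        finding.note = 'nosec ignored: missing reason';
      }
      findings.push(finding);
    }
  });
  findings.sort((a, b) =>
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
  // Critical/High block delivery; a CI wrapper would exit non-zero on this flag
  const blocking = findings.some((f) => SEVERITY_RANK[f.severity] <= SEVERITY_RANK.high);
  return { findings, suppressed, blocking };
}

function formatReport(result, { verbose = false, json = false } = {}) {
  if (json) return JSON.stringify(result, null, 2);
  const out = result.findings.map((f) =>
    `[${f.severity}] ${f.id} (${f.category}) line ${f.line}` +
    (f.note ? ` [${f.note}]` : '') + (verbose ? `\n    ${f.snippet}` : ''));
  out.push(`${result.findings.length} finding(s), ${result.suppressed.length} suppressed, ` +
           `blocking=${result.blocking}`);
  return out.join('\n');
}

// Constructed sample source, not taken from any real project.
const SAMPLE_LINES = [
  "const { execSync } = require('child_process');",
  "const wait = base + Math.random() * 100; // jitter for retry backoff",
  "const token = Math.random().toString(36).slice(2);",
  "execSync('ls ' + userInput);",
  "const out = execSync(`git show ${ref}`); // nosec: SEC-INJ-001 ref validated against /^[0-9a-f]{40}$/ upstream",
  "console.log('token', token); // nosec: SEC-DBG-001",
];

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  const json = process.argv.includes('--json');
  const verbose = process.argv.includes('-v');
  console.log(formatReport(scanLines(SAMPLE_LINES), { verbose, json }));
}
```

Run it with `node scanner.js -v` or `--json`. On the sample it reports the concatenated `execSync` call as critical, the token built from `Math.random()` as medium, and the `console.log` as low; the jitter line is never reported because the rule's `excludePattern` handles that context without any annotation, and the `git show` line is suppressed only because its `nosec` carries a stated reason. The final line's `nosec` is rejected for lacking one, which is exactly the kind of exemption a reviewer should refuse.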
Install: `npx claudepluginhub telagod/code-abyss --plugin code-abyss`