DiscordSign up
SKILLS.SH

security

Run repository security scans.

INSTALLATION
npx skills add https://github.com/boshu2/agentops --skill security
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$27

scripts/security-gate.sh --mode quick

Expected behavior:

  • Fails on high/critical findings from available scanners.
  • Writes artifacts under $TMPDIR/agentops-security/<run-id>/.

2) Pre-Release (strict)

Run full gate:

scripts/security-gate.sh --mode full

Expected behavior:

  • Full scanner pass before release workflow can continue.
  • Artifacts retained for audit and incident response.

3) Nightly (continuous)

Nightly workflow should run:

scripts/security-gate.sh --mode full

Expected behavior:

  • Detects drift/regressions outside active PR windows.
  • Failing run creates actionable signal in workflow summary/issues.

Triage Guidance

When gate fails:

  • Open latest artifact in $TMPDIR/agentops-security/ and identify scanner + file.
  • Classify severity (critical/high/medium).
  • Fix immediately for critical/high or create tracked follow-up issue with owner.
  • Re-run scripts/security-gate.sh until gate passes.

Reporting Template

Security gate run: <run-id>

Mode: <quick|full>

Result: <pass|blocked>

Top findings:

- <scanner> <severity> <file> <summary>

Actions:

- <fix or issue id>

Notes

  • Use this as the canonical security runbook instead of ad-hoc scanner commands.
  • Keep workflow wiring aligned with this contract in:
  • .github/workflows/validate.yml
  • .github/workflows/nightly.yml
  • .github/workflows/release.yml
  • For binary/internal black-box assurance plus offline repo-surface redteam, use:
  • skills/security-suite/SKILL.md (includes security_suite.py and prompt_redteam.py)
  • For dependency vulnerability and license scanning, use:
  • deps — Dependency audit, vulnerability scanning, and license compliance

Examples

Scenario: Quick Security Gate Before Opening a PR

User says: /security

What happens:

  • The skill runs scripts/security-gate.sh --mode quick, which executes available scanners (semgrep, gosec, gitleaks) against the current working tree and flags high/critical findings.
  • Run /deps vuln to scan for vulnerable dependencies (OWASP A06: Vulnerable and Outdated Components).
  • Scan artifacts are written to $TMPDIR/agentops-security/<run-id>/ for review, and the gate reports a pass/blocked verdict.

Result: The gate passes with no high/critical findings, confirming the branch is safe to open a PR.

Scenario: Full Security Gate for a Release

User says: /security --release

What happens:

  • The skill runs scripts/security-gate.sh --mode full, which performs a comprehensive scan including all scanner passes, test-inclusive toolchain checks, and stricter severity thresholds.
  • Artifacts are retained under $TMPDIR/agentops-security/<run-id>/ for audit trail and incident response, and a structured report is generated.

Result: The full gate blocks the release on two medium-severity findings in cli/internal/config.go; the operator triages and fixes them before re-running the gate to get a clean pass.

Troubleshooting

Problem

Cause

Solution

Gate reports "scanner not found" and skips checks

Required scanner (semgrep, gosec, or gitleaks) is not installed

Install the missing scanner: brew install semgrep, go install github.com/securego/gosec/v2/cmd/gosec@latest, or brew install gitleaks.

Gate passes locally but fails in CI

CI environment has additional scanners or stricter config

Compare $TMPDIR/agentops-security/ artifacts from both environments; align scanner versions and config files across local and CI.

False positive blocking the gate

Scanner flags a non-issue as high/critical severity

Add a scanner-specific inline suppression comment (e.g., # nosemgrep: rule-id) or update the scanner config to exclude the pattern, then document the suppression reason.

Artifacts directory $TMPDIR/agentops-security/ not created

Script lacks write permissions or $TMPDIR is not writable

Verify $TMPDIR is set and writable; the script auto-creates subdirectories on each run.

Nightly scan not detecting regressions

Nightly workflow is not configured or is pointing at stale branch

Verify .github/workflows/nightly.yml runs scripts/security-gate.sh --mode full against the correct branch (typically main).

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card