How does it calculate risk scores?

It uses a proprietary formula combining CVSS scores, real-world exploitability (via CISA KEV), system criticality, and network exposure levels.

What vulnerability databases does it use for live data?

It fetches current threat intelligence from OSV.dev, the National Vulnerability Database (NVD), GitHub Advisories, and the CISA Known Exploited Vulnerabilities (KEV) catalog.

Does it automatically apply fixes to my code?

It provides specific remediation code, patches, and CLI commands along with unit tests to validate the fix, allowing you to review and verify the resolution before application.

Can it detect leaked API keys?

Yes, it scans for secret exposure in .env files and configuration scripts, flagging risks while ensuring sensitive values are never logged or stored in the inventory.

Which package managers does the Security Analyzer support?

The skill scans dependencies for npm (JavaScript), pip (Python), gem (Ruby), go (Golang), cargo (Rust), and Maven (Java/pom.xml).

Security Analyzer

Name: Security Analyzer
Author: Cornjebus

byCornjebus

0•

Security & Testing

Performs comprehensive security audits across codebases, dependencies, and infrastructure to identify vulnerabilities and provide automated remediation plans.

The Security Analyzer skill empowers Claude to perform deep security assessments of modern software environments by scanning dependencies (npm, pip, go, etc.), Docker containers, and Cloud Infrastructure as Code (Terraform, CloudFormation). It integrates live vulnerability intelligence from OSV.dev and CISA KEV to calculate real-world risk scores and generates actionable, phased remediation reports. Uniquely, it employs a Test-Driven Development (TDD) approach, providing pre-fix tests to prove vulnerabilities and post-fix validation tests to ensure patches are effective, making it an essential tool for maintaining a robust security posture and meeting compliance requirements.

Key Features

01Dual-report generation for both technical engineering teams and executive leadership

02Multi-ecosystem dependency scanning for npm, pip, gem, go, cargo, and Maven

030 GitHub stars

04TDD-based remediation with automated validation tests for every finding

05Live CVE fetching and exploitability risk scoring using CISA KEV and NVD data

06Infrastructure as Code (IaC) and container configuration auditing for Terraform and Docker

Use Cases

01Identifying and rotating exposed secrets or sensitive keys within environment files

02Auditing a codebase for publicly known vulnerabilities before a major production release

03Hardening cloud infrastructure and container images based on OWASP and industry best practices

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add cornjebus/amair security-analyzer

For use in Claude.ai and ChatGPT

Download Skill