mk:vulnerability-scanner

Advanced vulnerability analysis principles. OWASP Top 10 baseline + current threat landscape awareness, supply chain security, attack surface mapping, and risk prioritization. Use when performing security audits, threat modeling, or OWASP reviews. NOT for STRIDE/CSO-mode infrastructure audits (see mk:cso).

What This Skill Does

Maps attack surface: entry points, data flows, trust boundaries, assets
Scans for OWASP Top 10 vulnerabilities adapted for contemporary threat landscape (AI/LLM risks, supply-chain attacks)
Audits dependency supply chain: known CVEs, typosquatting, install scripts, lockfile integrity
Searches code for high-risk patterns: SQL injection, dynamic code execution, unsafe deserialization, path traversal, disabled security
Detects exposed secrets: API keys, tokens, credentials, cloud provider prefixes
Prioritizes risks using EPSS (exploitability) and CVSS scoring
Produces structured findings: What, Where, Why, Impact, How to fix

When to Use

Security audit of a project or module
Before shipping code that handles auth, payments, or user data
When asked to "scan for vulnerabilities", "security check", "audit security"
When mk:cso delegates specific scanning tasks

NOT for: STRIDE/CSO-mode infrastructure audits (use mk:cso), diff-scoped PR security review (use mk:review).

Core Capabilities

Core Principles

Principle	Application
Assume Breach	Design as if attacker already inside
Zero Trust	Never trust, always verify
Defense in Depth	Multiple layers, no single point
Least Privilege	Minimum required access only
Fail Secure	On error, deny access

4-Phase Process

1. RECONNAISSANCE -> Technology stack, entry points, data flows
2. DISCOVERY -> Configuration review, dependency analysis, code pattern search
3. ANALYSIS -> False positive elimination, risk scoring, attack chain mapping
4. REPORTING -> Clear reproduction steps, business impact, remediation guidance

OWASP Top 10 (2021 ranking, 2025 threat context)

Rank	Category	Think About
A01	Broken Access Control	IDOR, SSRF, who can access what?
A02	Security Misconfiguration	Defaults, headers, exposed services
A03	Software Supply Chain	Dependencies, CI/CD, build integrity
A04	Cryptographic Failures	Weak crypto, exposed secrets
A05	Injection	User input -> system commands
A06	Insecure Design	Flawed architecture
A07	Authentication Failures	Session, credential management
A08	Integrity Failures	Unsigned updates, tampered data
A09	Logging & Alerting	Blind spots, no monitoring
A10	Exceptional Conditions	Error handling, fail-open states

Supply Chain Security (A03)

Vector	Risk	Check
Dependencies	Malicious packages	Audit new deps?
Lock files	Integrity attacks	Committed?
Build pipeline	CI/CD compromise	Who can modify?
Registry	Typosquatting	Verified sources?

Code Pattern Analysis -- High-Risk Patterns

Pattern	Risk	Look For
String concat in queries	Injection	`"SELECT * FROM " + input`
Dynamic code execution	RCE	`eval()`, `exec()`, `Function()`
Unsafe deserialization	RCE	`pickle.loads()`, `unserialize()`
Path manipulation	Traversal	User input in file paths
Disabled security	Various	`verify=False`, `--insecure`

Secret Patterns

Type	Indicators
API Keys	`api_key`, `apikey`, high entropy
Tokens	`token`, `bearer`, `jwt`
Credentials	`password`, `secret`, `key`
Cloud	`AWS_`, `AZURE_`, `GCP_` prefixes

Risk Prioritization

Is it actively exploited (EPSS >0.5)?
|-- YES -> CRITICAL: Immediate action
|-- NO -> Check CVSS
         |-- CVSS >=9.0 -> HIGH
         |-- CVSS 7.0-8.9 -> Consider asset value
         |-- CVSS <7.0 -> Schedule for later

Exceptional Conditions (A10)

Scenario	Fail-Open (BAD)	Fail-Closed (GOOD)
Auth error	Allow access	Deny access
Parsing fails	Accept input	Reject input
Timeout	Retry forever	Limit + abort

Cloud Security Checklist

IAM: Least privilege?
Storage: Public buckets?
Network: Security groups?
Secrets: Using manager?

Threat Modeling Questions

Before scanning, ask: What are we protecting? Who would attack? How? What's the impact?

Arguments

No positional arguments. Invoked by name:

/mk:vulnerability-scanner

Workflow

Map attack surface -- entry points, data flows, trust boundaries, assets
Load scanning methodology -- read references/scanning-methodology.md
Reconnaissance -- understand technology stack, entry points, data flows
Discovery -- configuration review, dependency analysis, code pattern search
Analysis -- validate findings, eliminate false positives, score risks
Report -- each finding: What, Where, Why, Impact, How to fix

Usage

bash

# Scan current project for vulnerabilities
/mk:vulnerability-scanner

# The skill loads scanning-methodology.md and runs through the 4-phase process

Runtime Scripts

Script	Purpose	Usage
`security-scan.py`	Security pattern scanning	`.claude/skills/.venv/bin/python3 .claude/scripts/security-scan.py`
`injection-audit.py`	Prompt injection detection	`.claude/skills/.venv/bin/python3 .claude/scripts/injection-audit.py`

Common Use Cases

Pre-release vulnerability scan for a module handling payments or user data
Dependency supply chain audit before deploying to production
Code pattern search for injection vulnerabilities in a new feature
Secret detection scan across the full codebase after a team member accidentally committed a key
Risk-scored OWASP assessment as part of a compliance checklist

Example Prompt

/mk:vulnerability-scanner We're about to launch the payment processing module. Run a full OWASP Top 10 scan — check for SQL injection, exposed secrets, dependency CVEs, and supply chain risks. Score every finding with CVSS so we know what to fix first.

Pro Tips

False positives in test fixtures: security scan flags intentionally insecure test data. Exclude test/fixtures/ and **/mocks/ from vulnerability scans.
Dependency confusion attacks missed: scanner checks known CVEs but not package name typosquatting. Cross-reference package names against known typosquat databases.
Not all CVEs are exploitable -- check if the vulnerable function is actually imported and called in your codebase.
Cloud secrets detection needs special attention: AWS_, AZURE_, GCP_ prefixes in config files or environment dumps.
This skill delegates to scanning scripts -- security-scan.py for pattern scanning, injection-audit.py for prompt injection detection.
For STRIDE threat modeling and full CSO audits, use mk:cso instead -- this skill handles focused OWASP/code-pattern scanning.

mk:vulnerability-scanner ​

What This Skill Does ​

When to Use ​

Core Capabilities ​

Core Principles ​

4-Phase Process ​

OWASP Top 10 (2021 ranking, 2025 threat context) ​

Supply Chain Security (A03) ​

Code Pattern Analysis -- High-Risk Patterns ​

Secret Patterns ​

Risk Prioritization ​

Exceptional Conditions (A10) ​

Cloud Security Checklist ​

Threat Modeling Questions ​

Arguments ​

Workflow ​

Usage ​

Runtime Scripts ​

Common Use Cases ​

Example Prompt ​

Pro Tips ​