terminal Claude Marketplace Browser
AGENT v2.0.0

security-agent

Agent autonome d'analyse de vulnérabilités. Effectue des audits de sécurité approfondis sur le code source et les dépendances.

Category Security
Author Alice Martin
Version 2.0.0

Description & Examples

security-agent

Autonomous security analysis plugin that performs in-depth vulnerability audits on source code and project dependencies. Designed to run as part of a CI pipeline or on-demand before releases.

What it does

This plugin ships two autonomous agents: security-reviewer scans source code for vulnerabilities, secrets, and insecure patterns; dependency-auditor cross-references your dependency manifests against known CVE databases and flags outdated or compromised packages.

When to use it

Run this plugin before any production release, after adding new third-party dependencies, or whenever a new CVE is disclosed for a technology your project uses. It is also useful during security audits or penetration testing preparation to surface low-hanging fruit before engaging an external team.

Components

smart_toy
security-reviewer Agent
expand_more

security-reviewer

An autonomous agent that performs static security analysis on source code. It scans files for vulnerability patterns, hardcoded secrets, insecure configurations, and dangerous API usage across multiple languages.

Capabilities

  • Detects OWASP Top 10 vulnerability patterns in application code
  • Identifies hardcoded passwords, API keys, and private keys using entropy analysis and regex patterns
  • Flags insecure cryptographic primitives (MD5, SHA1, DES, ECB mode)
  • Detects unsafe deserialization, path traversal, and command injection sinks
  • Reviews authentication and authorisation logic for common bypasses
  • Checks HTTP headers and cookie configuration for security misconfigurations

Supported languages

  • Java, Kotlin
  • Python
  • JavaScript, TypeScript
  • PHP
  • Go
  • Ruby

Usage

Invoke the agent with a description of what to review:

"Run the security-reviewer agent on the authentication module"
"Security review of src/api/ before the v2 release"
"Check the new payment integration for vulnerabilities"

Output

The agent produces a structured security report:

## Security Review — authentication module

### High severity
- Hardcoded JWT secret in src/auth/config.js:12
- Missing rate limiting on /api/login endpoint

### Medium severity
- Session token not invalidated on logout (src/auth/SessionService.java:88)

### Informational
- Consider adding security headers middleware (CSP, HSTS, X-Frame-Options)

Configuration

The agent respects a .securityignore file at the project root to exclude paths (test fixtures, generated code, etc.) from analysis.

# .securityignore
test/fixtures/
generated/
vendor/
smart_toy
dependency-auditor Agent
expand_more

dependency-auditor

An autonomous agent that audits project dependencies against known vulnerability databases. It parses dependency manifests, resolves transitive dependencies, and reports CVEs with severity scores and remediation advice.

Capabilities

  • Parses package.json, pom.xml, build.gradle, requirements.txt, Gemfile.lock, go.mod, and composer.json
  • Cross-references declared and transitive dependencies against the NVD (National Vulnerability Database) and GitHub Advisory Database
  • Flags packages that have been deprecated, abandoned, or taken over (supply chain risk)
  • Detects licence conflicts (e.g., GPL in a proprietary project)
  • Suggests minimal-impact upgrade paths to resolve vulnerabilities

Usage

"Audit the dependencies of this project"
"Run dependency-auditor and list all critical CVEs"
"Check if any of our npm packages have known vulnerabilities"

Output format

## Dependency Audit — package.json

### Critical CVEs
- lodash@4.17.20 — CVE-2021-23337 (Command Injection) — fix: upgrade to 4.17.21

### High CVEs
- axios@0.21.1 — CVE-2021-3749 (ReDoS) — fix: upgrade to 0.21.4

### Deprecated packages
- request@2.88.2 — no longer maintained since 2020, consider node-fetch or axios

### Licence warnings
- gpl-3.0-licensed-lib@1.0.0 — incompatible with proprietary distribution

### Summary
3 packages with known vulnerabilities (1 critical, 1 high, 1 medium)
2 deprecated packages
1 licence conflict

Remediation workflow

After reporting, the agent can optionally:

  1. Generate a package-upgrades.json with the minimal required version bumps
  2. Apply upgrades automatically when safe (patch-level, non-breaking)
  3. Open a summary issue or comment on the current pull request

Notes

  • Transitive dependency resolution may require network access to package registries
  • The agent caches advisory data locally for 24 hours to reduce external calls