gemini-cli-security

Gemini CLI Security Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "gemini-cli-security" with this command: npx skills add oimiragieo/agent-studio/oimiragieo-agent-studio-gemini-cli-security

Overview

This skill adapts the Gemini CLI Security Extension's analysis methodology for the agent-studio framework. The original extension uses two MCP server patterns — a security analysis server and an OSV-Scanner integration — to provide dual-vector coverage. This skill implements equivalent analysis using native Claude Code tools (WebFetch for OSV.dev API, Grep/Bash for static analysis patterns).

Source repository: https://github.com/gemini-cli-extensions/security

License: Apache 2.0

Performance: 90% precision, 93% recall (OpenSSF CVE benchmark, TypeScript/JavaScript)

When to Use

  • Before merging pull requests to detect introduced vulnerabilities

  • During security reviews of new code changes

  • For dependency auditing against known CVE databases

  • For LLM-integrated applications requiring prompt injection defense review

  • As part of CI/CD pipeline security gates

Iron Law

NO PRODUCTION CODE WITHOUT SECURITY ANALYSIS FOR AUTH/SECRETS/EXTERNAL-INPUT HANDLERS

All code paths that handle authentication, secrets (including any hardcoded credentials or keys), external input, or AI model outputs MUST be analyzed before production deployment.

Vulnerability Coverage

Category 1: Secrets Management

| Pattern | Detection Method |
| --- | --- |
| Hardcoded API keys | Grep for key patterns + entropy analysis |
| Hardcoded passwords | Credential keyword detection |
| Private keys in source | PEM block / base64 key detection |
| Encryption keys | Symmetric key constant patterns |

Category 2: Injection Attacks

| Attack Type | Examples |
| --- | --- |
| SQL injection | String concatenation in queries |
| XSS | Unescaped user content in HTML/JS output |
| Command injection | Shell exec with user-controlled args |
| SSRF | User-controlled URLs in server requests |
| Template injection | Unsanitized user input in template engines |

Category 3: Authentication Flaws

| Flaw | Detection |
| --- | --- |
| Session bypass | Missing auth middleware |
| Weak tokens | Predictable token generation |
| Insecure password reset | Token-less or email-only resets |
| Missing MFA enforcement | Auth flows without 2FA checks |

Category 4: Data Handling

| Issue | Detection |
| --- | --- |
| Weak cryptography | MD5/SHA1 for secrets; DES/RC4 usage |
| Sensitive data in logs | PII/credential patterns in log statements |
| PII violations | Unencrypted PII storage or transmission |
| Insecure deserialization | Unsafe pickle/eval/deserialize calls |

Category 5: LLM Safety (Novel)

| Risk | Detection |
| --- | --- |
| Prompt injection | User content injected into LLM prompts without sanitization |
| Unsafe output handling | LLM output used in exec/eval/shell without validation |
| Insecure tool integration | Tool calls with unchecked LLM-provided parameters |
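The following is an added example, not the skill's own scripts/main.cjs, showing what the pattern-based detection above looks like in working code for Category 1 (keyword regex plus Shannon entropy so that placeholders are not reported as API keys) and Category 2 (SQL built by string concatenation). It emits findings in the JSON schema used under "Output Format" and adds a severity gate of the kind a CI job needs. The sample source file is constructed inline; the entropy threshold and the `severityGate` helper are assumptions of this example, not documented behaviour of the skill.

```javascript
// Added example, not the skill's scripts/main.cjs: a minimal pattern-based
// scanner for Category 1 (hardcoded secrets: keyword regex + Shannon entropy)
// and Category 2 (SQL built by string concatenation), emitting findings in the
// JSON schema shown under "Output Format" plus a severity gate for CI.
'use strict';

const SEVERITY_ORDER = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];

// Shannon entropy in bits per character. Random API keys score well above 3.5;
// words and placeholders such as "changeme" or "placeholder" score below it.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const ENTROPY_THRESHOLD = 3.5; // assumed cut-off; tune against your own false-positive rate

const RULES = [
  {
    id: 'AUTH-001', severity: 'CRITICAL', category: 'secrets',
    description: 'Hardcoded API key',
    remediation: 'Move to environment variable',
    // a key/secret/token/password-like name assigned a quoted literal of 8+ chars
    re: /\b\w*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"]([^'"]{8,})['"]/i,
    // entropy filter drops placeholders that the keyword regex alone would flag
    accept: (m) => shannonEntropy(m[1]) > ENTROPY_THRESHOLD,
  },
  {
    id: 'INJ-002', severity: 'HIGH', category: 'injection',
    description: 'SQL injection risk: query built by string concatenation',
    remediation: 'Use parameterized queries',
    // a quoted SQL statement immediately concatenated with an identifier
    re: /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^'"`]*['"`]\s*\+\s*\w+/i,
    accept: () => true,
  },
];

// Run every rule over every line of one file; line numbers are 1-based as in the report.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const rule of RULES) {
      const m = rule.re.exec(lineText);
      if (m && rule.accept(m)) {
        findings.push({
          id: rule.id, severity: rule.severity, category: rule.category,
          file, line: idx + 1, description: rule.description, remediation: rule.remediation,
        });
      }
    }
  });
  return findings;
}

function summarize(findings) {
  const summary = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) summary[f.severity.toLowerCase()] += 1;
  return summary;
}

// CI gate (assumed helper): exit code 1 when any finding is at or above failOn.
function severityGate(summary, failOn = 'HIGH') {
  const floor = SEVERITY_ORDER.indexOf(failOn);
  const blocking = SEVERITY_ORDER.slice(floor).reduce((n, s) => n + summary[s.toLowerCase()], 0);
  return blocking > 0 ? 1 : 0;
}

// Constructed sample input standing in for a file under --target.
const SAMPLE_FILE = 'src/config.ts';
const SAMPLE_SOURCE = [
  'const API_KEY = "sk-4f9c2a7e81b3d6c0f5a9";',              // flagged: high-entropy literal
  'const DEFAULT_TOKEN = "placeholder";',                     // not flagged: low entropy
  'const q = "SELECT * FROM users WHERE id = " + userId;',    // flagged: concatenated SQL
  'db.query("SELECT * FROM users WHERE id = $1", [userId]);', // not flagged: parameterized
].join('\n');

function runSample() {
  const findings = scanSource(SAMPLE_FILE, SAMPLE_SOURCE);
  const summary = summarize(findings);
  return { findings, summary, exitCode: severityGate(summary) };
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed input the scanner reports AUTH-001 on line 1 and INJ-002 on line 3, skips the low-entropy placeholder and the parameterized query, and the gate returns 1 because a HIGH and a CRITICAL finding are present. Regex-only detection of this kind is what produces the precision/recall trade-off the benchmark figures describe: widening the keyword list raises recall, and the entropy filter is what keeps precision up.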

Usage

Invocation

```javascript
// From an agent
Skill({ skill: 'gemini-cli-security' });

// With arguments via Bash integration
Skill({ skill: 'gemini-cli-security', args: 'src/ --scan-deps' });
```

Workflow Execution

```shell
# Analyze code in a directory
node .claude/skills/gemini-cli-security/scripts/main.cjs --target src/

# Scan dependencies for CVEs
node .claude/skills/gemini-cli-security/scripts/main.cjs --scan-deps

# JSON output for CI integration
node .claude/skills/gemini-cli-security/scripts/main.cjs --target . --json

# Scoped analysis with natural language
node .claude/skills/gemini-cli-security/scripts/main.cjs --target src/auth/ --scope "focus on token handling and session management"
```

Output Format

Default output (markdown report):

Security Analysis Report

CRITICAL

  • [AUTH-001] Hardcoded API key found in src/config.ts:42
    Pattern: const API_KEY = "sk-..."
    Remediation: Move to environment variable

HIGH

  • [INJ-002] SQL injection risk in src/db/users.ts:87
    Pattern: String concatenation in query builder
    Remediation: Use parameterized queries

Dependencies

  • lodash@4.17.15 → CVE-2021-23337 (HIGH) - Command injection via the template function
    Fix: Upgrade to lodash@4.17.21+

JSON output (--json flag):

```json
{
  "findings": [
    {
      "id": "AUTH-001",
      "severity": "CRITICAL",
      "category": "secrets",
      "file": "src/config.ts",
      "line": 42,
      "description": "Hardcoded API key",
      "remediation": "Move to environment variable"
    }
  ],
  "dependencies": [
    {
      "package": "lodash",
      "version": "4.17.15",
      "cve": "CVE-2021-23337",
      "severity": "HIGH",
      "fix": "4.17.21"
    }
  ],
  "summary": {
    "critical": 1,
    "high": 2,
    "medium": 3,
    "low": 0,
    "precision": 0.9,
    "recall": 0.93
  }
}
```

OSV.dev Dependency Scanning

The skill integrates with the OSV.dev API (no authentication required) to check dependencies:

```javascript
// OSV.dev batch query endpoint
WebFetch({
  url: 'https://api.osv.dev/v1/querybatch',
  prompt: 'Extract vulnerability IDs, severity, and affected versions for these packages',
});
```

Note that `/v1/querybatch` accepts only a POST whose JSON body carries the list of queries (package name, ecosystem, version); a plain GET of the URL submits no packages. Each result in the response lists vulnerability ids (with a modified timestamp) for the matching query, so severity and affected or fixed versions have to be fetched separately from `/v1/vulns/{id}`.

Supported ecosystems: npm, PyPI, RubyGems, Maven, Go, Cargo, NuGet, Packagist
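As an added example (not the skill's code), here is the request-building and response-handling side of that integration for the npm ecosystem: reading installed packages out of a `package-lock.json`, batching them into `querybatch` POST bodies, and aligning each result with the query it answers. No network call is made; the lockfile and the response are constructed samples in the shapes npm and OSV use, the batch cap is an assumed value, and the vulnerability id in the sample response is the one already used in this page's report example.

```javascript
// Added example, not the skill's code: turning an npm lockfile into OSV.dev
// querybatch requests and aligning the response with the queries. No network
// call is made; the lockfile and the response are constructed samples.
'use strict';

const OSV_QUERYBATCH = 'https://api.osv.dev/v1/querybatch';
const BATCH_LIMIT = 1000; // assumed per-request cap; check OSV's docs for the current value

// package-lock.json v2/v3 lists every installed package under "packages",
// keyed by install path; the name is whatever follows the last "node_modules/".
function lockfileToQueries(lock) {
  const queries = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // root project entry, workspace links
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    queries.push({ package: { name, ecosystem: 'npm' }, version: meta.version });
  }
  return queries;
}

// querybatch is a POST with a JSON body {"queries": [...]}; fetching the bare
// URL with GET submits nothing. Returns one request description per batch.
function buildRequests(queries) {
  const requests = [];
  for (let i = 0; i < queries.length; i += BATCH_LIMIT) {
    requests.push({
      method: 'POST',
      url: OSV_QUERYBATCH,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ queries: queries.slice(i, i + BATCH_LIMIT) }),
    });
  }
  return requests;
}

// results[i] answers queries[i]. querybatch returns only {id, modified} per
// vulnerability; severity and fixed versions require GET /v1/vulns/{id}.
function alignResults(queries, response) {
  const hits = [];
  queries.forEach((q, i) => {
    const vulns = (response.results[i] && response.results[i].vulns) || [];
    for (const v of vulns) {
      hits.push({
        package: q.package.name,
        version: q.version,
        id: v.id,
        detail: `https://api.osv.dev/v1/vulns/${v.id}`,
      });
    }
  });
  return hits;
}

// Constructed sample lockfile: a vulnerable top-level lodash and a patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.15' },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.21' },
  },
};

// Constructed sample response in querybatch's shape; an empty object means no known vulns.
const SAMPLE_RESPONSE = {
  results: [
    { vulns: [{ id: 'CVE-2021-23337', modified: '2024-01-01T00:00:00Z' }] },
    {},
  ],
};

function runSample() {
  const queries = lockfileToQueries(SAMPLE_LOCK);
  return { queries, requests: buildRequests(queries), hits: alignResults(queries, SAMPLE_RESPONSE) };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The nested copy matters: npm may install two versions of the same package, and a scanner that only reads `package.json` would miss the vulnerable one, so the lockfile is the right input. The `detail` URL is where the per-vulnerability severity and fixed-version data for the report's `dependencies` entries has to come from.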

GitHub Actions Integration

The original extension supports PR analysis via GitHub Actions. This skill includes an equivalent workflow template:

.github/workflows/security.yml

```yaml
name: Security Analysis
on: [pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run security analysis
        run: node .claude/skills/gemini-cli-security/scripts/main.cjs --target . --json
```

As written the step only produces the JSON report. For it to act as a merge gate, the step has to fail the job: either the script must exit non-zero when findings reach a chosen severity, or a following step must read the `summary` counts from the JSON output and fail on them.

Implementation Notes

Why native tools over MCP servers: The original extension uses two MCP servers (security analysis server + OSV-Scanner binary). This skill uses native Claude Code tools instead:

  • WebFetch replaces OSV-Scanner for dependency CVE lookups (OSV.dev has a public REST API)

  • Grep/Bash replace the security analysis server for pattern-based detection

  • This approach works immediately without binary installation or session restart

Deviation from source: The original uses Gemini AI for code analysis; this skill uses the pattern-based detection methodology documented in the extension's benchmarking. The AI analysis component can be provided by the invoking agent (security-architect) rather than an embedded AI call.

Assigned Agents

Agent Role

security-architect

Primary: comprehensive security audits

developer

Supporting: pre-commit security checks

code-reviewer

Supporting: PR review security layer

Memory Protocol (MANDATORY)

Before starting: Read .claude/context/memory/learnings.md

After completing:

  • New vulnerability pattern found -> .claude/context/memory/learnings.md

  • Issue with scanning -> .claude/context/memory/issues.md

  • Decision about scope -> .claude/context/memory/decisions.md

ASSUME INTERRUPTION: If it's not in memory, it didn't happen.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

  • auth-security-expert (Security): No summary provided by upstream source. Source: repository; trust label: Needs Review

  • tauri-security-rules (Security): No summary provided by upstream source. Source: repository; trust label: Needs Review

  • security-architect (Security): No summary provided by upstream source. Source: repository; trust label: Needs Review