appsec skills
Production-ready AI AppSec skills for SAST, threat modeling, remediation, PR security review, and serialization abuse analysis.
Overview
eresus-sast-scanner is the core skill in the Eresus Security AppSec suite for AI coding agents such as OpenAI Codex and Claude Code. It is designed to help agents review source code with a structured, evidence-first security workflow instead of loose pattern matching.
The suite focuses on practical application security work:
- full-repository or targeted SAST scanning
- threat modeling for new features and services
- PR and diff-focused security review
- remediation of confirmed findings
- deep analysis of serialization and deserialization attack surface
Supported language families include Java, Python, JavaScript/TypeScript, PHP, and .NET.
Included Skills
| Skill | Primary Use |
|------|-------------|
| eresus-sast-scanner | Full-repo or targeted SAST scan across 34 vulnerability classes |
| eresus-manual-security-audit | Manual security code review with exploit-chain discovery, adversarial reasoning, and trust boundary analysis |
| eresus-remediator | Patch confirmed findings with root-cause-focused fixes |
| eresus-pr-security-review | Review PRs and changed files for newly introduced security issues |
| eresus-threat-modeler | Model attack paths, trust boundaries, and high-risk workflows before scanning or implementation |
| eresus-serialization-review | Deep review of deserialization, parser abuse, object mapping, and state-transfer risks |
| eresus-variant-analysis | GHSA/CVE variant analysis — find all instances of a known vulnerability pattern across the codebase |
| eresus-codeql-heuristics | Language-specific sink/source reference derived from CodeQL Community Packs query suites |
| eresus-deser-audit | Deserialization gadget chain knowledge and exploitation methodology for all major languages |
| eresus-python-audit | Python-specific audit with full Bandit B101-B704 coverage, Django/Flask/FastAPI checks, and ML attack surface |
| eresus-php-audit | PHP-specific audit with Kunlun-M CVI rules, POP chain discovery, and Laravel/WordPress/Symfony checks |
Why This Suite
This suite is built around a simple principle: security findings should be tied to a believable exploit path.
Instead of stopping at suspicious strings, the core scanner pushes the agent to:
- identify attacker-controlled sources
- trace tainted data through the codebase
- verify that it reaches a dangerous sink
- challenge the finding with a Judge step to reduce false positives
- produce actionable remediation guidance
That makes it useful not only for vulnerability hunting, but also for patching, design review, and PR gating.
Quick Start
Recommended repository name: appsec-skills
Install via npx (Recommended)
# Interactive — prompts you to select your agent
npx @eresus/appsec-skills
# Direct — specify your agent
npx @eresus/appsec-skills --agent claude
npx @eresus/appsec-skills --agent codex
npx @eresus/appsec-skills --agent antigravity
npx @eresus/appsec-skills --agent cursor
# Install specific skills only
npx @eresus/appsec-skills --agent claude --skills sast,audit,threat
# Custom directory
npx @eresus/appsec-skills --dir /path/to/your/skills
# List available skills
npx @eresus/appsec-skills --list
Install From Git
# Claude Code
git clone https://github.com/EresusSecurity/appsec-skills.git
cp -r appsec-skills/skills/eresus-sast-scanner/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-manual-security-audit/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-remediator/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-pr-security-review/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-threat-modeler/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-serialization-review/ ~/.claude/skills/
# OpenAI Codex
git clone https://github.com/EresusSecurity/appsec-skills.git
cp -r appsec-skills/skills/eresus-sast-scanner/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-manual-security-audit/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-remediator/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-pr-security-review/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-threat-modeler/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-serialization-review/ ~/.codex/skills/
Manual Install
Copy the skill directories you want into your agent's skills folder:
# Claude Code
cp -r skills/eresus-sast-scanner/ ~/.claude/skills/
cp -r skills/eresus-manual-security-audit/ ~/.claude/skills/
cp -r skills/eresus-remediator/ ~/.claude/skills/
cp -r skills/eresus-pr-security-review/ ~/.claude/skills/
cp -r skills/eresus-threat-modeler/ ~/.claude/skills/
cp -r skills/eresus-serialization-review/ ~/.claude/skills/
# OpenAI Codex
cp -r skills/eresus-sast-scanner/ ~/.codex/skills/
cp -r skills/eresus-manual-security-audit/ ~/.codex/skills/
cp -r skills/eresus-remediator/ ~/.codex/skills/
cp -r skills/eresus-pr-security-review/ ~/.codex/skills/
cp -r skills/eresus-threat-modeler/ ~/.codex/skills/
cp -r skills/eresus-serialization-review/ ~/.codex/skills/
Recommended Usage
| Goal | Recommended Skill |
|------|-------------------|
| Audit a repository for security bugs | eresus-sast-scanner |
| Deep manual audit with exploit-chain discovery | eresus-manual-security-audit |
| Review a pull request or changed files | eresus-pr-security-review |
| Patch a confirmed vulnerability | eresus-remediator |
| Threat model a new feature or service | eresus-threat-modeler |
| Audit Jackson, Fastjson, YAML, XML, cookies, sessions, or queue payloads | eresus-serialization-review |
Core Scanner Workflow
The main scanner skill follows a structured six-step process:
- Understand scope: Determine whether the target is a file, module, endpoint, service, or full repository.
- Load relevant knowledge: Pull in the vulnerability knowledge files relevant to the language, framework, and attack surface.
- Trace source-to-sink flow: Track attacker-controlled input through transformations into sensitive operations.
- Check business logic and authorization: Look beyond injection bugs for IDOR, privilege issues, race conditions, token misuse, and trust-boundary problems.
- Judge every candidate finding: Re-check reachability, sanitization, framework protections, and exploitability before reporting.
- Report actionable findings: Output precise file locations, impact, evidence, and fix guidance.
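The source-to-sink and Judge steps above, shown as a small added example; this is not code from the appsec-skills repository. The sample handlers, `scan`, and the `SANITIZERS` set are constructed for illustration, and the tracing is deliberately limited to straight-line code inside one function.

```python
import ast
# Constructed sample target: only the first handler is exploitable.
SAMPLE = '''
def user_by_name(request, cur):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)

def user_by_id(request, cur):
    uid = int(request.args.get("id"))
    cur.execute("SELECT * FROM users WHERE id = %d" % uid)

def user_param(request, cur):
    name = request.args.get("name")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''
SANITIZERS = {"int"}  # assumption: a numeric cast neutralises SQL metacharacters

def is_source(node):
    # Source: any expression that reads request.args (attacker-controlled)
    return any(isinstance(n, ast.Attribute) and n.attr == "args"
               and isinstance(n.value, ast.Name) and n.value.id == "request"
               for n in ast.walk(node))

def names(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def scan(source):
    # Returns (function, line, verdict) for each execute() whose query text uses request data
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted, clean = set(), set()
        for stmt in fn.body:  # straight-line, intra-procedural tracing only
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                target, val = stmt.targets[0].id, stmt.value
                if is_source(val) or names(val) & tainted:
                    cast = (isinstance(val, ast.Call) and isinstance(val.func, ast.Name)
                            and val.func.id in SANITIZERS)
                    (clean if cast else tainted).add(target)
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr == "execute" and call.args):
                    sql = call.args[0]  # the sink is the query text, not bound parameters
                    if is_source(sql) or names(sql) & tainted:
                        findings.append((fn.name, call.lineno, "confirmed"))
                    elif names(sql) & clean:  # Judge: value reached the sink sanitized
                        findings.append((fn.name, call.lineno, "dismissed: sanitized"))
    return findings
```

`scan(SAMPLE)` confirms the concatenated query, records the `int()`-cast query as a dismissed candidate, and raises nothing for the parameterized call because request data never enters the query text.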
Vulnerability Coverage
The core scanner includes built-in knowledge for 34 vulnerability classes.
Injection
| File | Coverage |
|------|----------|
| sql_injection.md | SQL Injection |
| xss.md | Cross-Site Scripting |
| ssti.md | Server-Side Template Injection |
| nosql_injection.md | NoSQL Injection |
| graphql_injection.md | GraphQL Injection / Introspection Abuse |
| xxe.md | XML External Entity |
| rce.md | Remote Code Execution / Command Injection |
| expression_language_injection.md | Expression Language Injection |
Access Control And Auth
| File | Coverage |
|------|----------|
| idor.md | Insecure Direct Object Reference |
| privilege_escalation.md | Privilege Escalation |
| authentication_jwt.md | JWT Weaknesses and Authentication Flaws |
| default_credentials.md | Hardcoded or Default Credentials |
| brute_force.md | Brute Force and Missing Rate Limiting |
| business_logic.md | Business Logic Flaws |
| http_method_tamper.md | HTTP Method Tampering |
| verification_code_abuse.md | Verification Code Abuse |
| session_fixation.md | Session Fixation |
Data Exposure And Crypto
| File | Coverage |
|------|----------|
| weak_crypto_hash.md | Weak Cryptography, Weak Hashing, Weak Randomness |
| information_disclosure.md | Sensitive Information Disclosure |
| insecure_cookie.md | Insecure Cookie Flags |
| trust_boundary.md | Trust Boundary Violations |
Server-Side And Parser Risk
| File | Coverage |
|------|----------|
| ssrf.md | Server-Side Request Forgery |
| path_traversal_lfi_rfi.md | Path Traversal, LFI, RFI |
| insecure_deserialization.md | Insecure Deserialization |
| arbitrary_file_upload.md | Arbitrary File Upload |
| jndi_injection.md | JNDI Injection |
| race_conditions.md | Race Conditions and TOCTOU |
Protocol And Infrastructure
| File | Coverage |
|------|----------|
| csrf.md | Cross-Site Request Forgery |
| open_redirect.md | Open Redirect |
| smuggling_desync.md | HTTP Request Smuggling / Desync |
| denial_of_service.md | Resource Exhaustion and Denial of Service |
| cve_patterns.md | High-Risk CVE-Style Code Patterns |
Language And Platform
| File | Coverage |
|------|----------|
| php_security.md | PHP-Specific Security Risks |
| mobile_security.md | Android and iOS Security Risks |
Professional Usage Patterns
- Use eresus-threat-modeler before auditing large features so the scan starts from the right trust boundaries.
- Use eresus-manual-security-audit for depth-first adversarial review of security-critical components — auth, callbacks, middleware, tool execution, and trust boundaries.
- Use eresus-manual-security-audit with the [TeachMe] token to train junior engineers on secure coding patterns while performing a real audit.
- Use eresus-pr-security-review during code review to focus on newly introduced attack surface instead of re-auditing the whole repository.
- Use eresus-remediator after a confirmed finding to drive minimal, production-safe patches.
- Use eresus-serialization-review when the system relies on session blobs, queues, import/export features, or dynamic parser configuration.
- Run more than one scan round for large codebases when you want better recall and more stable reporting.
Benchmarks
Benchmark numbers are reference values and may vary by model configuration, prompt strategy, and available context.
Multi-Agent Plus Skill — Claude Opus 4.6 High — 2026-03-27
4 Java benchmark projects were scanned in parallel using 4 agents with the full scanner workflow and Judge verification enabled.
| Project | Recall | Precision | F1 | TP | FN | FP |
|---------|:------:|:---------:|:--:|:--:|:--:|:--:|
| JavaSecLab | 1.000 | 0.958 | 0.979 | 23 | 0 | 1 |
| SecExample | 1.000 | 1.000 | 1.000 | 9 | 0 | 0 |
| VulnerableApp | 1.000 | 1.000 | 1.000 | 10 | 0 | 0 |
| verademo | 1.000 | 1.000 | 1.000 | 14 | 0 | 0 |
| Global | 1.000 | 0.982 | 0.991 | 56 | 0 | 1 |
Multi-Agent Plus Skill — GPT-5.4 High — 2026-03-27
| Project | Recall | Precision | F1 | TP | FN | FP |
|---------|:------:|:---------:|:--:|:--:|:--:|:--:|
| JavaSecLab | 0.957 | 1.000 | 0.978 | 22 | 1 | 0 |
| SecExample | 0.889 | 1.000 | 0.941 | 8 | 1 | 0 |
| VulnerableApp | 0.900 | 0.900 | 0.900 | 9 | 1 | 1 |
| verademo | 0.929 | 1.000 | 0.963 | 13 | 1 | 0 |
| Global | 0.929 | 0.981 | 0.954 | 52 | 4 | 1 |
Repository Structure
appsec-skills/
├── README.md
├── LICENSE
├── package.json
├── assets/
│   ├── eresus-banner.svg
│   └── eresus-logo.svg
├── scripts/
│   └── install.mjs
└── skills/
    ├── eresus-sast-scanner/
    │   ├── SKILL.md
    │   └── references/
    ├── eresus-manual-security-audit/
    │   └── SKILL.md
    ├── eresus-remediator/
    │   └── SKILL.md
    ├── eresus-pr-security-review/
    │   └── SKILL.md
    ├── eresus-threat-modeler/
    │   └── SKILL.md
    └── eresus-serialization-review/
        └── SKILL.md
Maintained By
Maintained under the EresusSecurity GitHub organization:
Contributing
Contributions that improve detection quality, reduce false positives, or strengthen language-specific coverage are welcome.
License
Apache License 2.0