Skip to content

Commit 4c1d7dc

Browse files
fidgetcodingruvnet
andcommitted
Add Step 9 (Safety Check) + security hardening across the board
- New Step 9: installs /safetycheck Claude Code skill for security auditing - /safetycheck scans any project for exposed keys, rate limiting gaps, input sanitization issues, dependency vulns, and more (8 checks) - Fix command injection in github-safe.js (execSync -> execFileSync) - Fix shell expansion in step-6 credential write (heredoc -> printf) - Expand .gitignore with .env, *.pem, *.key, node_modules patterns - Add SECURITY.md with vulnerability disclosure policy - Add Dependabot for GitHub Actions dependencies - Add ShellCheck CI workflow for shell script linting - Update update.sh, uninstall.sh, README, CHEATSHEET with Step 9 - Add /safetycheck to skills list in CHEATSHEET and README Co-Authored-By: claude-flow <ruv@ruv.net>
1 parent 02fb810 commit 4c1d7dc

11 files changed

Lines changed: 626 additions & 12 deletions

File tree

.github/dependabot.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
labels:
8+
- "dependencies"

.github/workflows/lint.yml

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
name: Lint Shell Scripts
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
9+
jobs:
10+
shellcheck:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- uses: actions/checkout@v4
14+
- name: Run ShellCheck
15+
uses: ludeeus/action-shellcheck@2.0.0
16+
with:
17+
scandir: '.'
18+
severity: warning
19+
ignore_paths: terminal-academy node_modules

.gitignore

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,3 +4,20 @@
44
.mcp.json
55
CLAUDE.md
66
.DS_Store
7+
8+
# Environment / secrets
9+
.env
10+
.env.*
11+
.env.local
12+
.env.production
13+
.env.development
14+
15+
# Private keys and certificates
16+
*.pem
17+
*.key
18+
*.cert
19+
*.p12
20+
*.pfx
21+
22+
# Node (defensive — step scripts may install deps)
23+
node_modules/

CHEATSHEET.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -96,9 +96,10 @@ These are custom skills installed by the setup scripts. Type them inside a Claud
9696
| `/rmini do the thing` | Step 3 | Launch a compact 5-agent swarm — same power, tighter team |
9797
| `/rhive <goal>` | Step 3 | Launch a queen-led autonomous hive-mind with raft consensus |
9898
| `/w4w` | Step 3 | Maximum attention to detail — word for word, line for line. No skipping, no summarizing. Also works without the slash — just type `w4w` |
99+
| `/safetycheck` | Step 9 | Security audit — scans any project for exposed keys, missing rate limiting, input sanitization gaps, dependency vulnerabilities, and insecure configurations. Also responds to "run a safety check" in plain English |
99100

100101

101-
> These are **explicit triggers** — you type the command to activate the skill. This is different from the auto-triggered tools below, which respond to natural language. Exception: `/w4w` also works without the slash — just type `w4w` anywhere in your message. `/rmini` is the compact version of `/rswarm` — 5 agents instead of 15.
102+
> These are **explicit triggers** — you type the command to activate the skill. This is different from the auto-triggered tools below, which respond to natural language. Exception: `/w4w` also works without the slash — just type `w4w` anywhere in your message. `/rmini` is the compact version of `/rswarm` — 5 agents instead of 15. `/safetycheck` also works in natural language.
102103
103104
---
104105

@@ -125,7 +126,7 @@ These activate on their own when Claude detects a relevant task via natural lang
125126
| Excalidraw | Add-on | Natural language — diagrams, flowcharts, whiteboard sketches | "Draw a system architecture diagram" |
126127
| Gamma | Add-on | Natural language — presentations, documents, webpages | "Create a pitch deck for my startup" |
127128

128-
> **Key distinction:** Slash commands (`/rswarm`, `/rmini`, `/rhive`, `/w4w`) require you to type the command. Everything in this table works by just talking to Claude naturally.
129+
> **Key distinction:** Slash commands (`/rswarm`, `/rmini`, `/rhive`, `/w4w`, `/safetycheck`) require you to type the command. Everything in this table works by just talking to Claude naturally.
129130
>
130131
> **Add-on tools** are not part of the step-by-step setup — they're optional MCP servers you can connect separately. Claude auto-detects them when they're installed.
131132

README.md

Lines changed: 49 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ Everything you need to start working with AI-powered development tools, installe
2020
| [Step 6](#step-6---productivity-tools) | Productivity Tools | Motion Calendar + Notion (pick what you use) | ~5 min |
2121
| [Step 7](#step-7---second-brain-obsidian) | Second Brain (Obsidian) | Personal knowledge management system | ~30+ min |
2222
| [Step 8](#step-8---telegram) | Telegram | Message Claude from your phone via Telegram bot | ~2 min |
23+
| [Step 9](#step-9---safety-check) | Safety Check | Security auditing — scan any project for vulnerabilities | ~2 min |
2324
| [Final Step](#final-step---status-line) | Status Line | Final config — status indicators wired up | ~2 min |
2425
| [You're Ready](#youre-ready) | **Start here after setup** | Your daily command and what to do next | |
2526
| [Video Tutorials (coming soon)](#video-tutorials-coming-soon) | Walkthroughs | Shows you exactly how to do everything, screen by screen | |
@@ -85,6 +86,8 @@ Run the steps in order. Each one builds on the last.
8586
8687
**[Step 8](#step-8---telegram)** connects Claude to Telegram so you can message it straight from your phone. You create a free bot through Telegram (takes about two minutes), the script handles the rest, and then you use `ctg` or `cbraintg` to launch Claude with Telegram connected — messages show up in your session in real time. This step is completely optional; everything else works without it.
8788
89+
**[Step 9](#step-9---safety-check)** installs a security auditing skill that lets Claude scan any project for exposed keys, missing rate limiting, input sanitization gaps, dependency vulnerabilities, and more. Just point Claude at a project and ask it to run a safety check. It catches the stuff that slips through code review.
90+
8891
**[Final Step](#final-step---status-line)** is the wrap-up. It installs a custom status line that shows you what's active at a glance — your vault, MCP connection, design tools, and any running swarms, mini swarms, or hive-minds. It also runs a final verification to make sure every command and tool from the cheat sheet is installed and working.
8992
9093
After the Final Step, head to **[You're Ready](#youre-ready)** — it tells you the one command you need going forward and what to do next.
@@ -1031,6 +1034,48 @@ Open a new terminal and run `ctg` to launch Claude with Telegram connected. Insi
10311034
10321035
---
10331036
1037+
## Step 9 - Safety Check
1038+
1039+
[Back to top](#quick-nav)
1040+
1041+
This step installs a security auditing skill that lets Claude scan any project for vulnerabilities. Exposed API keys, missing rate limiting, input sanitization gaps, dependency vulnerabilities, insecure configurations — the stuff that slips through code review. You point Claude at a project and tell it to run a safety check. It does the rest.
1042+
1043+
### What It Does
1044+
1045+
The `/safetycheck` skill gives Claude a structured security audit framework. Instead of asking Claude to "look for security issues" and hoping for the best, this skill runs a systematic scan across the categories that actually matter:
1046+
1047+
- **Exposed secrets.** API keys, tokens, passwords, and credentials hardcoded in source files or committed to git.
1048+
- **Missing rate limiting.** Endpoints that accept unlimited requests without throttling.
1049+
- **Input sanitization gaps.** User input that flows into queries, commands, or file paths without validation.
1050+
- **Dependency vulnerabilities.** Known CVEs in your npm, pip, or other package dependencies.
1051+
- **Insecure configurations.** CORS misconfigurations, debug mode left on in production, permissive file permissions, and more.
1052+
1053+
This isn't a replacement for a full security audit. It's a first line of defense — the kind of check you should run before every deploy, every PR, every time you hand code off to someone else.
1054+
1055+
### Run Step 9
1056+
1057+
You should still have a Claude session open. If you closed it, open your terminal and type `cskip` to start a new Claude session.
1058+
1059+
Once you're inside the Claude session, paste this and hit Enter:
1060+
1061+
> [!IMPORTANT]
1062+
> **Paste this into your Claude session:**
1063+
> ```
1064+
> run this command to install the safety check skill: bash <(curl -fsSL https://raw.githubusercontent.com/lorecraft-io/cli-maxxing/main/step-9/step-9-install.sh)
1065+
> ```
1066+
1067+
### What This Step Installs
1068+
1069+
| Component | What it does |
1070+
|-----------|-------------|
1071+
| Safety Check Skill (`/safetycheck`) | A Claude Code skill that runs structured security audits on any project — exposed keys, missing rate limiting, input sanitization gaps, dependency vulnerabilities, and insecure configurations. |
1072+
1073+
### After Step 9
1074+
1075+
Open any project in Claude and type `/safetycheck` to run a security audit. Claude will scan the project and report what it finds, organized by severity. You can also just ask Claude to "run a safety check on this project" in plain English and the skill kicks in automatically.
1076+
1077+
---
1078+
10341079
## Final Step - Status Line
10351080
10361081
[Back to top](#quick-nav)
@@ -1106,7 +1151,7 @@ That's it. `cbrain` opens Claude Code directly inside your 2ndBrain vault with a
11061151
**What `cbrain` gives you:**
11071152
- Drops you into your Obsidian vault automatically — no `cd`-ing around
11081153
- All permissions skipped — Claude acts immediately, no approval prompts
1109-
- Full access to everything: `/rswarm`, `/rmini`, `/rhive`, `/w4w`, Ruflo, Context Hub, Motion Calendar, Notion, Obsidian, design tools, video tools — all of it
1154+
- Full access to everything: `/rswarm`, `/rmini`, `/rhive`, `/w4w`, `/safetycheck`, Ruflo, Context Hub, Motion Calendar, Notion, Obsidian, design tools, video tools — all of it
11101155
- Your status line shows what's active at a glance
11111156
11121157
**When to use something else:**
@@ -1136,9 +1181,10 @@ Run the steps in this order:
11361181
| 6 | Productivity Tools | Motion Calendar + Notion (optional) |
11371182
| 7 | Second Brain | Obsidian vault setup + data import (7a-7d) |
11381183
| 8 | Telegram | Telegram bot setup — message Claude from your phone |
1184+
| 9 | Safety Check | Security auditing — scan projects for exposed keys, vulnerabilities, and more |
11391185
| **Final** | **Status Line** | **Final config — status indicators, system health check** |
11401186
1141-
> **Note:** Step 6 (Productivity Tools) is all optional — install only the tools you use. Step 7 (Second Brain) is the biggest step with four sub-parts (7a-7d). Step 8 (Telegram) is interactive — it walks you through creating a bot and pasting your token. The Final Step (Status Line) is the wrap-up — it wires your status indicators to show what's active across all the tools you installed.
1187+
> **Note:** Step 6 (Productivity Tools) is all optional — install only the tools you use. Step 7 (Second Brain) is the biggest step with four sub-parts (7a-7d). Step 8 (Telegram) is interactive — it walks you through creating a bot and pasting your token. Step 9 (Safety Check) installs a security auditing skill for scanning projects. The Final Step (Status Line) is the wrap-up — it wires your status indicators to show what's active across all the tools you installed.
11421188
11431189
---
11441190
@@ -1182,7 +1228,7 @@ If you need to remove everything installed by this setup, the uninstall script r
11821228
**What it removes:**
11831229
- Claude Code + shell aliases (cskip, ctg, cc, ccr, ccc, cbrain, cbraintg)
11841230
- All MCP servers (Ruflo, claude-flow, Magic, YouTube Transcript, yt-dlp, Whisper, Obsidian, Motion Calendar, Notion)
1185-
- All skills (rswarm, rmini, rhive, w4w, get-api-docs, UI/UX Pro Max, Remotion)
1231+
- All skills (rswarm, rmini, rhive, w4w, get-api-docs, UI/UX Pro Max, Remotion, safetycheck)
11861232
- Dev tools (pandoc, jq, ripgrep, gh, tree, fzf, wget, weasyprint, ffmpeg, xlsx2csv, poppler)
11871233
- Whisper models (~/.whisper/)
11881234
- Motion Calendar config (~/.motion-calendar-mcp/)

SECURITY.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
|---------|-----------|
7+
| latest | Yes |
8+
9+
## Reporting a Vulnerability
10+
11+
If you discover a security vulnerability, please report it responsibly:
12+
13+
1. **Do NOT open a public GitHub issue.**
14+
2. Email: nate@lorecraft.io
15+
3. Include: description of the vulnerability, steps to reproduce, and potential impact.
16+
4. You will receive acknowledgment within 48 hours.
17+
18+
## Credential Handling
19+
20+
CLI-MAXXING install scripts collect API credentials interactively and store them in local config files with restrictive permissions (`chmod 600`). Credentials are never committed to this repository.
21+
22+
**Stored credentials and their locations:**
23+
- Motion Calendar: `~/.motion-calendar-mcp/.env`
24+
- Telegram Bot: `~/.claude/channels/telegram/.env`
25+
26+
## Scope
27+
28+
- Shell scripts in this repository
29+
- Installation workflows
30+
- GitHub Actions workflows

step-6/step-6-install.sh

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -141,12 +141,12 @@ install_motion_calendar() {
141141

142142
# Write config
143143
mkdir -p "$HOME/.motion-calendar-mcp"
144-
cat > "$HOME/.motion-calendar-mcp/.env" <<ENVEOF
145-
MOTION_API_KEY=${MOTION_API_KEY}
146-
FIREBASE_API_KEY=${FIREBASE_API_KEY}
147-
FIREBASE_REFRESH_TOKEN=${FIREBASE_REFRESH_TOKEN}
148-
MOTION_USER_ID=${MOTION_USER_ID}
149-
ENVEOF
144+
{
145+
printf 'MOTION_API_KEY=%s\n' "$MOTION_API_KEY"
146+
printf 'FIREBASE_API_KEY=%s\n' "$FIREBASE_API_KEY"
147+
printf 'FIREBASE_REFRESH_TOKEN=%s\n' "$FIREBASE_REFRESH_TOKEN"
148+
printf 'MOTION_USER_ID=%s\n' "$MOTION_USER_ID"
149+
} > "$HOME/.motion-calendar-mcp/.env"
150150

151151
chmod 600 "$HOME/.motion-calendar-mcp/.env"
152152

step-9/safetycheck-skill/SKILL.md

Lines changed: 182 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,182 @@
1+
# Security Safety Check
2+
3+
When this skill is invoked, run a comprehensive security audit on the current working directory. Detect the project type automatically and run all applicable checks.
4+
5+
## Invocation
6+
7+
This skill activates when the user types `/safetycheck`, or says "run a safety check", "security audit", "safetycheck", or "check this project for security issues".
8+
9+
## Execution
10+
11+
### Step 1 — Detect Project Type
12+
13+
Determine what kind of project this is by checking for:
14+
- `package.json` → Node.js
15+
- `requirements.txt` / `pyproject.toml` → Python
16+
- `*.sh` files at root → Shell scripts
17+
- `Cargo.toml` → Rust
18+
- `go.mod` → Go
19+
- If none match, treat as generic and run filesystem-level checks only
20+
21+
### Step 2 — Run All 8 Security Checks
22+
23+
Run each check against the current working directory. Use Grep, Read, Glob, and Bash tools. Report findings in a severity-rated table at the end.
24+
25+
---
26+
27+
#### Check 1: Exposed API Keys
28+
29+
Scan source files and git history for hardcoded secrets.
30+
31+
**Source scan** — Grep all source files for these patterns:
32+
- `AIzaSy[a-zA-Z0-9_-]{30,}` (Firebase/Google API keys)
33+
- `sk-[a-zA-Z0-9]{20,}` (OpenAI keys)
34+
- `pk_live_`, `sk_live_`, `pk_test_`, `sk_test_` (Stripe keys)
35+
- `ghp_[a-zA-Z0-9]{36}`, `gho_`, `github_pat_` (GitHub tokens)
36+
- `AKIA[0-9A-Z]{16}` (AWS access keys)
37+
- `xox[bpsa]-[a-zA-Z0-9-]+` (Slack tokens)
38+
- Hardcoded `Bearer` tokens with actual values
39+
- Any `password = "..."` or `secret = "..."` with literal values (not env vars)
40+
41+
Exclude: test fixtures, example files, regex patterns in security scanners, `.env.example` files with placeholder values.
42+
43+
**Git history scan** — Run:
44+
```bash
45+
git log -p --all -S "API_KEY" -S "SECRET" -S "TOKEN" -S "sk-" --max-count=30 2>/dev/null | grep -E "^\+" | grep -ivE "(process\.env|os\.environ|\.env\.example|placeholder|your_|example|test)" | head -20
46+
```
47+
48+
**Tracked .env check** — Run:
49+
```bash
50+
git ls-files 2>/dev/null | grep -iE "\.env$"
51+
```
52+
53+
**Severity**: CRITICAL if real keys found in source or git history. HIGH if .env is tracked. PASS if clean.
54+
55+
---
56+
57+
#### Check 2: Rate Limiting
58+
59+
**Detect endpoints** — Grep for: `express`, `fastify`, `http.createServer`, `app.listen`, `app.get(`, `app.post(`, `router.`
60+
61+
**If endpoints exist**, check for rate limiting:
62+
- Grep for: `rate-limit`, `rateLimit`, `throttle`, `@upstash/ratelimit`, `bottleneck`, `p-queue`
63+
- Check package.json dependencies for rate-limit packages
64+
65+
**Detect outbound APIs** — Grep for: `fetch(`, `axios`, `http.request`, `got(`
66+
- If outbound calls exist, check for retry/backoff logic and 429 handling
67+
68+
**Severity**: HIGH if public endpoints exist without rate limiting. MEDIUM if outbound APIs lack 429 handling. N/A if no endpoints.
69+
70+
---
71+
72+
#### Check 3: Input Sanitization
73+
74+
Scan for dangerous patterns:
75+
- `eval(` with non-constant arguments
76+
- `execSync(` or `exec(` with string concatenation (not `execFileSync` with array)
77+
- `innerHTML` assignments without `escapeHtml` or DOMPurify
78+
- SQL queries built with string concatenation (`"SELECT * FROM " + table`)
79+
- Template literals in URL paths with unsanitized variables: `` `/api/${userInput}` ``
80+
- `child_process.exec(` with template literals or string concat
81+
- `dangerouslySetInnerHTML` without sanitization
82+
- `source` of untrusted files in shell scripts
83+
84+
Check for validation:
85+
- Grep for: `zod`, `joi`, `yup`, `ajv`, `validator`, `encodeURIComponent`, `escapeHtml`, `sanitize`
86+
87+
**Severity**: CRITICAL for eval/exec with user input. HIGH for unsanitized URL paths. MEDIUM for missing validation library. PASS if clean.
88+
89+
---
90+
91+
#### Check 4: RLS / Database Security
92+
93+
**Detect database usage** — Check package.json and source for: `supabase`, `prisma`, `drizzle`, `knex`, `sequelize`, `typeorm`, `pg`, `mysql`, `sqlite`, `mongoose`, `mongodb`
94+
95+
**If Supabase**: Check for migration files, look for `ENABLE ROW LEVEL SECURITY` in SQL files, check for policy definitions.
96+
97+
**If any database**: Check for parameterized queries vs string concatenation.
98+
99+
**Severity**: CRITICAL if database found without RLS/access control. HIGH if queries use string concat. N/A if no database.
100+
101+
---
102+
103+
#### Check 5: Dependency Vulnerabilities
104+
105+
**Node.js**: Run `npm audit --json 2>/dev/null` — parse results for high/critical vulnerabilities.
106+
**Python**: Run `pip audit 2>/dev/null` if available.
107+
**Check lockfile**: Verify `package-lock.json`, `yarn.lock`, or equivalent exists.
108+
**Check outdated**: Run `npm outdated 2>/dev/null | head -10`
109+
110+
**Severity**: CRITICAL if known high/critical vulns. MEDIUM if no lockfile. LOW if outdated packages. PASS if clean.
111+
112+
---
113+
114+
#### Check 6: Gitignore Hygiene
115+
116+
Read `.gitignore` and verify it includes:
117+
- `.env` and `.env.*`
118+
- `*.pem`, `*.key`, `*.cert`
119+
- `node_modules/` (Node.js)
120+
- `.DS_Store`
121+
- IDE folders (`.vscode/`, `.idea/`)
122+
123+
Check for files that SHOULD be ignored but are tracked:
124+
```bash
125+
git ls-files 2>/dev/null | grep -iE "\.(env|pem|key|cert|p12|pfx|keystore)$"
126+
```
127+
128+
If the project is published to npm, check for `files` field in package.json or `.npmignore`.
129+
130+
**Severity**: HIGH if .env not in .gitignore. MEDIUM if *.pem/*.key missing. LOW if minor patterns missing. PASS if complete.
131+
132+
---
133+
134+
#### Check 7: CI/CD and GitHub Security
135+
136+
Check for:
137+
- `.github/workflows/` directory — any CI at all?
138+
- `.github/dependabot.yml` — automated dependency updates?
139+
- `SECURITY.md` — vulnerability disclosure policy?
140+
- `.github/CODEOWNERS` — code ownership rules?
141+
- Branch protection (if `gh` CLI available): `gh api repos/{owner}/{repo}/branches/main/protection 2>/dev/null`
142+
143+
**Severity**: HIGH if no CI/CD and project has dependencies. MEDIUM if missing dependabot or SECURITY.md. LOW if missing CODEOWNERS. PASS if all present.
144+
145+
---
146+
147+
#### Check 8: Error Handling
148+
149+
Scan for patterns that leak internal details:
150+
- `res.text()` or `res.json()` results thrown directly in error messages
151+
- `catch (e) { res.send(e.message) }` or `catch (e) { return e.stack }`
152+
- `console.error` of full error objects in production code paths
153+
- Error responses that include raw API response bodies
154+
155+
**Severity**: MEDIUM if raw error bodies are exposed to users. LOW if only logged to console. PASS if errors are sanitized.
156+
157+
---
158+
159+
### Step 3 — Report Findings
160+
161+
Output a markdown table:
162+
163+
```
164+
| # | Check | Status | Findings |
165+
|---|-------|--------|----------|
166+
| 1 | Exposed API Keys | PASS/CRITICAL/HIGH/MEDIUM/LOW | Details... |
167+
| 2 | Rate Limiting | ... | ... |
168+
| ... | ... | ... | ... |
169+
```
170+
171+
Then list specific findings with file paths and line numbers.
172+
173+
### Step 4 — Offer Fixes
174+
175+
For each finding that has an auto-fixable solution, offer to fix it:
176+
- Missing .gitignore patterns → offer to add them
177+
- Missing SECURITY.md → offer to create one
178+
- Missing dependabot.yml → offer to create one
179+
- execSync with string concat → offer to replace with execFileSync
180+
- Missing input validation → offer to add validation functions
181+
182+
Ask the user before making any changes.

0 commit comments

Comments
 (0)