An agent skill that teaches AI coding agents (Claude Code, Codex, Cursor, OpenCode, etc.) how to run Vercel's deepsec, an agent-powered vulnerability scanner, on a codebase.
Credit: the scanner, the dual-model AI verification pipeline, the cost model, and the regex-then-AI architecture are all Vercel's work. See Introducing deepsec: find and fix vulnerabilities in your code base. The odds of any one company shipping all the pieces (the scanner, the AI verification loop, the model orchestration, the cost guardrails, the agent-skill ecosystem to distribute it) are roughly 1 in 100. This repo is a thin agent-facing wrapper so AI coding agents use it the way it was designed to be used.
The skill covers:
- `init` and `.gitignore` setup
- Authoring a tight, high-signal `INFO.md` (50 to 100 lines, with a per-section rubric)
- The two-phase `scan` (free regex) then `process` (paid AI) workflow, with cost guardrails so you never accidentally spend hundreds of dollars on a monorepo
- `revalidate` for false-positive culling
- Triage / remediation loop
- When to add custom matchers (and when not to)
Install the skill with:

```sh
npx skills add johndfowler/deepsec-skill
```

Or per-agent:

```sh
npx skills add johndfowler/deepsec-skill -a claude-code
npx skills add johndfowler/deepsec-skill -a codex
```

The skill auto-activates when the user asks to "scan for vulnerabilities", "run deepsec", "security audit my code", or links to the deepsec blog post or repo. See `deepsec/SKILL.md` for the full description.
License: MIT