A community-driven registry for the Claude Code ecosystem. Not affiliated with Anthropic.
Are you the author? Sign in to claim
Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 1
Protect your apps. Protect your users. Protect your community.
-00ff41.svg){kind=icon}
Shipped by @soyenriquerocha | Built by the Tododeia community — empowering developers to ship secure software.
Cyber Neo is a comprehensive cybersecurity analysis agent that runs inside Claude Code. Point it at any project on your computer, and it performs a deep security audit — scanning your code, dependencies, secrets, infrastructure, and supply chain for vulnerabilities. It generates a professional, prioritized report with actionable remediation guidance so you can fix issues before they become incidents.
No security expertise required. Just run /cyber-neo and let the agent do the work.
Cyber Neo was built with a mission: our community at tododeia.com is building apps, tools, and products. We want to help every developer in the community protect what they're building. This agent is our contribution — open source, free, and designed to be the most thorough security scanner available as a Claude Code skill.
Most security tools require installation, configuration, and expertise to interpret results. Cyber Neo is different:
| Traditional Security Tools | Cyber Neo |
|---|---|
| Require installation and setup | Works instantly as a Claude Code skill |
| Need security expertise to interpret | Plain-language findings with code-level remediation |
| Scan one category (SAST or SCA or secrets) | Scans 11 categories in one run |
| Output raw findings without context | CWE/OWASP-classified findings with fix examples |
| Run sequentially | 5 parallel subagents for speed |
| Require paid licenses for full coverage | 100% free and open source |
Cyber Neo covers 11 security domains across every major vulnerability class:
| # | Category | What It Finds | How |
|---|---|---|---|
| 1 | Code Security (SAST) | SQL injection, XSS, command injection, code injection, path traversal, SSRF, deserialization, prototype pollution | Semgrep (optional) + Claude-native pattern analysis |
| 2 | Authentication & Authorization | Missing auth middleware, JWT misconfigurations, broken access control, IDOR, session management flaws, missing RBAC | Claude-native analysis using auth-authz-patterns.md |
| 3 | Cryptographic Security | Weak algorithms (MD5, SHA1, DES, RC4), hardcoded keys/IVs, TLS bypass, insecure random, weak key lengths | Claude-native analysis using crypto-patterns.md |
| 4 | Secret Detection | 60+ regex patterns: AWS, GCP, Azure, GitHub, Slack, Stripe, database credentials, private keys, API keys, JWT tokens, .env files | Python batch scanner + Gitleaks (optional) |
| 5 | Dependency Vulnerabilities (SCA) | Known CVEs in npm, pip, cargo, bundler, composer, and Go dependencies | Trivy / npm audit / pip-audit / cargo-audit (optional) |
| 6 | Web Security | Missing security headers (CSP, CORS, HSTS), CSRF, cookie flags, file upload flaws, open redirects | Claude-native analysis using web-security-patterns.md |
| 7 | Supply Chain Security | Lock file integrity, dependency confusion, typosquatting, unpinned versions, malicious packages | Python lockfile checker + Claude-native analysis |
| 8 | CI/CD Security | GitHub Actions script injection, overly permissive permissions, unpinned actions, secret exposure in workflows | Claude-native analysis using cicd-security.md |
| 9 | Docker & Container Security | Root user, unpinned base images, secrets in layers, privileged containers, Docker socket exposure | Claude-native analysis using iac-docker.md |
| 10 | Error Handling | Debug mode in production, stack trace exposure, empty catch blocks, missing error boundaries | Claude-native analysis using error-handling-patterns.md |
| 11 | Logging Security | Sensitive data in logs, log injection, missing security event logging | Claude-native analysis using logging-patterns.md |
Cyber Neo maps every finding to industry standards:
| Language | Frameworks | Reference File |
|---|---|---|
| JavaScript / TypeScript | Express, Next.js, React, Vue, Angular, Fastify, NestJS, Koa, Electron | lang-javascript.md (924 lines) |
| Python | Django, Flask, FastAPI, Tornado, Starlette | lang-python.md (935 lines) |
| Any language | Generic SAST patterns (eval, exec, hardcoded creds, command injection) | Built into SKILL.md |
Coming in v0.2: Go, Ruby/Rails, Java/Spring, Rust, PHP/Laravel
cd ~/.claude/skills
git clone https://github.com/Hainrixz/cyber-neo.git
That's it. Claude Code automatically discovers the skill.
git clone https://github.com/Hainrixz/cyber-neo.git ~/projects/cyber-neo
ln -s ~/projects/cyber-neo ~/.claude/skills/cyber-neo
/plugin install cyber-neo
Marketplace availability coming soon.
Open Claude Code and type:
/cyber-neo
If installed correctly, Cyber Neo will ask you for a project path to scan.
# Scan a specific project
/cyber-neo /path/to/your/project
# Scan the current working directory
/cyber-neo .
Phase 1: Reconnaissance
Detects your tech stack, frameworks, and infrastructure
Estimates project scope and applies scanning tier
Phase 2-6: Parallel Analysis (5 subagents)
Dependency vulnerabilities (SCA)
Code security patterns (SAST)
Secret detection (60+ regex patterns)
Configuration & infrastructure checks
Supply chain & CI/CD security
Phase 7: Report Generation
Deduplicates, scores, and classifies findings
Generates professional security report
The report is saved to your Desktop:
~/Desktop/cyber-neo-report-{project-name}-{YYYY-MM-DD}.md
Every Cyber Neo report includes:
Risk Score: 67/100 (High Risk)
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 5 |
| Medium | 8 |
| Low | 3 |
| Info | 4 |
Top 3 Priority Actions:
1. Fix SQL injection in src/api/users.js:42 — use parameterized queries
2. Rotate leaked AWS key in .env — key is active and exposed
3. Add authentication to /api/admin routes — currently public
Each finding includes:
[CN-001] SQL Injection in User Query
Severity: Critical (CVSS ~9.8)
CWE: CWE-89 (SQL Injection)
OWASP: A05:2025 (Injection)
Location: src/api/users.js:42
Description: User input is directly concatenated into SQL query
without parameterization, enabling SQL injection attacks.
Evidence:
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
Remediation:
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [req.params.id]);
Cyber Neo is built as a Claude Code skill — a markdown-based prompt that orchestrates Claude's analysis capabilities. The architecture has three layers:
The SKILL.md file (563 lines) is the brain of Cyber Neo. It contains:
14 reference files totaling 10,000+ lines of security patterns:
references/
├── owasp-top-10.md # OWASP 2025 classification + scoring guide
├── cwe-top-25.md # CWE mappings with detection patterns
├── secrets-patterns.md # 60+ regex patterns for secret detection
├── auth-authz-patterns.md # JWT, sessions, RBAC, IDOR patterns
├── crypto-patterns.md # Weak crypto, hardcoded keys, TLS bypass
├── web-security-patterns.md # Headers, CORS, CSRF, SSRF, uploads, redirects
├── error-handling-patterns.md # Debug mode, stack traces, empty catches
├── logging-patterns.md # Sensitive data in logs, log injection
├── cicd-security.md # GitHub Actions injection, permissions
├── supply-chain.md # Dependency confusion, typosquatting, lock files
├── lang-javascript.md # Node/Express/Next.js/React patterns (924 lines)
├── lang-python.md # Django/Flask/FastAPI patterns (935 lines)
├── iac-docker.md # Dockerfile/Compose security (1,005 lines)
└── report-template.md # Report format specification
Each reference file contains:
Two Python scripts handle tasks where batch processing is faster than sequential Claude analysis:
| Script | Purpose | Lines |
|---|---|---|
scan_secrets.py | Regex-based secret scanning across all files. 60+ patterns covering AWS, GCP, GitHub, Slack, Stripe, database credentials, private keys, API keys, and more. Includes smart allowlisting to reduce false positives. | 510 |
check_lockfiles.py | Lock file integrity verification for 10 package managers (npm, yarn, pnpm, bun, pip, pipenv, poetry, cargo, bundler, composer, Go). Detects missing lock files, unpinned dependencies, and risky lifecycle scripts. | 340 |
Both scripts:
Cyber Neo works out of the box using Claude-native analysis. For deeper scanning, install these optional tools:
| Tool | Category | Install | What It Adds |
|---|---|---|---|
| Semgrep | SAST | brew install semgrep | 3,000+ community rules for 30+ languages |
| Trivy | SCA | brew install trivy | Comprehensive dependency vulnerability database |
| Gitleaks | Secrets | brew install gitleaks | Git history scanning for committed secrets |
| pip-audit | Python SCA | pip install pip-audit | Python package vulnerability checking |
| cargo-audit | Rust SCA | cargo install cargo-audit | Rust crate vulnerability checking |
When these tools are installed, Cyber Neo automatically detects and uses them alongside its built-in analysis for deeper coverage.
Cyber Neo adapts its scanning strategy based on project size:
| Tier | File Count | Strategy |
|---|---|---|
| Small | < 1,000 | Full scan — every source file analyzed |
| Medium | 1,000 - 10,000 | Targeted scan — prioritizes src/, app/, API routes, auth middleware, config files |
| Large | 10,000+ | Critical-path scan — focuses on entry points, auth, config, deps. Reports coverage percentage |
The final report always shows how many files were scanned vs. skipped, so you know exactly what was covered.
Cyber Neo follows a strict read-only iron law:
| Rule | Description |
|---|---|
| Never modifies files | Your project files are never changed, deleted, or created |
| Never executes code | No npm start, python app.py, or any project execution |
| Never installs packages | No npm install, pip install, or dependency modifications |
| Never runs fix commands | No npm audit --fix or auto-remediation |
| Single write operation | Only writes the report file to ~/Desktop/ |
| Secrets are redacted | Detected secrets are never included in the report |
These constraints are enforced at the top level AND in every subagent prompt.
| ID | Category | Where Addressed |
|---|---|---|
| A01:2025 | Broken Access Control | auth-authz-patterns.md — missing middleware, IDOR, privilege escalation |
| A02:2025 | Security Misconfiguration | web-security-patterns.md + error-handling-patterns.md — headers, debug mode, env config |
| A03:2025 | Software Supply Chain Failures | supply-chain.md + cicd-security.md — dep confusion, typosquatting, CI injection |
| A04:2025 | Cryptographic Failures | crypto-patterns.md + secrets-patterns.md — weak algorithms, hardcoded keys |
| A05:2025 | Injection | lang-javascript.md + lang-python.md + web-security-patterns.md — SQLi, XSS, SSRF |
| A06:2025 | Insecure Design | auth-authz-patterns.md + web-security-patterns.md — structural design flaws |
| A07:2025 | Authentication Failures | auth-authz-patterns.md — JWT, sessions, password hashing, OAuth |
| A08:2025 | Software/Data Integrity Failures | lang-*.md + supply-chain.md — deserialization, dependency integrity |
| A09:2025 | Logging/Monitoring Failures | logging-patterns.md — sensitive data in logs, missing security logging |
| A10:2025 | Mishandling of Exceptional Conditions | error-handling-patterns.md — empty catches, stack traces, debug mode |
After running Cyber Neo, we recommend a test-driven security fix approach:
1. Read the report — start with Critical findings
2. Pick the highest-severity finding
3. Write a test that proves the vulnerability exists
4. Apply the fix from the remediation guidance
5. Run the test — verify it passes
6. Re-run /cyber-neo to confirm the finding is resolved
7. Repeat for the next finding
If you have the Superpowers plugin installed, use its TDD workflow for structured remediation.
Cyber Neo works with other Claude Code skills for enhanced analysis:
| Skill | Integration |
|---|---|
| /last30days | Researches emerging threats and community discussions about your detected stack |
| /deep-research | Looks up context on unfamiliar CVEs or emerging threats found during scan |
| Superpowers | TDD-driven remediation workflow for fixing findings systematically |
cyber-neo/
├── .claude-plugin/
│ └── plugin.json # Plugin metadata
├── skills/
│ └── cyber-neo/
│ ├── SKILL.md # Orchestration engine (563 lines)
│ ├── scripts/
│ │ ├── scan_secrets.py # Batch secret scanner (510 lines)
│ │ └── check_lockfiles.py # Lock file checker (340 lines)
│ └── references/ # Security knowledge base (14 files, 10K+ lines)
│ ├── owasp-top-10.md
│ ├── cwe-top-25.md
│ ├── secrets-patterns.md
│ ├── auth-authz-patterns.md
│ ├── crypto-patterns.md
│ ├── web-security-patterns.md
│ ├── error-handling-patterns.md
│ ├── logging-patterns.md
│ ├── cicd-security.md
│ ├── supply-chain.md
│ ├── lang-javascript.md
│ ├── lang-python.md
│ ├── iac-docker.md
│ └── report-template.md
├── CLAUDE.md # Contributor guidelines
├── LICENSE # MIT
└── README.md # This file
/cyber-neo:config)We welcome contributions from the community. See CLAUDE.md for detailed contributor guidelines.
references/lang-{language}.md following the existing patternCyber Neo is shipped by @soyenriquerocha and built by the Tododeia community — a growing network of developers building apps, tools, and products together. We believe every developer deserves access to enterprise-grade security tooling, for free.
Cyber Neo builds on the shoulders of the security community:
Shipped by @soyenriquerocha | Built with purpose. Open source forever.
Protecting the apps our community builds — one scan at a time.
Get Started | Report an Issue | Join the Community | Follow @soyenriquerocha
ML engineering — model training, deployment, MLOps, monitoring
DevOps practices — CI/CD, containers, monitoring, infrastructure automation
Professional skills marketplace with production-ready skills for enhanced development
Self-learning system that captures corrections and syncs them to CLAUDE.md and AGENTS.md
