What is deepsec-skill?

An agent skill (per the agentskills.io spec) that teaches AI coding agents how to run Vercel's deepsec vulnerability scanner. Install once with npx skills add johndfowler/deepsec-skill and every supported agent (Claude Code, Cursor, Codex, OpenCode, Continue, Goose, Aider, GitHub Copilot CLI, Gemini CLI, Cline, Warp, and more) learns the workflow.

Why does deepsec need a skill?

deepsec's AI process step uses Claude Opus 4.7 and GPT-5.5 at maximum reasoning effort. Cost scales with scan candidates, not repository size, so a naive run on a monorepo can cost hundreds of dollars. This skill bakes in the scan-first, get-approval, then-process pattern so agents do not surprise users with a bill.

How is the skill installed?

Run npx skills add johndfowler/deepsec-skill, or fetch directly from URL with npx skills add https://deepsec-skill.dev/SKILL.md. The endpoint serves the SKILL.md with text/markdown content-type and CORS open, so any compliant agent loader can fetch it.

Which AI coding agents are supported?

Any agent that consumes the agentskills.io spec: Claude Code, Cursor, Codex, OpenCode, Continue, Goose, Aider, GitHub Copilot CLI, Gemini CLI, Cline, Warp, and roughly fifty more. The skill picks up your existing claude or codex CLI subscription automatically, so no extra API keys are needed for most users.

deepsec skill: AI vulnerability scanning for AI coding agents

An agent skill that teaches AI coding agents how to run Vercel's deepsec vulnerability scanner, with cost guardrails.

Install

Via the skills.sh CLI:

npx skills add johndfowler/deepsec-skill

Or from this URL directly:

npx skills add https://deepsec-skill.dev/SKILL.md

What it does

Walks through deepsec init + .gitignore setup
Authors a tight, high-signal INFO.md (50–100 lines, five-section rubric)
Runs the free regex scan first, reports candidate count, then asks before running the paid AI process
revalidates findings to cull false positives
Triage loop: verify findings, fix in focused commits, re-scan to confirm closure

Try it: ask the skill

Live demo powered by Vercel AI Gateway. The model has the full SKILL.md as context, so it answers like an agent that has loaded the skill. 10 questions/hr/IP, ~600 tokens/answer.

Cost compare: same prompt, 7 models

Same question, fanned out across 7 frontier models in parallel via AI Gateway. Real latency, real tokens, real cost, sorted cheapest first. 5 compares/hr/IP, $1/day hard cap, served from Stockholm (low-carbon grid). Each click bills roughly $0.0001 to $0.001 total.

Region arn1 · Stockholm Vercel's lowest-carbon edge (Nordic hydro/wind)

Daily cap $1.00 Hard ceiling. Resumes 00:00 UTC.

Spent today $0.000000 0% of cap

Site footprint ≈93 KB 7 files · 0 prod npm deps · static HTML

Why a skill?

deepsec's AI process step uses Claude Opus 4.7 + GPT-5.5 at max effort. Cost scales with scan candidates, not repo size. A naive run on a monorepo can cost hundreds of dollars. This skill bakes in the scan first, get user approval, then process pattern so your agent doesn't surprise you with a bill.

Compatible agents

Claude Code, Codex, Cursor, OpenCode, Continue, Goose, Aider, GitHub Copilot CLI, Gemini CLI, Cline, Warp, and ~50 more. Picks up your existing claude or codex CLI subscription automatically, so no new API key is needed for most users.

Credit where it's due

This skill is a thin agent-facing wrapper around Vercel's deepsec. The hard parts (the scanner itself, the dual-model AI verification pipeline, the cost model, the regex-then-AI architecture) are all Vercel's work. Read the announcement: Introducing deepsec: find and fix vulnerabilities in your code base.

The analysis behind deepsec is exceptional, and the odds of any one company shipping all of these pieces (the scanner, the AI verification loop, the model orchestration, the cost guardrails, the agent-skill ecosystem to distribute it) are roughly 1 in 100. This skill exists to make sure that when an AI coding agent picks up the tool, it uses the tool the way Vercel's team designed it to be used.

Powered by

The site, the live demos, and the skill itself stand on the shoulders of these:

Vercelhost AI Gateway9-model fan-out Claude Haiku 4.5streaming brain OpenAIGPT-5.4 mini/nano Node.js22.x runtime deepsecscanner agentskills.iov1 spec skills.shCLI + registry GitHubMIT

What's new

2026-05-05 Live cost-compare fans out to 7 cheapest "big house" models via AI Gateway, plus a $1/day hard cap, plus a Stockholm-region pin for low-carbon serve, plus the "ask the skill" streaming demo.
2026-05-04 Speed Insights + Web Analytics enabled, full Open Graph and Schema.org coverage, GSC verified.
2026-04-29 Initial release: skill published, listed on skills.sh.