Security

Security scanning and vulnerability detection


postmortem-team

by wcygan

Blameless language guide

Processing 192 3mo ago

security-review

by wcygan

Run a targeted security audit on specified files or modules. Uses OWASP-informed checks, dependency vulnerability scanning, and auth/input validation review. Use for security audits, vulnerability checks, or before deploying sensitive code. Keywords: security, audit, vulnerability, OWASP, CVE, secrets, injection, XSS, auth, authentication, authorization

Code Review 192 3mo ago

arch-review

by wcygan

RFC-style review of major technical decisions using a 5-agent debate team. Spawns tech-lead, security-auditor, performance-analyst, reliability-engineer, and devils-advocate for independent analysis followed by structured discussion. Produces decision document with pros/cons, dissenting opinions, and recommendation. Use for architecture decisions, technology selection, major refactors, design reviews. Keywords: architecture, RFC, design review, technical decision, architecture review, design decision, major change

Agents 192 3mo ago

gitops-repo-audit

by fluxcd

Audit Flux CD GitOps repositories for structure, security, API compliance, and best practices. Use this skill whenever the user asks to audit, analyze, review, validate, or check a GitOps repository. Also use it when users mention Flux repo structure, GitOps best practices, manifest validation, deprecated APIs, security review, or repository organization — even if they don't explicitly say "audit".

Code Review 163 3mo ago

reviewing-dependencies

by bitwarden

This skill should be used when the user asks to "review Dependabot alerts", "check for vulnerable dependencies", "audit third-party packages", "assess supply chain risk", "run Grype scan", or needs to evaluate dependency health, transitive risk, or supply chain security.

Code Review 110 3mo ago

scv-scan

by trailofbits

Audits Solidity codebases for smart contract vulnerabilities using a four-phase workflow (cheatsheet loading, codebase sweep, deep validation, reporting) covering 36 vulnerability classes. Use when auditing Solidity contracts for security issues, performing smart contract vulnerability scans, or reviewing Solidity code for common exploit patterns.

File Ops 425 3mo ago

wooyun-legacy

by trailofbits

Provides web vulnerability testing methodology distilled from 88,636 real-world cases from the WooYun vulnerability database (2010-2016). Use when performing penetration testing, security audits, code reviews for security flaws, or vulnerability research. Covers SQL injection, XSS, command execution, file upload, path traversal, unauthorized access, information disclosure, and business logic flaws.

Database 425 3mo ago

discover

by AsiaOstrich

[UDS] Assess project health, architecture, and risks before adding features

Code Review 69 3mo ago

cognitive-fallacies-guard

by lyndonkl

Use when detecting and preventing visual misleads, cognitive biases, and design failures in data visualizations, dashboards, reports, or presentations. Invoke when user mentions chartjunk, misleading chart, truncated axis, data integrity, visual deception, 3D chart problems, cherry-picking data, or needs to audit visualizations for honesty and accuracy.

Code Review 112 3mo ago

superpowers-review

by anthonylee991

Reviews changes for correctness, edge cases, style, security, and maintainability with severity levels (Blocker/Major/Minor/Nit). Use before finalizing changes.

Debugging 777 4mo ago

openai-security-best-practices

by trailofbits

Perform language and framework specific security best-practice reviews and suggest improvements.

Analytics 425 3mo ago

security-awareness

by trailofbits

Teaches agents to recognize and avoid security threats during normal activity. Covers phishing detection, credential protection, domain verification, and social engineering defense. Use when building or operating agents that access email, credential vaults, web browsers, or sensitive data.

Email 425 3mo ago

openai-security-ownership-map

by trailofbits

Analyze git repositories to build a security ownership topology (people-to-file), compute

Processing 425 3mo ago

asking-questions

by oaustegard

Guidance for asking clarifying questions when user requests are ambiguous, have multiple valid approaches, or require critical decisions. Use when implementation choices exist that could significantly affect outcomes.

Auth 125 5mo ago

code-review

by LangConfig

Systematic code review guidance covering best practices, security, performance, and maintainability. Use when reviewing code, checking PRs, or analyzing code quality.

Code Review 38 5mo ago

ghost-scan-secrets

by ghostsecurity

Ghost Security - Secrets and credentials scanner. Scans codebase for leaked API keys, tokens, passwords, and sensitive data. Detects hardcoded secrets and generates findings with severity and remediation guidance. Use when the user asks to check for leaked secrets, scan for credentials, find hardcoded API keys or passwords, detect exposed .env values, or audit code for sensitive data exposure.

Agents 384 3mo ago

defectdojo

by julianobarbosa

Guide for implementing DefectDojo - an open-source DevSecOps, ASPM, and vulnerability management platform. Use when querying vulnerabilities, managing findings, configuring CI/CD pipeline imports, or working with security scan data. Includes MCP tools for direct API interaction.

API Dev 76 5mo ago

skill-install

by stellarlinkco

Install Claude skills from GitHub repositories with automated security scanning. Triggers when users want to install skills from a GitHub URL, need to browse available skills in a repository, or want to safely add new skills to their Claude environment.

Git & VCS 2.7K 5mo ago

creating-an-agent

by ed3dai

Use when creating specialized subagents for Claude Code plugins or the Task tool - covers description writing for auto-delegation, tool selection, prompt structure, and testing agents

Agents 223 4mo ago

audit-rules

by melodic-software

Audit Claude Code rule files for quality and compliance. Use when creating or validating .claude/rules/*.md files, or troubleshooting rule loading issues.

Code Review 73 3mo ago

enterprise-security

by melodic-software

Central authority for Claude Code enterprise security. Covers enterprise managed policies (managed-settings.json), settings precedence hierarchy, policy file locations (macOS, Linux, Windows), unoverridable organizational policies, cloud execution security (isolated VMs, network access controls, credential protection), IDE security (VS Code, JetBrains), devcontainer security, and security best practices for teams. Assists with configuring enterprise policies, understanding precedence, and implementing organizational security standards. Delegates 100% to docs-management skill for official documentation.

Database 73 4mo ago

audit-memory

by melodic-software

Audit Claude Code CLAUDE.md memory files for quality, compliance, and organization. Use to validate import syntax, detect circular imports, and check hierarchy compliance.

Code Review 73 3mo ago

dockerfile-validator

by akin-ozer

Comprehensive toolkit for validating, linting, and securing Dockerfiles. Use this skill when validating Dockerfile syntax, checking security best practices, optimizing image builds. Applies to all Dockerfile variants (Dockerfile, Dockerfile.prod, Dockerfile.dev, etc.).

CLI Tools 225 3mo ago

audit-settings

by melodic-software

Audit Claude Code settings.json files for quality, compliance, and security. Use to validate configuration before deployment or check for exposed secrets.

Code Review 73 3mo ago