Security
Security scanning and vulnerability detection
polish-repo
by axiomantic
"Use when improving project discoverability, attracting users/contributors, or presenting open source work. Triggers: 'write a README', 'improve README', 'get more users', 'get more contributors', 'add badges', 'create a logo', 'set up issue templates', 'audit this project', 'project presence', 'make this discoverable', 'why isn't anyone using this', 'prepare for launch', 'repo presentation', 'open source marketing', 'attract contributors', 'project storefront'. Also triggers on: naming a project, writing taglines, GitHub metadata, community infrastructure, signs of life."
code-review
by axiomantic
"Use when reviewing code. Triggers: 'review my code', 'check my work', 'look over this', 'review PR #X', 'PR comments to address', 'reviewer said', 'address feedback', 'self-review before PR', 'audit this code'. Modes: --self (pre-PR self-review), --feedback (process received review comments), --give (review someone else's code/PR), --audit (deep single-pass analysis). For heavyweight multi-phase analysis, use advanced-code-review instead."
reviewing-design-docs
by axiomantic
"Use when reviewing design documents, technical specifications, architecture docs, RFCs, ADRs, or API designs for completeness and implementability. Triggers: 'review this design', 'is this spec complete', 'can someone implement from this', 'what's missing from this design', 'review this RFC', 'is this ready for implementation', 'audit this spec'. Core question: could an implementer code against this without guessing?"
tarot-mode
by axiomantic
"Use when session returns mode.type='tarot', user says '/tarot', or requests roundtable dialogue with archetypes. Ten tarot archetypes (Magician, Priestess, Hermit, Fool, Chariot, Justice, Lovers, Hierophant, Emperor, Queen) collaborate via visible roundtable with instruction-engineering embedded."
security-audit
by Aedelon
Proactive security audit: OWASP top 10, dependency vulnerabilities, secrets detection, input validation, auth patterns, and secure defaults. MUST BE USED when user mentions: "security", "vulnerability", "audit", "OWASP", "CVE", "security review", "pentest", "injection", "XSS", "CSRF", "authentication", "authorization", "secrets", "hardcoded password", "secure", "npm audit", "pip-audit", "check security", "is this secure", "security risk", "data leak", "SQL injection", "command injection", "path traversal", "SSRF", "RCE", "privilege escalation", "supply chain", "dependency scan", "snyk", "trivy", "semgrep", "bandit". Scans code for vulnerabilities, checks dependencies, verifies auth patterns. NOT for explaining security concepts (use pedagogical-explain), or general code review (use code-review).
gathering-requirements
by axiomantic
"Use when eliciting or clarifying feature requirements, defining scope, identifying constraints, or capturing user needs. Triggers: 'what are the requirements', 'define the requirements', 'scope this feature', 'user stories', 'acceptance criteria', 'what should this do', 'what problem are we solving', 'what are the constraints'. Also invoked by implementing-features during DISCOVER stage and by the Forged workflow."
security-auditing
by axiomantic
"Use when auditing skills, commands, hooks, and MCP tools for security vulnerabilities. Triggers: 'security audit', 'scan for vulnerabilities', 'check security', 'audit skills', 'audit MCP tools'. Integrates with code-review --audit, implementing-features Phase 4, and distilling-prs for PR security review."
vendor-evaluation
by proflead
Evaluate third-party vendors for engineering fit. Use when a senior developer needs a structured vendor assessment.
code-review
by Montimage
Perform code reviews following best practices from Code Smells and The Pragmatic Programmer. Use when asked to "review this code", "check for code smells", "review my PR", "audit the codebase", or need quality feedback on code changes. Supports both full codebase audits and focused PR/diff reviews. Outputs structured markdown reports grouped by severity.
2600-magazine
by plurigrid
Query and explore the 2600: The Hacker Quarterly magazine archive (1984-present) via DuckDB. Provides structured access to 168+ issues covering hacker culture, security, privacy, telephony, and digital rights without loading full content into context.
grey-haven-code-quality-analysis
by greyhaven-ai
"Multi-mode code quality analysis covering security reviews (OWASP Top 10), clarity refactoring (readability rules), and synthesis analysis (cross-file issues). Supports team-mode parallel analysis when invoked from quality-pipeline. Use when reviewing code for security vulnerabilities, improving code readability, conducting quality audits, pre-deployment checks, or when user mentions 'code quality', 'code review', 'security review', 'refactoring', 'code smell', 'OWASP', 'code clarity', or 'quality audit'."
grey-haven-plugin-audit
by greyhaven-ai
"Comprehensive Claude Code plugin auditing skill for validating structure, detecting deprecated patterns, and recommending best practices based on the latest changelog. Use when auditing plugins, checking for deprecations, validating plugin structure, preparing plugins for release, or ensuring compatibility with recent Claude Code versions. Triggers: 'audit plugin', 'check plugin health', 'validate skill', 'plugin deprecation', 'changelog compatibility', 'plugin best practices'."
iac-reviewer
by proflead
Review infrastructure-as-code changes for safety and correctness. Use when a mid-level developer needs a second look on IaC.
nats-design-subject
by TrogonStack
Design NATS subject hierarchies for messaging patterns (pub/sub, request/reply, streaming). Apply naming conventions, segmentation strategies, and wildcard patterns to create scalable subject architectures. Use when designing NATS messaging systems, planning multi-tenant communication, or auditing existing subject hierarchies. Do not use for: (1) NATS server configuration or cluster setup, (2) client library implementation or connection code, (3) debugging connectivity or performance issues, (4) choosing between NATS and other messaging systems.
security-reviewer
by alexander-danilenko
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
auto-paper
by u9401066
Fully automated paper writing + closed-loop self-improvement system. LOAD THIS SKILL WHEN: fully automated paper writing, auto write, automatic drafting, write the whole paper for me, autopilot, from start to finish, one-click paper writing. CAPABILITIES: orchestrates all research Skills + 3-layer Audit Hooks + Meta-Learning self-improvement.
magento-code-reviewer
by maxnorm
Reviews Magento 2 code for quality, security, performance, and compliance with PSR-12 and Magento coding standards. Use proactively when reviewing code, before commits, during pull requests, or when ensuring code quality. Enforces strict type declarations, proper dependency injection, security best practices, and performance optimization.
data-governance-check
by proflead
Review data handling for privacy and retention. Use when a senior developer needs governance validation.
smart-contract-audit
by greatpie
Script-backed, out-of-box auditing workflow for Solidity/EVM repositories based on EVMbench detect/patch/exploit methodology. Use when asked to audit a smart contract repo from a URL or local path, auto-prepare the environment, find high-severity loss-of-funds vulnerabilities, validate exploitability, propose safe fixes, and deliver a structured report with exact code references.
ai-debug
by breethomas
Diagnose why an AI feature is underperforming, hallucinating, or behaving inconsistently. Uses 4D audit to work backwards from symptoms to root cause.
code-reviewer
by nahisaho
Copilot agent that assists with comprehensive code review focusing on code quality, SOLID principles, security, performance, and best practices. Trigger terms: code review, review code, code quality, best practices, SOLID principles, code smells, refactoring suggestions, code analysis, static analysis. Use when: user requests involve code reviewer tasks.
audit-ux
by doodledood
Audit UI/UX changes in a focus area against design guidelines for accessibility, consistency, and usability issues.
security-stride-methodology
by vinnie357
Activate when conducting security analysis using STRIDE threat modeling, vulnerability assessment, and security architecture evaluation
claude-code-command-patterns
by vinnie357
Activate when creating or modifying Claude Code slash commands with proper frontmatter, Task invocation patterns, and TodoWrite integration