Security
Security scanning and vulnerability detection
uv-deps
by WhatIfWeDigDeeper
Maintain Python packages through security audits or dependency updates on a dedicated branch using uv. Use for: security audits, CVE fixes, vulnerability checks, dependency updates, package upgrades, outdated packages, bump versions, fix Python vulnerabilities, check for Python CVEs, audit Python packages, update pyproject.toml dependencies, modernize Python deps, or when user types "/uv-deps" with or without specific package names or glob patterns. Use "help" or "--help" to show options.
skills-eval
by Ven0m0
Evaluate and improve Claude skill quality through auditing. Use when
github-cleanup
by spm1001
Orchestrates progressive GitHub account cleanup using a 6-phase audit→approve→execute process that prevents accidental deletion. BEFORE any destructive repo action, invoke FIRST — traces Dependabot alerts to unused direct deps (prune) vs transitive-only (upgrade lock file). Triggers on 'clean up GitHub', 'audit my repos', 'Dependabot trouble', 'unused deps', 'stale forks', 'dependency audit'. Requires gh CLI. (user)
postgres-rls
by troykelly
MANDATORY when touching auth tables, tenant isolation, RLS policies, or multi-tenant database code - enforces Row Level Security best practices and catches common bypass vulnerabilities
security-review
by troykelly
MANDATORY for security-sensitive code changes - OWASP-based security review with dedicated checklist, required before PR for auth, input handling, API, database, or credential code
review-gate
by troykelly
HARD GATE before PR creation - verifies review artifact exists in issue comments, all findings addressed or tracked, blocks PR creation if requirements not met
comprehensive-review
by troykelly
Use after implementing features - 7-criteria code review with MANDATORY artifact posting to GitHub issue; blocks PR creation until complete
aws-cloud
by jpoutrin
AWS cloud infrastructure patterns and best practices. Use when designing or implementing AWS solutions including EC2, Lambda, S3, RDS, and infrastructure as code with Terraform or CloudFormation.
clawpilot
by kcchien
Expert skill for OpenClaw (v2026.2.19) — self-hosted AI gateway connecting chat apps (WhatsApp, Telegram, Discord, Slack, iMessage, Signal, LINE, Matrix, Teams, Google Chat, BlueBubbles) to AI agents. Use when user asks about: (1) Installing, configuring, or updating OpenClaw, (2) Setting up or troubleshooting chat channels (e.g. "my WhatsApp bot isn't responding"), (3) Security hardening, auditing, or checking a local OpenClaw installation, (4) Inspecting openclaw.json config, prompts (SOUL.md/AGENTS.md), or session transcripts, (5) Multi-agent routing, session management, agent isolation, (6) Cloud deployment (AWS/GCP/Fly.io/Docker) and remote access (Tailscale/SSH), (7) Upgrading or migrating OpenClaw versions, (8) Discovering or installing OpenClaw skills from ClawHub, (9) Any mention of "openclaw", "openclaw.json", "~/.openclaw", or gateway config. Includes bundled scripts for security audit (CVE detection, OWASP/NIST mapping, supply chain scan), config inspection, prompt checking, and session scanning. Do NOT use for: general chatbot frameworks (Botpress, Rasa, etc.), non-OpenClaw AI gateways, or generic Docker/cloud questions unrelated to OpenClaw deployment.
drill-recovery
by quangrau
Disaster recovery drill exercises and security checklists for web application projects (SPA, SSR, full-stack web apps). Focused on solo/indie developers using free-tier infrastructure (Vercel, Supabase, Cloudflare, Netlify, Railway, etc.). Bridges big-tech best practices (NIST, Google SRE DiRT, ISO 22301) to indie scale. Use when the user mentions drills, disaster recovery, security audit, incident simulation, project health check, resilience testing, backup strategies, secret rotation, or incident response for web projects. Not for mobile apps, desktop software, CLI tools, or games.
solidity-auditor
by schwepps
Professional-grade Solidity smart contract security auditor. Performs comprehensive audits or targeted reviews (security vulnerabilities, gas optimization, storage optimization, code architecture, DeFi protocol analysis). Use this skill when users request smart contract audits, security reviews, vulnerability assessments, gas/storage optimization analysis, code quality reviews, or when analyzing Solidity code for any security or quality concerns. Supports all Solidity versions with version-specific vulnerability detection. Based on OWASP Smart Contract Top 10 (2025) and real-world exploit patterns.
role-architect:threat-modeling
by rnavarych
Threat modeling expertise including STRIDE methodology, attack trees, trust boundary identification, data flow analysis, risk assessment, mitigation prioritization, and security architecture review.
role-aqa:security-testing
by rnavarych
Security test automation with OWASP ZAP (active/passive scanning), Burp Suite, SAST (SonarQube, CodeQL), DAST, dependency scanning (Snyk, Dependabot, npm audit), penetration test planning, vulnerability management, and threat modeling integration. Use when implementing security testing or evaluating application security posture.
role-architect:aws-architect
by rnavarych
AWS architecture expertise including Well-Architected Framework, account strategy, VPC and networking design, compute and serverless patterns, data architecture, security architecture, and cost optimization strategies. Use proactively when designing systems on AWS, evaluating AWS services, planning AWS landing zones, or architecting for AWS-specific capabilities.
seo-technical-audit
by schwepps
Professional technical SEO audit that analyzes crawlability, Core Web Vitals, site architecture, mobile readiness, security, structured data, and AI crawler configuration. Use when auditing websites for technical SEO issues, diagnosing indexation problems, or preparing comprehensive SEO reports.
browser-automation
by martinholovsky
Expert in browser automation using Chrome DevTools Protocol (CDP) and WebDriver. Specializes in secure web automation, testing, and scraping with proper credential handling, domain restrictions, and audit logging. HIGH-RISK skill due to web access and data handling.
code-security-review
by DauQuangThanh
Conducts comprehensive security code reviews including vulnerability detection (OWASP Top 10, CWE), authentication/authorization flaws, injection attacks, cryptography issues, sensitive data exposure, API security, dependency vulnerabilities, security misconfigurations, and compliance validation (PCI-DSS, GDPR, HIPAA). Produces detailed security assessment reports with CVE references, CVSS scores, exploit scenarios, and remediation guidance. Use when reviewing code security, performing security audits, checking for vulnerabilities, validating security controls, assessing security risks, or when users mention "security review", "vulnerability scan", "security audit", "penetration test", "OWASP", "security assessment", "secure coding", or "security compliance".
feature-radar-scan
by runkids
Discover new feature opportunities from creative brainstorming, user feedback, ecosystem trends, and cross-project research. Writes results to .feature-radar/opportunities/. MUST use this skill when the user wants to GENERATE new ideas — not evaluate existing ones. Trigger on any request to brainstorm, explore, discover, or find new feature ideas, even casual ones like "I wonder what else we could do" or "give me ideas". Use when the user:
- Asks "what else could we build?", "give me feature ideas", "what are we missing?"
- Wants to brainstorm, explore new directions, or refresh the opportunity backlog
- Says "scan ecosystem", "scan opportunities", "find new features"
- Asks to review GitHub issues, community feedback, or adjacent tools for inspiration
- Mentions "explore", "discover", or "new directions" in a feature context
Do NOT use for evaluating/prioritizing existing features — that's feature-radar's job.
oracle-cloud
by DauQuangThanh
Provides comprehensive Oracle Cloud Infrastructure (OCI) guidance including compute instances, networking (VCN, load balancers, VPN), storage (block, object, file), database services (Autonomous Database, MySQL, NoSQL), container orchestration (OKE), identity and access management (IAM), resource management, cost optimization, and infrastructure as code (Terraform OCI provider, Resource Manager). Produces infrastructure code, deployment scripts, configuration guides, and architectural diagrams. Use when designing OCI architecture, provisioning cloud resources, migrating to Oracle Cloud, implementing OCI security, setting up OCI databases, deploying containerized applications on OKE, managing OCI resources, or when users mention "Oracle Cloud", "OCI", "Autonomous Database", "VCN", "OKE", "OCI Terraform", "Resource Manager", "Oracle Cloud Infrastructure", or "OCI migration".
azure-cloud
by DauQuangThanh
Provides comprehensive Microsoft Azure guidance including Azure Virtual Machines, Azure Storage (Blob, Files, Disks), Azure SQL Database, Azure App Service, Azure Functions, AKS (Azure Kubernetes Service), Azure DevOps, ARM templates, Bicep, Terraform for Azure, Azure Active Directory, Azure Key Vault, Azure Monitor, cost optimization, and multi-region deployment. Produces infrastructure as code (Terraform/Bicep/ARM), deployment scripts, security configurations, and architecture designs. Use when deploying to Azure, designing Azure infrastructure, migrating to Microsoft Azure, configuring VMs, setting up Azure Storage, managing Azure SQL, working with AKS, or when users mention Azure, Microsoft Cloud, Azure Portal, ARM templates, Bicep, Azure Functions, App Service, or Azure DevOps.
ibm-cloud
by DauQuangThanh
Provides comprehensive IBM Cloud platform guidance including compute services (VPC, Virtual Servers, IKS, OpenShift, Code Engine, Cloud Functions), storage (Object Storage, Block Storage, File Storage), databases (Db2, Cloudant, PostgreSQL, MySQL, MongoDB, Redis), IAM security (access groups, service IDs, Key Protect, Secrets Manager), networking (VPC, load balancers, Direct Link), CLI automation, Terraform/Schematics infrastructure as code, monitoring, and cost optimization. Covers infrastructure provisioning, application deployment, security configuration, multi-zone high availability, and operational best practices. Use when working with IBM Cloud services, deploying cloud infrastructure, managing cloud resources, configuring security and networking, or when users mention "IBM Cloud", "IKS", "Code Engine", "Db2", "Cloudant", "VPC", "cloud provisioning", "IBM Kubernetes", "OpenShift", "Terraform IBM", "Schematics", or "IBM cloud platform".
keycloak-administration
by DauQuangThanh
Provides comprehensive KeyCloak administration guidance including realm management, user/group administration, client configuration, authentication flows, identity brokering, authorization policies, security hardening, and troubleshooting. Covers SSO configuration, SAML/OIDC setup, role-based access control (RBAC), user federation (LDAP/AD), social login integration, multi-factor authentication (MFA), and high availability deployments. Use when configuring KeyCloak, setting up SSO, managing realms and clients, troubleshooting authentication issues, implementing RBAC, or when users mention "KeyCloak", "SSO", "OIDC", "SAML", "identity provider", "IAM", "authentication flow", "user federation", "realm configuration", or "access management".
database-security
by oakoss
Database security auditor specialized in Row Level Security (RLS) enforcement, Zero-Trust database architecture, and forensic audit trails. Covers Supabase RLS policies, Postgres security, Convex auth guards, PGAudit configuration, JIT access controls, and database-specific compliance validation. Use when auditing database access policies, implementing RLS in Supabase or Postgres, configuring Convex auth guards, setting up audit logging, reviewing database security, or validating database-level compliance requirements.
application-security
by oakoss
Comprehensive application security covering threat modeling (STRIDE), OWASP Top 10 (2025), OWASP API Security Top 10 (2023), secure coding review, authentication/authorization patterns, input validation, encryption, security headers, supply chain security, compliance (GDPR/HIPAA/SOC2/PCI-DSS), and security monitoring. Use when reviewing code for vulnerabilities, implementing auth patterns, securing APIs, configuring security headers, hardening supply chain, preventing injection attacks, or preparing for compliance audits.