Security
Security scanning and vulnerability detection
vibe-code-health-check
by FuzulsFriend
Scans any codebase and grades it A through F across 6 health dimensions (security, error handling, code structure, performance, deployment readiness, UX basics). Use when asked to "check my code", "audit my project", "is my code ready to ship", "review my codebase", "health check", "code quality check", "is my app secure", "vibe check my code", "scan my project", or "what is wrong with my code". Takes a codebase path and returns a scored report card with plain-English fixes.
akamai-application-security-api
by Lap-Platform
Akamai: Application Security API skill. Use when working with Akamai: Application Security for activations, api-discovery, configs. Covers 213 endpoints.
code-review-security
by KentoShimizu
Run security-focused code review when changes cross trust boundaries or may affect authentication, authorization, input validation, secrets handling, or sensitive-data exposure. Use for merge decisions requiring explicit security findings; do not use for non-security-only review scope.
github-cleanup
by spm1001
Orchestrates progressive GitHub account cleanup using a 6-phase audit→approve→execute process that prevents accidental deletion. BEFORE any destructive repo action, invoke FIRST — traces Dependabot alerts to unused direct deps (prune) vs transitive-only (upgrade lock file). Triggers on 'clean up GitHub', 'audit my repos', 'Dependabot trouble', 'unused deps', 'stale forks', 'dependency audit'. Requires gh CLI. (user)
vibe-coding
by Exploration-labs
Comprehensive guide for AI-assisted vibe coding. Use when the user wants to build applications through natural language prompts using tools like Lovable, Cursor, Replit, or Bolt. Includes best practices, pitfall awareness, tool-specific guidance, architectural decision support, and MVP scope definition with a bias toward cutting features aggressively to ship faster.
compliance-frameworks
by Logos-Liber
SOC 2 compliance requirements, ISO 27001 standards, PCI DSS requirements, HIPAA security rules, GDPR data protection, NIST Cybersecurity Framework, and industry-specific compliance requirements
comprehensive-review
by troykelly
Use after implementing features - 7-criteria code review with MANDATORY artifact posting to GitHub issue; blocks PR creation until complete
clawpilot
by kcchien
Expert skill for OpenClaw (v2026.2.19) — self-hosted AI gateway connecting chat apps (WhatsApp, Telegram, Discord, Slack, iMessage, Signal, LINE, Matrix, Teams, Google Chat, BlueBubbles) to AI agents. Use when user asks about: (1) Installing, configuring, or updating OpenClaw, (2) Setting up or troubleshooting chat channels (e.g. "my WhatsApp bot isn't responding"), (3) Security hardening, auditing, or checking a local OpenClaw installation, (4) Inspecting openclaw.json config, prompts (SOUL.md/AGENTS.md), or session transcripts, (5) Multi-agent routing, session management, agent isolation, (6) Cloud deployment (AWS/GCP/Fly.io/Docker) and remote access (Tailscale/SSH), (7) Upgrading or migrating OpenClaw versions, (8) Discovering or installing OpenClaw skills from ClawHub, (9) Any mention of "openclaw", "openclaw.json", "~/.openclaw", or gateway config. Includes bundled scripts for security audit (CVE detection, OWASP/NIST mapping, supply chain scan), config inspection, prompt checking, and session scanning. Do NOT use for: general chatbot frameworks (Botpress, Rasa, etc.), non-OpenClaw AI gateways, or generic Docker/cloud questions unrelated to OpenClaw deployment.
drill-recovery
by quangrau
Disaster recovery drill exercises and security checklists for web application projects (SPA, SSR, full-stack web apps). Focused on solo/indie developers using free-tier infrastructure (Vercel, Supabase, Cloudflare, Netlify, Railway, etc.). Bridges big-tech best practices (NIST, Google SRE DiRT, ISO 22301) to indie scale. Use when the user mentions drills, disaster recovery, security audit, incident simulation, project health check, resilience testing, backup strategies, secret rotation, or incident response for web projects. Not for mobile apps, desktop software, CLI tools, or games.
solidity-auditor
by schwepps
Professional-grade Solidity smart contract security auditor. Performs comprehensive audits or targeted reviews (security vulnerabilities, gas optimization, storage optimization, code architecture, DeFi protocol analysis). Use this skill when users request smart contract audits, security reviews, vulnerability assessments, gas/storage optimization analysis, code quality reviews, or when analyzing Solidity code for any security or quality concerns. Supports all Solidity versions with version-specific vulnerability detection. Based on OWASP Smart Contract Top 10 (2025) and real-world exploit patterns.
role-architect:aws-architect
by rnavarych
AWS architecture expertise including Well-Architected Framework, account strategy, VPC and networking design, compute and serverless patterns, data architecture, security architecture, and cost optimization strategies. Use proactively when designing systems on AWS, evaluating AWS services, planning AWS landing zones, or architecting for AWS-specific capabilities.
seo-technical-audit
by schwepps
Professional technical SEO audit that analyzes crawlability, Core Web Vitals, site architecture, mobile readiness, security, structured data, and AI crawler configuration. Use when auditing websites for technical SEO issues, diagnosing indexation problems, or preparing comprehensive SEO reports.
frontend-security
by schalkneethling
Audit frontend codebases for security vulnerabilities and bad practices. Use when performing security reviews, auditing code for XSS/CSRF/DOM vulnerabilities, checking Content Security Policy configurations, validating input handling, reviewing file upload security, or examining Node.js/NPM dependencies. Target frameworks include web platform (vanilla HTML/CSS/JS), React, Astro, Twig templates, Node.js, and Bun. Based on OWASP security guidelines.
appsec-expert
by martinholovsky
Elite Application Security engineer specializing in secure SDLC, OWASP Top 10 2025, SAST/DAST/SCA integration, threat modeling (STRIDE), and vulnerability remediation. Expert in security testing, cryptography, authentication patterns, and DevSecOps automation. Use when securing applications, implementing security controls, or conducting security assessments.
OS Keychain Skill
by martinholovsky
The OS keychain is your first line of defense. Misuse negates all downstream encryption.
using-rails-ai
by zerobearing2
Rails-AI introduction - explains how rails-ai (Rails domain layer) integrates with superpowers (universal workflows) for Rails development
linux-at-spi2
by martinholovsky
Expert in AT-SPI2 (Assistive Technology Service Provider Interface) for Linux desktop automation. Specializes in accessible automation of GTK/Qt applications via D-Bus accessibility interface. HIGH-RISK skill requiring security controls for system-wide access.
rails-ai:security
by zerobearing2
CRITICAL - Use when securing Rails applications - XSS, SQL injection, CSRF, file uploads, command injection prevention
application-security
by oakoss
Comprehensive application security covering threat modeling (STRIDE), OWASP Top 10 (2025), OWASP API Security Top 10 (2023), secure coding review, authentication/authorization patterns, input validation, encryption, security headers, supply chain security, compliance (GDPR/HIPAA/SOC2/PCI-DSS), and security monitoring. Use when reviewing code for vulnerabilities, implementing auth patterns, securing APIs, configuring security headers, hardening supply chain, preventing injection attacks, or preparing for compliance audits.
nestjs-best-practices
by xirothedev
NestJS best practices and patterns for building scalable, maintainable backend applications. This skill should be used when writing, reviewing, or refactoring NestJS code to ensure proper architecture, security, performance, and code quality. Triggers on tasks involving NestJS modules, controllers, services, guards, pipes, middleware, Prisma database operations, authentication, or any NestJS-specific patterns.
db-enforcer
by oakoss
Enforces database integrity for PostgreSQL and Prisma systems. Use when designing schemas, writing migrations, or configuring Row-Level Security. Use for type-safe SQL, naming alignment, constraint validation, zero-trust RLS policies, UUIDv7 primary keys, and zero-downtime deployments.
review-gate
by troykelly
HARD GATE before PR creation - verifies review artifact exists in issue comments, all findings addressed or tracked, blocks PR creation if requirements not met
wfc-deepen
by sam-fakhreddine
Augments an existing /wfc-plan directory by researching codebase patterns, project documentation, and dependency constraints to add supporting evidence to tasks. Reads TASKS.md and PROPERTIES.md, simulates parallel analysis across 4 dimensions, and appends sourced findings as annotations. Does NOT modify task structure, add/remove tasks, or write implementation steps. Triggers: /wfc-deepen, /wfc-deepen <path>, "add research evidence to the plan", "validate plan against codebase patterns", "annotate plan with known pitfalls", "cross-reference plan with existing solutions". Not for: writing or expanding task implementation steps; decomposing tasks into subtasks; prioritizing or reordering tasks; adding or removing tasks; pre-planning research before a plan directory exists; targeted research on specific questions unrelated to plan validation; re-deepening plans with existing Research Findings sections (use --force to override); general research with no plan context.
tech-blog-seo-draft-creator
by masayan1126
A skill that creates tech blog article drafts in one pass, SEO optimization included. It turns rough notes into a properly structured piece and generates the title, meta description, and hashtags. Use for requests such as "turn this into an article with SEO", "create an SEO-optimized draft", or "get this into publishable form".