Security
Security scanning and vulnerability detection
java-spring-framework
by AyrtonAldayr
Senior Java & Spring Boot 4 / Spring Framework 7 architect skill for 2026-standard development. Use when the user asks to build, scaffold, design, review, or explain Java applications using Spring Boot 4.x, Spring Framework 7.x, Spring Modulith, or any related Spring ecosystem project. Triggers include: creating REST APIs, designing microservices, configuring data access (JdbcClient, JPA 3.2, R2DBC), reactive programming (WebFlux), security (Spring Security 7), observability, GraalVM native images, Gradle/Maven build configuration, Jakarta EE 11 migration, and any task requiring idiomatic modern Java (Java 25: records, sealed classes, structured concurrency, scoped values, pattern matching, JSpecify null safety).
postgres-rls
by troykelly
MANDATORY when touching auth tables, tenant isolation, RLS policies, or multi-tenant database code - enforces Row Level Security best practices and catches common bypass vulnerabilities
skill-security-audit
by smartchainark
Detect malicious patterns in AI Agent skills — 13 detectors for backdoors, credential theft, data exfiltration, and supply-chain attacks. Based on SlowMist's ClawHub threat intelligence (472+ malicious skills). Pure Python, zero dependencies.
find-bugs
by derKlinke
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
security-prompts
by harperaa
Library of battle-tested security prompt templates for secure feature implementation. Use when implementing forms, endpoints, authentication, authorization, file uploads, or conducting security reviews. Triggers include "security prompt", "secure form", "RBAC", "threat model", "STRIDE", "admin endpoint", "file upload", "security testing", "code review", "OWASP".
security-testing-verification
by harperaa
Test security features and verify implementation before deployment. Use this skill when you need to test CSRF protection, rate limiting, input validation, verify security headers, run security audits, or check the pre-deployment security checklist. Triggers include "test security", "security testing", "verify security", "security checklist", "pre-deployment", "test CSRF", "test rate limit", "security verification".
attack-tree-construction
by xfstudio
Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.
supply-chain-dependency-risks-ai-code
by harperaa
Understand supply chain vulnerabilities and dependency risks in AI-generated code including outdated packages, malicious packages, and dependency confusion attacks. Use this skill when you need to learn about vulnerable dependencies in AI code, understand supply chain attacks, recognize typosquatting, or identify outdated package suggestions. Triggers include "supply chain attacks", "dependency vulnerabilities", "outdated packages", "malicious npm packages", "typosquatting", "dependency confusion", "vulnerable dependencies AI", "npm security".
security-prompts-threat-modeling
by harperaa
Security analysis and threat modeling prompt templates for STRIDE analysis, code review, OWASP compliance, and vulnerability assessment. Use for security planning, pre-deployment reviews, and ongoing threat assessment. Triggers include "STRIDE", "threat model", "security review", "code review", "OWASP", "payment security", "security analysis", "vulnerability assessment".
vibe-coding-security-awareness-overview
by harperaa
Understand the security risks inherent in AI-generated code and vibe coding. Use this skill when you need to understand why AI generates insecure code, statistics on vulnerabilities, real-world breach examples, or overall security awareness for AI-assisted development. Triggers include "vibe coding security", "AI code security", "AI vulnerabilities", "security risks AI code", "why AI insecure", "AI security awareness", "AI generated code risks".
security-review
by troykelly
MANDATORY for security-sensitive code changes - OWASP-based security review with dedicated checklist, required before PR for auth, input handling, API, database, or credential code
injection-vulnerabilities-ai-generated-code
by harperaa
Understand how AI generates SQL injection, command injection, and XSS vulnerabilities. Use this skill when you need to learn about injection attack patterns in AI code, see real-world examples of injection vulnerabilities, understand why AI generates insecure database queries, or recognize vulnerable code patterns. Triggers include "SQL injection AI", "command injection", "XSS vulnerabilities", "injection attacks", "AI database queries", "shell injection", "cross-site scripting AI code".
security-review
by dstiliadis
Mandatory security review gate for all code and architecture plans. Triggers on ANY plan, implementation, code generation, architecture design, API design, infrastructure change, deployment configuration, or system modification. Before executing or finalizing ANY plan that produces code, configuration, or infrastructure, run the full security review workflow: threat model, review against security checklist, emulate attack paths agentically, mitigate findings, and pen-test again before delivery. This skill acts as a security-conscious intern with CompTIA Security+ knowledge who reviews every output for authentication, authorization, encryption, logging, input validation, segmentation, privacy, and common vulnerability anti-patterns. Also triggers when the user asks to "review security", "threat model", "harden", "pen test", or "check for vulnerabilities".
security-operations-deployment
by harperaa
Operational security guidance for deployment, monitoring, and maintenance. Use this skill when you need to understand which middlewares to apply, configure environment variables, monitor security post-deployment, or follow the pre-deployment checklist. Triggers include "security operations", "deployment security", "security monitoring", "environment variables", "when to use middleware", "pre-deployment", "security checklist", "production security".
security-headers
by harperaa
Configure security headers to defend against clickjacking, XSS, MIME confusion, and SSL stripping attacks. Use this skill when you need to set up Content-Security-Policy, X-Frame-Options, HSTS, configure middleware headers, or understand browser security features. Triggers include "security headers", "CSP", "content security policy", "X-Frame-Options", "HSTS", "clickjacking", "MIME confusion", "middleware headers".
security-architecture-overview
by harperaa
Understand the defense-in-depth security architecture of Secure Vibe Coding OS. Use this skill when you need to understand the overall security approach, the 5-layer security stack, OWASP scoring, or when to use other security skills. Triggers include "security architecture", "defense in depth", "security layers", "how does security work", "OWASP score", "security overview", "security principles".
aave-security-foundations
by intenxus
Security baseline for AAVE integration and execution scripts. Use when user asks for AAVE security review, pre-trade checks, liquidation safety, allowance minimization, or execution hardening.
dependency-supply-chain-security
by harperaa
Manage dependencies and supply chain security to prevent vulnerable or malicious packages. Use this skill when you need to audit dependencies, update packages, check for vulnerabilities, understand supply chain attacks, or maintain dependency security. Triggers include "dependencies", "npm audit", "supply chain", "package security", "vulnerability", "npm update", "security audit", "outdated packages".
csrf-protection
by harperaa
Implement Cross-Site Request Forgery (CSRF) protection for API routes. Use this skill when you need to protect POST/PUT/DELETE endpoints, implement token validation, prevent cross-site attacks, or secure form submissions. Triggers include "CSRF", "cross-site request forgery", "protect form", "token validation", "withCsrf", "CSRF token", "session fixation".
authentication-authorization-vulnerabilities-ai-code
by harperaa
Understand authentication and authorization defects in AI-generated code including insecure password storage, broken session management, and access control bypasses. Use this skill when you need to learn about auth vulnerabilities in AI code, understand why AI suggests MD5/plaintext passwords, recognize broken session patterns, or identify access control gaps. Triggers include "auth vulnerabilities AI", "password storage AI", "session management", "broken access control", "authentication defects", "MD5 passwords", "session hijacking", "authorization bypass".
kali-docker-pentesting
by kroegha
Comprehensive pentesting toolkit using Kali Linux Docker container. Provides direct access to 200+ security tools without MCP overhead. Use when conducting security assessments, penetration testing, vulnerability scanning, or security research. Works via direct docker exec commands for maximum efficiency.
Security-First-Design Skill
by ilude
Apply this framework when security is a primary design concern. Work through phases sequentially, documenting findings and mitigations at each stage.
structured-analysis
by ilude
Apply structured analytical frameworks to any artifact (prompts, systems, documents, code). 12 frameworks in 3 tiers: Core (4 universal), Auto-Invoke (specialized), On-Demand (advanced). Includes adversarial-review for finding blind spots and post-plan validation workflow.
codereview-security
by xinbenlv
Zero-trust security analysis like Cursor BugBot. Focuses exclusively on finding exploitable vulnerabilities with high confidence (>95%). Use when reviewing files that handle input parsing, database queries, authentication, or external API calls.