Security
Security scanning and vulnerability detection
utils/gemini
by codihaus
Large context processing using Gemini Flash for codebase scanning and summarization
security-audit
by kilogrametz
Comprehensive security audit for web applications and APIs. Performs a full-stack security review covering authentication, authorization, rate limiting, input validation, secrets management, security headers, cost controls (AI/API spend), email abuse prevention, dependency vulnerabilities, and data exposure risks. Produces a severity-ranked report with specific fix recommendations and code examples. Use this skill whenever the user mentions: security audit, security review, penetration test, vulnerability assessment, hardening, "is my app secure", "check for vulnerabilities", "before going live", "production readiness", rate limiting, auth review, API security, or wants to assess the security posture of any web project — even if they just say something like "review my code for security issues" or "what could go wrong if I deploy this". Also trigger for pre-launch checklists that include security concerns.
elysia-core-backend
by ahmed-lotfy-dev
Scaffold a Bun + Elysia backend with Better Auth, Drizzle ORM, Postgres, MCP endpoint, OpenAPI docs, CORS, and security defaults. Use when asked to create or regenerate this backend scaffold, or to add these components to a new or empty Elysia server project.
semgrep
by aleister1102
Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform static analysis. Spawns parallel workers for multi-language codebases.
authentication
by AtulSinghShorthillsAI
Implement secure, production-grade authentication systems with token-based session management. Use this skill when the user asks to build user authentication, login/registration systems, session management, user identity features, or secure access control for web applications.
Security Scanning Tools
by jcastillotx
This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". It provides comprehensive guidance on security scanning tools and methodologies.
aave-security-foundations
by 0xWeakSheep
Security baseline for AAVE integration and execution scripts. Use when user asks for AAVE security review, pre-trade checks, liquidation safety, allowance minimization, or execution hardening.
azure-app-service-best-practices
by seligj95
Best practices for Azure App Service web app development, configuration, and operations. Use when reviewing/optimizing App Service configs, implementing security patterns (Managed Identity, Key Vault), optimizing performance (cold starts, scaling), setting up production deployments (slots, CI/CD, health checks), cost optimization, or troubleshooting. Triggers on "best practices", "recommendations", "patterns", "how should I configure".
semver
by stuckinforloop
Semantic versioning guidelines for software releases. Use when assigning version numbers, deciding between major/minor/patch bumps, managing unstable (0.x.x) software versions, evaluating breaking changes, or reviewing changelogs and release notes for correct semver compliance.
fortify-fod
by crance
Use this skill whenever the user wants to list and filter application security findings, run SAST/SCA/DAST scans, discover applications and releases, and manage security scanning using Fortify on Demand (FoD). Triggers include: any mention of 'FoD', 'Fortify on Demand', 'list vulnerabilities', 'run SAST scan', 'run SCA scan', 'run DAST scan', 'list applications', 'list releases', 'package source code', 'security scan', and similar requests indicating interaction with FoD for application security scanning and vulnerability management.
write-technical-rfc
by squirrel289
Create, revise, and maintain IETF-style Internet-Drafts and RFC-like technical specifications for protocols, APIs, interoperability contracts, and system behavior. Use when drafting a new spec, updating an existing draft, resolving review feedback, validating RFC 2119/8174 requirement language, or ensuring mandatory sections such as Security Considerations, IANA Considerations, and References are complete and consistent.
skill-oracle
by Aleffsalmeida
Universal Dynamic Orchestrator for Skills, Agents, Plugins, and MCP servers. Single entry point that indexes the full Claude Code ecosystem (5000+ assets), routes user tasks to domain Master Agents, debates ambiguous matches, suggests related domains proactively, and falls back to find-skills when no local match exists. Use as the FIRST step before any non-trivial task; replaces the legacy local-only skill matcher.
bezaleel-stack
by christopheraaronhogg
Provides comprehensive technology stack auditing with LIVE RESEARCH capability. Analyzes version currency, code patterns, conventions, anti-patterns, and security advisories for ANY framework (Laravel, React, Vue, Symfony, etc.). Use this skill when the user needs technology stack audit, framework best practices review, or package analysis. Produces detailed consultant-style reports with findings and prioritized recommendations — does NOT write implementation code.
SKILL.md — Web Research
by iamthetonyb
Never present speculation as fact
skill-auditor
by tomwangowa
Audit Claude Code skills for quality, security, and best practices. Use when reviewing SKILL.md files, ensuring skill quality standards, or before sharing skills with team.
general-frontend-security
by lenneTech
Framework-agnostic frontend security guide based on OWASP Secure Coding Practices. Covers XSS prevention, CSRF protection, Content Security Policy (CSP), secure cookie configuration, client-side authentication patterns, input validation, secure storage, and security headers. Activates for security audits, vulnerability reviews, or browser security questions in any web application. NOT for backend/NestJS security (use generating-nest-servers). NOT for Nuxt-specific implementation (use developing-lt-frontend).
SQL Injection Testing
by jcastillotx
This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database information through injection", "detect SQL injection flaws", or "exploit database query vulnerabilities". It provides comprehensive techniques for identifying, exploiting, and understanding SQL injection attack vectors across different database systems.
android-apk-audit
by DragonJAR
Comprehensive Android APK security audit with static analysis, dynamic instrumentation, source-to-sink tracing, IPC/component abuse analysis, and CVSS 4.0 reporting. Covers decompilation, manifest analysis, deep links and intent injection, secrets detection, crypto analysis, Frida/Objection integration, and APK repackaging. Use when user says "audit APK", "analyze android app", "mobile pentest", "APK security", "decompile APK", "android vulnerability assessment", "reverse engineer android", "modify APK", "intent injection", "deep link abuse", "bypass SSL pinning", "bypass root detection", or provides an APK for security review, decompiled Android sources, or decoded resources.
blueagent-x402
by madebyshun
Security OS for autonomous agents and builders on Base. 31 pay-per-use tools across Quantum Security, Agent Safety, Research, Data, and Earn. Built for AI agents, Zero-Human Companies (ZHC), and Base ecosystem builders. Pay USDC per call via x402 protocol — no subscription, no API key needed.
variant-analysis
by aleister1102
Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
External Research
by MaizeCobra
Comprehensive external research methodology using web search, URL fetching, and documentation APIs for authoritative, version-aware documentation gathering.
high-risk-review
by janjaszczak
Apply enhanced verification (CoVe-like review, security/arch/perf checks, targeted web research) for high-risk tasks or uncertainty. Use for security, infra, data loss risk, major refactors, or when facts may be outdated.
dependency-update
by IHKREDDY
Check for outdated packages and create update PRs
kubernetes
by kprsnt2
Kubernetes deployment best practices including resource management, security, and observability.