Threat Modeling

security-bounty-hunter helps you find bounty-worthy vulnerabilities in repositories, with a focus on remotely reachable, user-controlled issues that are likely to survive triage. Use it for Security Audit work when you want practical reportable findings instead of noisy local-only concerns.

llm-trading-agent-security is a practical guide for securing autonomous trading agents with wallet authority. It covers prompt injection, spend limits, pre-send simulation, circuit breakers, MEV-aware execution, and key isolation to reduce financial-loss risk in a Security Audit.

defi-amm-security is a focused security checklist for Solidity AMMs, liquidity pools, LP vaults, and swap flows. It helps auditors and engineers review reentrancy, CEI ordering, donation or inflation attacks, oracle assumptions, slippage, admin controls, and integer math with less guesswork than a generic prompt.

cso is a Chief Security Officer–style security audit skill for agents. It helps review codebases and workflows for secrets exposure, dependency and supply-chain risk, CI/CD security, and LLM/AI security using OWASP Top 10 and STRIDE. Use cso for structured Security Audit reviews with confidence gates, active verification, and trend tracking.

attack-tree-construction helps build structured attack trees for Threat Modeling with clear root goals, AND/OR branches, and testable leaf attacks. Use it to map attack paths, expose defense gaps, and support security review, testing, and mitigation planning.

security-requirement-extraction turns threat models and business context into testable security requirements, user stories, acceptance criteria, and backlog-ready outputs for Requirements Planning.

stride-analysis-patterns helps agents run a structured STRIDE threat-modeling pass for architectures, APIs, and data flows. Install from the wshobson/agents repo, read the SKILL.md file, and use it to turn system descriptions into categorized threats and control-focused review output.

The threat-mitigation-mapping skill helps map identified threats to preventive, detective, and corrective controls across layers, supporting defense-in-depth, remediation planning, and control coverage review.

anti-reversing-techniques is a reverse-engineering skill for authorized malware analysis, CTF work, packed binary triage, and security audits. It helps you identify anti-debugging, anti-VM, packing, and obfuscation patterns, then choose a practical analysis workflow using the core skill and advanced reference.

solidity-security is a focused Solidity audit and secure-coding skill for reviewing reentrancy, access control, unsafe external calls, and remediation patterns. Use it to prepare contracts for Security Audit, improve prompts, and get more structured review output than a generic audit request.

The security-and-hardening skill helps harden application code before release. Use it for user input, auth, sessions, sensitive data, file uploads, webhooks, and external services, with concrete checks like input validation, parameterized queries, output encoding, secure cookies, HTTPS, and secrets handling.

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

detecting-modbus-command-injection-attacks helps security analysts spot suspicious Modbus TCP/RTU write activity, anomalous function codes, malformed frames, and baseline deviations in ICS and SCADA environments. Use it for incident triage, OT monitoring, and a Security Audit when you need Modbus-aware detection guidance, not a generic anomaly prompt.

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

detecting-azure-lateral-movement helps security analysts hunt lateral movement in Azure AD/Entra ID and Microsoft Sentinel using Microsoft Graph audit logs, sign-in telemetry, and KQL correlation. Use it for incident triage, detection engineering, and security audit workflows covering consent abuse, service principal misuse, token theft, and cross-tenant pivoting.

detecting-aws-iam-privilege-escalation helps audit AWS IAM for privilege escalation paths using boto3 and Cloudsplaining-style analysis. Use it to identify dangerous permission combinations, least-privilege violations, and security audit findings before they become incidents.

analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.

analyzing-campaign-attribution-evidence helps analysts weigh infrastructure overlap, ATT&CK consistency, malware similarity, timing, and language artifacts for defensible campaign attribution. Use this analyzing-campaign-attribution-evidence guide for CTI, incident analysis, and Security Audit reviews.

analyzing-azure-activity-logs-for-threats skill for querying Azure Monitor activity logs and sign-in logs to spot suspicious admin actions, impossible travel, privilege escalation, and resource tampering. Built for incident triage with KQL patterns, an execution path, and practical Azure log table guidance.

analyzing-apt-group-with-mitre-navigator helps analysts map APT group techniques into MITRE ATT&CK Navigator layers for detection gap analysis, threat modeling, and repeatable threat intelligence workflows. It includes practical guidance for ATT&CK data lookup, layer generation, and comparing adversary TTP coverage.

constant-time-testing is a practical skill for auditing cryptographic code for timing side channels. Use the constant-time-testing skill to inspect secret-dependent branches, memory access patterns, and microarchitectural behavior, then apply a focused constant-time-testing guide for Security Audit workflows.

ton-vulnerability-scanner is a focused audit skill for TON smart contracts written in FunC. It helps identify integer-as-boolean misuse, fake Jetton contract handling, and missing gas checks when forwarding TON. Use it for a fast first-pass Security Audit before deeper manual review.

substrate-vulnerability-scanner helps audit Substrate and FRAME pallets for critical issues like arithmetic overflow, panic DoS, bad origin checks, incorrect weights, and unsafe unsigned extrinsics. Use this substrate-vulnerability-scanner skill for Security Audit reviews of runtimes, pallet extrinsics, and weight logic.

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.