Security

The security-scan skill audits your Claude Code .claude/ configuration for secrets, risky MCP setup, injection-prone instructions, dangerous bypass flags, and weak agent or hook definitions using AgentShield. Use it for repeatable security checks before committing or onboarding.

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

security-bounty-hunter helps you find bounty-worthy vulnerabilities in repositories, with a focus on remotely reachable, user-controlled issues that are likely to survive triage. Use it for Security Audit work when you want practical reportable findings instead of noisy local-only concerns.

safety-guard helps prevent destructive operations when agents work autonomously or on production systems. It adds careful mode, write freeze mode, and guard mode to block risky commands, confine edits to one directory, and reduce mistakes during deploys, migrations, and sensitive repo work.

postgres-patterns is a practical PostgreSQL quick-reference skill for query optimization, schema design, indexing, Row Level Security, and connection pooling. It helps Database Engineering workflows make faster, more reliable decisions using compact best practices rather than a generic prompt.

perl-security helps you review Perl code for safer input handling, taint mode, shell execution, DBI placeholders, and web security issues like XSS, SQLi, and CSRF. Use this perl-security skill for Security Audit work, remediation planning, and secure development when user-controlled data reaches sensitive sinks.

llm-trading-agent-security is a practical guide for securing autonomous trading agents with wallet authority. It covers prompt injection, spend limits, pre-send simulation, circuit breakers, MEV-aware execution, and key isolation to reduce financial-loss risk in a Security Audit.

The laravel-security skill is a practical Laravel security checklist for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. Use it for audits, feature reviews, and hardening work in Laravel apps.

hipaa-compliance is the HIPAA-specific entrypoint for healthcare privacy and security work. Use the hipaa-compliance skill when a task is explicitly about PHI, covered entities, BAAs, breach posture, or whether a workflow creates HIPAA exposure. It is a thin overlay for fast compliance triage and guidance.

healthcare-phi-compliance helps review healthcare apps for PHI/PII risk across data models, APIs, logs, and access paths. Use it to check data classification, access control, encryption, audit trails, and common leak vectors for HIPAA, DISHA, GDPR, and related security audit needs.

github-ops is a GitHub operations skill for triaging issues, managing PRs, checking CI failures, preparing releases, and monitoring repository health with the gh CLI. Use the github-ops skill when you need repeatable github-ops usage for a real repository, with auth via gh auth login and clear repo context.

flutter-dart-code-review is a library-agnostic Flutter and Dart code review checklist for architecture, widget quality, state management, performance, accessibility, security, and clean code. Use it as a structured flutter-dart-code-review guide for Code Review across BLoC, Riverpod, Provider, GetX, MobX, Signals, or custom patterns.

enterprise-agent-ops helps you operate long-lived or cloud-hosted agent systems with observability, safety controls, change management, and recovery planning. Use it when you need a practical guide for agent orchestration, not a one-shot prompt.

docker-patterns helps you design and review Docker and Docker Compose setups for local development, networking, volumes, health checks, and container security. It is especially useful as a docker-patterns guide for Backend Development and multi-service stacks where dev/prod separation matters.

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

agent-payment-x402 helps AI agents handle x402 payments with MCP tools, spending caps, recipient allowlists, and non-custodial wallets for paid APIs and agent orchestration.

code-reviewer is a lightweight skill for Code Review that turns code or diffs into a structured report covering security, performance, best practices, severity, affected lines or sections, recommended fixes, and an overall quality score.

code-reviewer is an AI code review skill that follows a strict review order: security, performance, correctness, and maintainability. It uses rule files for SQL injection, XSS, N+1 queries, error handling, naming, and type hints, making PR reviews more consistent than a generic review prompt.

cso is a Chief Security Officer–style security audit skill for agents. It helps review codebases and workflows for secrets exposure, dependency and supply-chain risk, CI/CD security, and LLM/AI security using OWASP Top 10 and STRIDE. Use cso for structured Security Audit reviews with confidence gates, active verification, and trend tracking.

memory-safety-patterns helps agents apply RAII, ownership, smart pointers, and resource cleanup across C, C++, and Rust. Use it to review backend or systems code, reduce leaks and dangling pointers, and guide safer refactors around files, sockets, buffers, and FFI boundaries.

attack-tree-construction helps build structured attack trees for Threat Modeling with clear root goals, AND/OR branches, and testable leaf attacks. Use it to map attack paths, expose defense gaps, and support security review, testing, and mitigation planning.

The sast-configuration skill helps configure Semgrep, SonarQube, and CodeQL for real SAST workflows. Use it to plan install steps, CI/CD integration, custom rules, quality gates, and false-positive tuning for Security Audit and repo-specific scanning.

security-requirement-extraction turns threat models and business context into testable security requirements, user stories, acceptance criteria, and backlog-ready outputs for Requirements Planning.

stride-analysis-patterns helps agents run a structured STRIDE threat-modeling pass for architectures, APIs, and data flows. Install from the wshobson/agents repo, read the SKILL.md file, and use it to turn system descriptions into categorized threats and control-focused review output.