Agent Skills: Security Skills Discovery

Security Skills Discovery

Provides automatic access to comprehensive application security, vulnerability assessment, and security best practices skills.

When This Skill Activates

This skill auto-activates when you're working with:

• Authentication and authorization systems
• Input validation and sanitization
• Security headers (CSP, HSTS, CORS)
• Vulnerability scanning and penetration testing
• OWASP Top 10 vulnerabilities
• Secrets management (Vault, AWS Secrets Manager)
• SQL injection, XSS, or other attack prevention
• Security hardening and compliance
• Password hashing and credential management
• API security and access control

Available Skills

Quick Reference

The Security category contains 6 specialized skills:

1. authentication - Authentication patterns (JWT, OAuth2, sessions, MFA, password security)
2. authorization - Access control (RBAC, ABAC, policy engines, permissions)
3. input-validation - Input validation and sanitization (SQL injection, XSS, command injection)
4. security-headers - HTTP security headers (CSP, HSTS, X-Frame-Options, CORS)
5. vulnerability-assessment - Security testing (OWASP Top 10, scanning tools, pentesting)
6. secrets-management - Secrets handling (Vault, AWS Secrets Manager, key rotation)

Load Full Category Details

For complete descriptions and workflows:

Read <cc-polymath-root>/skills/security/INDEX.md

This loads the full Security category index with:

• Detailed skill descriptions
• Usage triggers for each skill
• Common workflow combinations
• Cross-references to related skills

Load Specific Skills

Load individual skills as needed:

Identity and access

Read <cc-polymath-root>/skills/security/authentication.md Read <cc-polymath-root>/skills/security/authorization.md

Input security

Read <cc-polymath-root>/skills/security/input-validation.md Read <cc-polymath-root>/skills/security/security-headers.md

Security operations

Read <cc-polymath-root>/skills/security/vulnerability-assessment.md Read <cc-polymath-root>/skills/security/secrets-management.md

Common Workflows

Secure Web Application

Sequence: Authentication → Authorization → Input validation → Security headers

Read <cc-polymath-root>/skills/security/authentication.md # User login Read <cc-polymath-root>/skills/security/authorization.md # Access control Read <cc-polymath-root>/skills/security/input-validation.md # XSS/SQL injection prevention Read <cc-polymath-root>/skills/security/security-headers.md # Browser protection

Security Audit

Sequence: Vulnerability assessment → Input validation → Headers → Secrets

Read <cc-polymath-root>/skills/security/vulnerability-assessment.md # OWASP Top 10 testing Read <cc-polymath-root>/skills/security/input-validation.md # Injection testing Read <cc-polymath-root>/skills/security/security-headers.md # Header configuration Read <cc-polymath-root>/skills/security/secrets-management.md # Credential security

API Security

Sequence: Authentication → Authorization → Input validation → Secrets

Read <cc-polymath-root>/skills/security/authentication.md # JWT/OAuth2 Read <cc-polymath-root>/skills/security/authorization.md # API access control Read <cc-polymath-root>/skills/security/input-validation.md # Request validation Read <cc-polymath-root>/skills/security/secrets-management.md # API key management

DevSecOps Pipeline

Sequence: Vulnerability assessment → Secrets → Input validation

Read <cc-polymath-root>/skills/security/vulnerability-assessment.md # Security scanning Read <cc-polymath-root>/skills/security/secrets-management.md # CI/CD secrets Read <cc-polymath-root>/skills/security/input-validation.md # SAST validation

Secure New Application

Full security implementation from scratch:

1. Identity and access

Read <cc-polymath-root>/skills/security/authentication.md Read <cc-polymath-root>/skills/security/authorization.md

2. Input protection

Read <cc-polymath-root>/skills/security/input-validation.md Read <cc-polymath-root>/skills/security/security-headers.md

3. Operations

Read <cc-polymath-root>/skills/security/secrets-management.md Read <cc-polymath-root>/skills/security/vulnerability-assessment.md

Skill Selection Guide

Choose Authentication when:

• Implementing user login systems
• Working with JWT, OAuth2, or sessions
• Adding multi-factor authentication
• Managing passwords and credentials

Choose Authorization when:

• Implementing access control
• Building role-based permissions (RBAC)
• Working with policy engines (OPA, Casbin)
• Preventing privilege escalation

Choose Input Validation when:

• Processing user input
• Preventing SQL injection
• Protecting against XSS attacks
• Validating file uploads
• Preventing command injection

Choose Security Headers when:

• Configuring Content Security Policy (CSP)
• Implementing HTTPS enforcement (HSTS)
• Setting up CORS for APIs
• Preventing clickjacking
• Hardening web applications

Choose Vulnerability Assessment when:

• Testing for OWASP Top 10
• Running security scans (SAST/DAST)
• Performing penetration tests
• Auditing application security
• Setting up security CI/CD

Choose Secrets Management when:

• Storing API keys or credentials
• Integrating with HashiCorp Vault
• Using AWS Secrets Manager or GCP Secret Manager
• Rotating encryption keys
• Managing CI/CD secrets

Integration with Other Skills

Security skills commonly combine with:

API skills (discover-api):

• API authentication and authorization
• API input validation
• API rate limiting (abuse prevention)
• Securing REST and GraphQL endpoints

Database skills (discover-database):

• SQL injection prevention
• Database connection security
• Credential management
• Row-level security

Frontend skills (discover-frontend):

• XSS prevention in React/Vue
• Content Security Policy
• Secure cookie handling
• Client-side validation

Infrastructure skills (discover-infrastructure, discover-cloud):

• Secrets management in deployments
• Network security
• Container security scanning
• TLS/SSL configuration

Testing skills (discover-testing):

• Security integration tests
• Penetration testing
• Automated security scans
• Vulnerability regression tests

Usage Instructions

1. Auto-activation: This skill loads automatically when Claude Code detects security-related work
2. Browse skills: Run Read <cc-polymath-root>/skills/security/INDEX.md for full category overview
3. Load specific skills: Use bash commands above to load individual skills
4. Follow workflows: Use recommended sequences for common security patterns
5. Combine skills: Load multiple skills for comprehensive security coverage

Progressive Loading

This gateway skill (~200 lines, ~2K tokens) enables progressive loading:

• Level 1: Gateway loads automatically (you're here now)
• Level 2: Load category INDEX.md (~3K tokens) for full overview
• Level 3: Load specific skills (~2-4K tokens each) as needed

Total context: 2K + 3K + skill(s) = 5-12K tokens vs 30K+ for entire index.

Quick Start Examples

"Implement user authentication": Read <cc-polymath-root>/skills/security/authentication.md

"Add role-based access control": Read <cc-polymath-root>/skills/security/authorization.md

"Prevent SQL injection": Read <cc-polymath-root>/skills/security/input-validation.md

"Configure Content Security Policy": Read <cc-polymath-root>/skills/security/security-headers.md

"Test for OWASP vulnerabilities": Read <cc-polymath-root>/skills/security/vulnerability-assessment.md

"Integrate HashiCorp Vault": Read <cc-polymath-root>/skills/security/secrets-management.md

"Secure API with JWT": Read <cc-polymath-root>/skills/security/authentication.md Read <cc-polymath-root>/skills/security/authorization.md

Next Steps: Run Read <cc-polymath-root>/skills/security/INDEX.md to see full category details, or load specific skills using the bash commands above.