Agent-Skills.md

Agent Skills: Security Skill

Security validation, vulnerability scanning, and compliance checking for development environments. Auto-activates on keywords security, vulnerability, audit, OWASP, encryption, GPG, SSH, signing, secrets, scan. Routes to specialized security workflows.

UncategorizedID: williaby/.claude/security

Repository

williaby/.claude
williaby

Install this agent skill to your local

pnpm dlx add-skill https://github.com/williaby/.claude/tree/HEAD/skills/security

Skill Files

Browse the full folder contents for security.

Download Skill

Loading file tree…

skills/security/SKILL.md

Skill Metadata

Name
security
Description
Security validation, vulnerability scanning, and compliance checking for development environments. Auto-activates on keywords security, vulnerability, audit, OWASP, encryption, GPG, SSH, signing, secrets, scan. Routes to specialized security workflows.

Security Skill

Comprehensive security domain for development environment validation, vulnerability scanning, and security compliance. Provides automated security workflows with intelligent routing based on user intent.

Auto-Activation Keywords

This skill activates automatically when you mention:

  • General: security, secure, vulnerability, vulnerabilities
  • Validation: validate security, security check, environment security
  • Scanning: scan, security scan, vulnerability scan, dependency scan
  • Encryption: encrypt, decrypt, GPG, PGP, secrets
  • Signing: sign commits, SSH key, GPG key, signed commits
  • Compliance: OWASP, audit, security audit, compliance
  • Tools: safety, bandit, semgrep, security tools

Routing Logic

Based on user intent, this skill routes to appropriate workflows:

Environment Validation

Keywords: "validate security", "check security environment", "security setup", "GPG key", "SSH key"

  • Simple validation → Use /security/validate-env workflow
  • Comprehensive audit → Invoke security-auditor agent

Vulnerability Scanning

Keywords: "scan dependencies", "security scan", "vulnerability check", "safety check", "bandit"

  • Dependency scanning → Use /security/scan workflow
  • Full security audit → Invoke security-auditor agent

File Encryption

Keywords: "encrypt", "decrypt", "GPG encrypt", "protect secrets", "encrypt .env"

  • File encryption/decryption → Use /security/encrypt workflow
  • Secrets management review → Invoke security-auditor agent

Security Audit

Keywords: "security audit", "penetration test", "threat assessment", "vulnerability assessment"

  • Complex security audit → Invoke security-auditor agent directly
  • Compliance validation → Use workflows + agent for comprehensive review

Workflow Quick Reference

# Validate security environment
/security/validate-env [--verbose]

# Scan for vulnerabilities
/security/scan [--type=dependencies|code|all]

# Encrypt/decrypt files
/security/encrypt [file-path]
/security/decrypt [file-path]

Complex Task Delegation

For comprehensive security analysis, invoke the security-auditor agent via Task tool:

Use security-auditor agent when:
- Conducting full security audits across multiple components
- Threat modeling and risk assessment
- Compliance validation against security standards
- Penetration testing simulation
- Security architecture review

Supporting Context

  • OWASP Top 10: See context/owasp-top-10.md for common vulnerabilities
  • Security commands: See context/security-commands.md for comprehensive command reference
  • Security standards: See /standards/security.md for project requirements

Integration Points

Agents

  • security-auditor: Comprehensive security audits and vulnerability assessment
  • test-engineer: Security testing integration (via testing/workflows/security.md)

MCP Tools

  • mcp__zen-core__chat: Multi-model consensus for security decisions

Hooks

  • Pre-commit: Security validation on file changes
  • Post-tool-use: MCP usage tracking

Standards

  • Security standards: /standards/security.md (GPG/SSH requirements, encrypted secrets)
  • Git workflow: /standards/git-workflow.md (signed commits requirement)

Security Requirements Summary

Required for all projects:

  • GPG key configured (for .env encryption)
  • SSH key configured and loaded (for signed commits)
  • Git signing enabled (commit.gpgsign = true)
  • No secrets in repository (use encrypted .env files)
  • Dependency scanning (safety check passes)
  • Static analysis (bandit passes)

Git signing configuration:

# SSH signing (recommended)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

# Or GPG signing
git config --global user.signingkey <GPG_KEY_ID>
git config --global commit.gpgsign true

Dependency scanning:

# Check Python dependencies
poetry run safety check --full-report

# Static security analysis
poetry run bandit -r src

Secrets encryption:

# Encrypt .env file
gpg --symmetric --cipher-algo AES256 .env

# Decrypt .env file
gpg --decrypt .env.gpg > .env

Examples

Example 1: Validate security environment

User: "Can you check if my security environment is properly configured?"
→ Security skill auto-activates
→ Routes to /security/validate-env workflow
→ Validates GPG keys, SSH keys, Git signing, environment setup

Example 2: Scan for vulnerabilities

User: "Scan my project for security vulnerabilities"
→ Security skill auto-activates
→ Routes to /security/scan workflow
→ Runs safety check and bandit analysis
→ Reports vulnerabilities with remediation steps

Example 3: Comprehensive security audit

User: "Perform a comprehensive security audit of the authentication system"
→ Security skill auto-activates
→ Invokes security-auditor agent
→ Agent performs:
  - Threat modeling
  - Vulnerability assessment
  - Code review for security issues
  - Compliance validation
  - Risk-prioritized recommendations

Example 4: Encrypt sensitive file

User: "Encrypt my .env file with GPG"
→ Security skill auto-activates
→ Routes to /security/encrypt workflow
→ Encrypts file with AES256
→ Provides decryption instructions

This skill consolidates check-security-env skill and security commands into a unified security domain with intelligent routing.