Claude
Skills

Security

120 skills · 0 free · cap $19/skill or unlock all for $99

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

Security · scripts

exploiting-insecure-data-storage-in-mobile

Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.

Security · scripts

analyzing-cyber-kill-chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

Security · scripts

evaluating-threat-intelligence-platforms

Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational requirements including feed integration capability, STIX/TAXII support, workflow automation, analyst interface, and total cost of ownership. Use when conducting a TIP procurement, migrating between TIP solutions, or assessing whether the current TIP meets program maturity requirements. Activates for requests involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP procurement decisions.

Security · scripts

compliance-audit

Performs regulatory gap analysis across 7 compliance frameworks with a scored report card and prioritized remediation roadmap. Use when assessing a website or application for GDPR, CCPA, ADA, PCI-DSS, CAN-SPAM, COPPA, or SOC 2 compliance. Trigger with "/compliance-audit" or "audit my website for regulatory compliance".

Security

erpclaw

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Security · scripts

soul-md-maker

SOUL.md Maker — the personality builder for OpenClaw agents. Browse 12 pre-built souls, build your own with a guided interview (Quick or Deep), blend personalities, audit existing souls, and export production-ready SOUL.md files. Works standalone or alongside AI Persona OS. Built by Jeff J Hunter.

Security

payroll-gl-reconciliation

Reconcile payroll processor reports (Gusto, ADP, Paychex, Rippling) to general ledger journal entries in QuickBooks Online, Xero, or other accounting software. Automates journal entry creation from payroll summaries, validates wage/tax/benefit allocations to correct GL accounts, detects variances, and flags discrepancies before month-end close. Produces audit-ready reconciliation workpapers. Use when: reconciling payroll registers to GL, mapping payroll processor exports to chart of accounts, creating payroll journal entries, validating employee benefit deductions, or preparing payroll workpapers. NOT for: payroll processing or running payroll (use your payroll platform), tax filing (W-2, 941), on-chain payroll (use on-chain-payroll), HR onboarding, or benefits enrollment.

Security

threshold-keel

Safety guardrails for autonomous agents. Intercepts destructive actions, requires structured approval before irreversible operations, with CLI-backed cryptographic audit trails and policy enforcement. Your lobster has claws. Keel is the rubber band.

Security

pp-sendgrid

Every Twilio SendGrid endpoint, plus offline suppression diffs, stats time-series rollups, and a template-variable... Trigger phrases: `send transactional mail`, `manage SendGrid suppressions`, `audit SendGrid bounces`, `SendGrid templates lint`, `SendGrid stats rollup`, `use sendgrid`, `run sendgrid`.

Security

pp-semrush

Every Semrush Analytics + Projects feature, plus a local SQLite store and cross-domain joins no other Semrush tool has. Trigger phrases: `show me what changed for <domain> this week`, `find the keyword gap between <my domain> and <competitor>`, `show me new referring domains for <domain>`, `triage my Site Audit`, `what did Semrush cost me this month`, `detect keyword cannibalization on <domain>`, `track SERP feature changes for <keyword>`, `use semrush`, `run semrush`.

Security

pp-lunch-money

A Go CLI for Lunch Money's official v2 OpenAPI — offline SQLite store, subscription detection, and bulk smart... Trigger phrases: `categorize my transactions`, `find duplicate charges`, `subscription audit`, `what's my budget burn`, `net worth at a date`, `use lunch-money-pp`, `run lunch-money`.

Security

pp-bird

Terminal-native CLI for Bird's Conversations and SMS APIs with offline search, batch reconcile, and a local SQLite mirror. Trigger phrases: `send an SMS via Bird`, `audit Bird message delivery`, `search Bird conversations`, `block list opt-outs from Bird`, `Bird tenant readiness check`, `use bird`, `run bird`.

Security

clawdbot-security

Security audit and hardening for Clawdbot/Moltbot installations. Detects exposed gateways, fixes permissions, enables authentication, and guides firewall/Tailscale setup.

Security

code-hardcode-audit

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Security · scripts

openclaw-config

Manage OpenClaw bot configuration - channels, agents, security, and autopilot settings

Security

twilio-admin

Admin: sub-account lifecycle, usage monitoring, number management, compliance SHAKEN/STIR TCR, audit logs

Security

mac-ops

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Security · scripts

a11y-audit

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Security · scripts

assess

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Security · scripts

spring-boot-security-jwt

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Security · scripts

chrome-devtools

Browser automation via Puppeteer CLI scripts (JSON output). Capabilities: screenshots, PDF generation, web scraping, form automation, network monitoring, performance profiling, JavaScript debugging, headless browsing. Actions: screenshot, scrape, automate, test, profile, monitor, debug browser. Keywords: Puppeteer, headless Chrome, screenshot, PDF, web scraping, form fill, click, navigate, network traffic, performance audit, Lighthouse, console logs, DOM manipulation, element selector, wait, scroll, automation script. Use when: taking screenshots, generating PDFs from web, scraping websites, automating form submissions, monitoring network requests, profiling page performance, debugging JavaScript, testing web UIs.

Security · scripts

typo3-conformance

Use when assessing TYPO3 extension quality, conformance checking, standards compliance, modernization to v12/v13/v14 (v14.3 LTS is the default/gold standard), TER readiness, or best practices review. Also triggers on: extension audit, quality score, full assessment, fix all findings, conformance audit, Fluid 5 strict ViewHelpers, ext_tables.php removal, Extbase attributes (Authorize/RateLimit), HashService removal, Bootstrap 5 migration, CSP compliance, ViewHelper security, XLIFF hygiene, PHP 8.4/8.5 compat.

Security · scripts

hipaa-guardian

This skill should be used when the user asks to "scan for PHI", "detect PII", "HIPAA compliance check", "audit for protected health information", "find sensitive healthcare data", "generate HIPAA audit report", "check code for PHI leakage", "scan logs for PHI", "check authentication on PHI endpoints", "scan FHIR resources", "check HL7 messages", or mentions PHI detection, HIPAA compliance, healthcare data privacy, medical record security, logging PHI violations, authentication checks for health data, or healthcare data formats (FHIR, HL7, CDA).

Security · scripts

formal-verify

Continuous formal verification of architectural constraints and code quality. Use when asked to verify, audit, or validate codebase integrity. Runs automatically via hooks on every edit (structural) and pre-commit (full). Catches ownership violations, boundary crossings, state machine bugs, and code smells that grep ratchets miss. Triggers: "verify", "formal verify", "check architecture", "audit code quality", "run verification", "/verify", "/verify --bootstrap", "/verify --grade".

Security · scripts

ansible-validator

Validate, lint, audit, or debug Ansible playbooks, roles, inventories, FQCN, tasks.

Security · scripts

feature-workflow

Apply whenever the task is to build, add, implement, or extend a FEATURE, endpoint, screen, flow, or job in an existing application — not a one-line fix. Enforces plan-before-code: a completed PLAN.md must pass the gate (scripts/plan_check.py) before any implementation begins. Drives the inner loop (compose this feature from the existing substrate, build only what's missing, place it via the boundary-discipline skill) and the outer loop (grow the reusable substrate via a promotion ratchet). Use this whenever someone says "build/add/implement X", "plan this feature", "how should I structure this feature", or is about to start writing feature code. Do NOT skip the gate because the feature "seems small"; the gate is what prevents duplication and entanglement. For a pure code review with no new feature, use boundary-discipline AUDIT mode directly instead.

Security · scripts

gdpr-auditor

This skill should be used when analyzing codebases, applications, databases, or systems for GDPR (General Data Protection Regulation) compliance. Use this skill when users need to audit data protection practices, identify potential compliance issues, assess data handling procedures, review privacy policies, or ensure adherence to EU data protection requirements.

Security · scripts

latex-paper-en

English LaTeX assistant for existing .tex journal or conference papers. Use for compile repair, venue formatting, bibliography/citation checks, section writing, logic, related work, tables, pseudocode, de-AI polish, translation, adaptation, and submission readiness; use latex-thesis-zh for Chinese theses and paper-audit for critique.

Security · scripts

bitget-wallet

Bitget Wallet: token prices, swap quotes, RWA stock trades, security audits. Use when researching tokens or trading via Bitget on supported chains (e.g. honeypot check, USDT→BNB swap quote, RWA TSLA order, K-line on Base).

Security · scripts

qa-expert

This skill should be used when establishing comprehensive QA testing processes for any software project. Use when creating test strategies, writing test cases following Google Testing Standards, executing test plans, tracking bugs with P0-P4 classification, calculating quality metrics, or generating progress reports. Includes autonomous execution capability via master prompts and complete documentation templates for third-party QA team handoffs. Implements OWASP security testing and achieves 90% coverage targets.

Security · scripts

bug-hunter

Adversarial bug hunting with a sequential-first pipeline (Recon, Hunter, Skeptic, Referee) that can optionally use safe read-only parallel triage. Finds, verifies, and auto-fixes real bugs by default (with --scan-only opt-out) using checkpointed verification and resume state for large codebases. Use this skill whenever the user wants bug finding, security audits, regression checks, or code review focused on runtime behavior.

Security · scripts

evomath-tao

Use this skill whenever the user submits a non-trivial mathematical claim that needs a rigorous proof or audit. Trigger on IMO/Putnam/USAMO/Olympiad-style problems, ML/AI theoretical statements, research conjectures, suspected-false claims, multi-step proofs the user already failed on, proof drafts with possible hidden assumptions, or any request containing 'prove rigorously', 'verify this', 'is this true', 'find the gap', 'audit my proof', 'find a counterexample', or 'use EvoMath' that targets a mathematical claim. Activate also when the problem requires more than three reasoning steps. Do NOT use for single-step calculations, definition lookups, textbook exercises with a known recipe, code analysis tasks, literature survey questions, pure symbolic manipulation, or non-mathematical applications of those trigger phrases (e.g., 'is it true that GPT-4 can solve math?', 'verify this LaTeX syntax'); hand those back instead.

Security · scripts

networking

Retrofit, OkHttp, REST APIs, JSON serialization, network security.

Security · scripts

ClawdStrike

Security audit and threat model for OpenClaw gateway hosts. Use to verify OpenClaw configuration, exposure, skills/plugins, filesystem hygiene, and to produce an OK/VULNERABLE report with evidence and fixes.

Security · scripts

ce-compound-refresh

Refresh stale learning and pattern docs under docs/solutions/ by reviewing them against the current codebase, then updating, consolidating, or deleting drifted ones. Use when the user asks to "refresh my learnings", "audit docs/solutions/", "clean up stale learnings", or "consolidate overlapping docs", or when ce-compound flags an older doc as superseded. Do not trigger for general refactor, debugging, or code-review work unless the user has explicitly pointed at docs/solutions/.

Security · scripts

monaco-payslip-calculator

Calculate Monaco payslips (bulletin de salaire) with social security contributions, taxes, and net salary. Use when user requests Monaco payslip calculations, salary breakdowns for Monaco employees, or needs to compute Monegasque employer/employee contributions.

Security · scripts

software-eng-laws

Audit a repository against all 56 software engineering laws from lawsofsoftwareengineering.com. Produces per-law findings with evidence citations and a summary scorecard. Use when the user asks to "audit laws", "check software engineering laws", "score my repo against Conway/Hyrum/DRY/etc.", "run a software laws audit", or references specific named laws from that site.

Security · scripts

tech-debt-analyzer

This skill should be used when analyzing technical debt in a codebase, documenting code quality issues, creating technical debt registers, or assessing code maintainability. Use this for identifying code smells, architectural issues, dependency problems, missing documentation, security vulnerabilities, and creating comprehensive technical debt documentation.

Security · scripts

linear

Manage Linear tickets, projects, milestones, and documents. Use for coordinating work across skills (orca-security, multi-repo) or tracking remediation progress.

Security · scripts

nestjs-best-practices

NestJS best practices and architecture patterns for building production-ready applications. This skill should be used when writing, reviewing, or refactoring NestJS code to ensure proper patterns for modules, dependency injection, security, and performance.

Security · scripts

notebooklm

Query and manage Google NotebookLM notebooks with persistent profile auth, source sync, batch/multi queries, and structured exports. Use when user asks to query NotebookLM, 'ask my notebook', shares NotebookLM notebook URLs, wants to list/create notebooks, manage sources, do bulk folder sync, dedupe, or audit exports.

Security · scripts

openclaw-audit-watchdog

Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Runs deep audits, creates or updates a recurring cron job, and sends formatted reports to configured recipients.

Security · scripts

semantic-slicing

Build local semantic review slices by combining clawpatch feature maps, deepsec threat candidates, visual review maps, and optional gitcrawl/discrawl evidence for repos such as openclaw/openclaw.

Security · scripts

incident-response

Handle security incidents with IR playbooks and procedures. Implement detection, containment, eradication, and recovery processes. Use when responding to security events or building incident response capabilities.

Security · scripts

odoo-17

Odoo 17 development reference for Python models and ORM (search, domain, read_group, compute fields), XML/CSV data and views, OWL/JS client code, QWeb reports, security (ACL, record rules, groups), cron and server actions, migrations and module upgrades, tests, i18n, and performance. Use this skill whenever work involves Odoo 17 or custom addons—even if the user only pastes a traceback, mentions addons/ or __manifest__.py, describes form/tree/kanban/XML errors, HTTP controllers, or business rules on models—including building features, fixing bugs, refactoring, or reviewing addon code.

Security

israeli-accessibility-compliance

Implement Israeli web accessibility compliance per IS 5568 standard, anchored to WCAG 2.0 AA (IS 5568 adds some 2.1-aligned criteria; sources differ), for Hebrew RTL applications. Use when user asks about Israeli accessibility law, "negishot" (accessibility), IS 5568, "teken negishot" (accessibility standard), "nachim" (disabilities), Hebrew screen reader support, RTL ARIA patterns, or accessibility audit for Israeli websites. Covers mandatory legal requirements under the Equal Rights for Persons with Disabilities Act, who is exempt, enforcement and penalties, the accessibility coordinator role, Hebrew screen reader compatibility (NVDA, JAWS, VoiceOver), and RTL-specific ARIA patterns. Do NOT use for general WCAG guidance without Israeli context (use standard a11y resources instead).

Security · scripts

iso27001-sdlc

Scan a software repository for ISO 27001:2022 compliance of its software development controls. Produces a per-control compliance report covering Annex A controls 8.4, 8.25–8.33 (source code access, secure SDLC, application security requirements, secure architecture, secure coding, security testing, outsourced development, environment separation, change management, and test data). Use this skill whenever a user mentions ISO 27001, ISMS compliance, security audit readiness, Annex A controls, secure SDLC compliance, or wants to check whether their codebase meets information security standards. Also trigger when the user asks about audit preparation for software development, security control gaps, or compliance posture of a repository — even if they don't mention ISO 27001 by name but describe wanting to verify security practices against a standard.

Security · scripts

architecture-docs

TRIGGERS for Workflow 10 (Release Architecture Version) — invoke this skill FIRST, do not plan or ask clarifying questions, when user says any of: 'release my architecture', 'release architecture', 'release architecture version', 'publish architecture', 'ship architecture', 'tag architecture version', 'freeze architecture', 'bump architecture version', 'finalize architecture' — these route here, NOT to architecture-docs-export (which only produces Word .docx files). Also use this skill for: creating/updating/maintaining ARCHITECTURE.md, generating Mermaid / C4 diagrams (Workflow 8), migrating to docs/ multi-file layout (Workflow 9), validating/auditing architecture (BIAN, META, standards), answering questions about documented components, data structures, integrations, security, performance, deployment, technology stack, or architectural decisions.

Security

platxa-code-review

Analyzes code for quality, security, efficiency, and maintainability across any language. Use when the user asks to "review code", "review my changes", "check code quality", "security review", "audit this code", "review the diff", or "code review". Reviews files or git diffs using parallel sub-agents per dimension, produces structured reports with weighted scores and actionable recommendations. Supports auto-fix for unambiguous issues and respects project conventions from CLAUDE.md.

Security · scripts

production-ready

Use when preparing any project for production deployment, performing security audits, or release preparation. Triggers on "make production ready", "security audit", "prepare for release", "hardening", "pre-deployment checklist".

Security · scripts

consultant

Consults external AI models (100+ via LiteLLM) for complex analysis. Use for architectural review, security audit, deep code understanding, or when extended reasoning is needed. Runs async with session management.

Security · scripts

owasp-mobile-security-checker

Use when performing security audits, vulnerability assessments, or compliance checks on Flutter or mobile applications. Covers OWASP Mobile Top 10 (2024) — hardcoded secrets (M1), insecure storage (M9), weak cryptography (M10), network issues (M5), and 6 more categories with automated scanners and remediation guidance.

Security · scripts

skill-crafting

Create, fix, and validate skills for AI agents. Use when user says 'create a skill', 'build a skill', 'fix my skill', 'skill not working', 'analyze my skill', 'validate skill', 'audit my skills', 'check character budget', 'create a skill from this session', 'turn this into a skill', 'make this reusable', 'can this become a skill', 'should this be a skill', or asks for reusable patterns in the session. Use even if the user does not explicitly say 'skill' but is sketching a reusable workflow.

Security · scripts

x-ray

Generates an x-ray.md pre-audit report covering overview, enhanced threat model (protocol-type profiling, git-weighted attack surfaces, temporal risk analysis, composability dependency mapping), invariants, integrations, docs quality, test analysis, and developer/git history. Triggers on 'x-ray', 'audit readiness', 'readiness report', 'pre-audit report', 'prep this protocol', 'protocol prep', 'summarize this protocol'.

Security · scripts

xcode-build-orchestrator

Orchestrate Xcode build optimization by benchmarking first, running the specialist analysis skills, prioritizing findings, requesting explicit approval, delegating approved fixes to xcode-build-fixer, and re-benchmarking after changes. Use when a developer wants an end-to-end build optimization workflow, asks to speed up Xcode builds, wants a full build audit, or needs a recommend-first optimization pass covering compilation, project settings, and packages.

Security · scripts

mesh-security

Analyze Istio, Consul, and Linkerd service mesh configurations for security vulnerabilities with NIST 800-53 control mappings. Use when users need to audit mesh security, identify misconfigurations, check mTLS settings, review ACL policies, or prepare for FedRAMP assessments. Triggers on keywords like "mesh config", "istio security", "consul ACL", "linkerd policy", "service mesh audit", or "NIST compliance".

Security

mikrotik-routeros-rsc

Creation, editing, and review of RouterOS scripts (.rsc) with focus on idempotency, security, and best practices. Use when you need to generate, adjust, or import .rsc files for MikroTik: (1) create new configurations via script, (2) edit existing scripts with safe corrections, (3) review risks and execution policies, (4) validate with import dry-run and error handling.

Security · scripts

assumption-validator

Systematically surface, classify, and stress-test assumptions in decisions, strategies, and plans. Transforms hidden assumptions into visible, testable propositions with load-bearing analysis and counterfactual validation. PROACTIVELY activate for: (1) Pre-commitment decision reviews, (2) Strategy validation before execution, (3) Investment due diligence, (4) Architecture decision records, (5) Product direction pivots, (6) Risk assessments requiring assumption audit. Triggers: "validate assumptions", "test assumptions", "assumption check", "stress test this decision", "what are we assuming", "pre-mortem", "what could go wrong", "challenge this plan", "devil's advocate".

Security

security-webshells

Web shell samples for detection and analysis: PHP, ASP, ASPX, JSP, Python, Perl shells. Use for security research and detection system testing.

Security

svg

Generate professional-quality diagrams as raw SVG. Use when the diagram-router selects SVG, or when the user needs pixel-precise control, custom visuals, threat models, comparisons, Venn diagrams, or any diagram type that other formats cannot handle well. SVG is the most expressive format -- unlimited visual possibilities, browser-native rendering.

Security

swiftdata

This skill should be used when working with SwiftData — @Model definitions, @Query, @Relationship, ModelContext, ModelContainer, schema migration, Swift 6 concurrency, performance optimization, or architecture review. Also triggers on: "SwiftData audit", "@Model issues", "SwiftData crashes", "predicate problems", "background context patterns", "N+1 queries", "SwiftData vs SQLiteData vs GRDB", "CloudKit sync with SwiftData", "SwiftData migration fails", or "SwiftData migration diagnostics". Covers auditing existing code, writing new SwiftData code, migration debugging, and architecture review.

Security

promptfoo-redteam-setup

Create or refine promptfoo redteam setup configs: purpose, targets, plugins, strategies, frameworks, multi-input target inputs, policy text, grader guidance, contexts, and static-code-derived target/threat mapping. Use when preparing a red team scan plan from live probes, code evidence, or provider configs, or when generating adversarial test cases for QA. Do not use for basic provider wiring alone or for running/evaluating an already-generated redteam scan.

Security · scripts

software-security

A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.

Security

solidity-auditor

Security audit of Solidity code while you develop. Trigger on "audit", "check this contract", "review for security". Modes - default (full repo) or a specific filename.

Security

angr-analyzer

Analyzes binaries using angr's Python framework for static analysis, symbolic execution, and vulnerability detection. Use when decompiling executables, recovering control flow graphs, finding vulnerabilities via symbolic execution, or analyzing stripped binaries without source access.

Security · scripts

linkedin-personal-branding

Comprehensive LinkedIn personal branding analysis, profile optimization, and visibility improvement skill using Claude for Chrome browser tools. Use when users request LinkedIn profile analysis, personal branding audit, profile optimization recommendations, LinkedIn visibility improvement, headline optimization, About section review, content strategy guidance, engagement analysis, or Social Selling Index improvement. Works with Claude for Chrome to analyze profile photos, banners, headlines, About sections, experience, skills, recommendations, featured content, activity/posts, and network engagement directly from the user's browser.

Security

effect-review-v4

This skill should be used when the user asks to "review effect v4 code", "effect v4 review", "review my effect 4 code", "check effect v4 patterns", "run effect v4 review", "audit the effect codebase", or wants a comprehensive code review of an Effect v4 (effect-smol / the 4.0 beta line) codebase against v4 conventions for Context.Service, Layer composition, Schema.TaggedErrorClass, the flattened Cause, Effect.fn, branded Schema types, observability, effect-atom, and test coverage. Supports reviewing a PR/branch diff or the whole repository. For Effect v3 codebases, use the effect-review skill instead.

Security

gdpr-audit

GDPR compliance audit of code, plans, schemas, or IaC. Produces a findings report with article citations, severity, confidence, and fixes; flags evidence gaps. Not a substitute for a DPO/lawyer.

Security

specstory-guard

Install a pre-commit hook that scans .specstory/history for secrets before commits. Run when user says "set up secret scanning", "install specstory guard", "protect my history", or "check for secrets".

Security · scripts

code-reviewer

Reviews pull requests and code changes for quality, security, and best practices. Use when user asks for code review, PR review, or mentions reviewing changes.

Security · scripts

agentic-shift

Interactive setup for AI-assisted development. Asks about your context (tech stack, compliance needs, security requirements), creates a minimal CLAUDE.md, then walks you through your first AI-generated feature. Adapts to regulated industries, offers add-ons only when relevant.

Security

bash-executor

Included

Execute bash commands and scripts safely with validation, error handling, and security checks. Use for system operations, file management, text processing, and command-line tools.

Security · scripts

dark-pattern-audit

Included

Audit codebases and product copy for deceptive dark patterns that are inferable from local source code and text. Produce a structured narrative report with confidence, source locations, concise reasoning, and the official pattern link for each detected pattern.

Security

ivangrynenko-cursorrules-drupal

Included

Drupal development and security patterns from Ivan Grynenko's cursor rules. Covers OWASP Top 10, authentication, access control, injection prevention, cryptography, configuration, database standards, file permissions, and more.

Security

convex-performance-audit

Included

Audits Convex performance for reads, subscriptions, write contention, and function limits. Use for slow features, insights findings, OCC conflicts, or read amplification.

Security

kompliance-x

Included

Performs intelligent compliance audits for software projects. Automatically detects which regulatory frameworks (GDPR, HIPAA, PCI-DSS, CCPA, SOC 2) apply based on project analysis and user context. Provides tiered reports with executive summaries and detailed technical findings. Use when the user asks about compliance, regulatory requirements, security standards, data protection, or wants to audit their codebase for legal/regulatory adherence.

Security

Reviewing Pull Requests

Included

Use when user mentions reviewing PRs, provides GitHub PR URLs/numbers, or discusses code review. Provides structured analysis of code quality, backward compatibility, security issues, test coverage, and unaddressed comments with categorized findings (Critical/High/Medium/Low). Creates isolated git worktree for safe review, ensures comprehensive security analysis, and generates actionable recommendations. Invoke before analyzing any pull request changes.

Security

luau-best-practices

Included

Luau best practices and clean code patterns for Roblox development. Use this skill when:
- Writing new Luau modules, services, or controllers
- Reviewing code for quality and maintainability
- Setting up project structure and organization
- Implementing error handling and validation
- Managing memory and preventing leaks
- Writing secure server-authoritative code
- Following Roblox-specific conventions
- Refactoring or improving existing code
Triggers: "best practices", "clean code", "code review", "refactor", "code quality", "naming convention", "code style", "module pattern", "service pattern", "memory leak", "error handling", "pcall", "security", "server authority", "validation", "code organization"

Security

shannon

Included

Autonomous AI pentester for web apps and APIs. Run white-box security assessments with Shannon — analyzes source code, identifies attack vectors, and executes real exploits to prove vulnerabilities. Triggered by 'shannon', 'pentest', 'security audit', 'vuln scan'.

Security · scripts

Kascheck

Included

Use when the user asks for a production-readiness audit, project audit, kascheck, or runs /kascheck:audit. Spawns parallel subagents to assess security, code quality, infrastructure, and testing, then produces a scored report with severity-tagged findings and remediation effort estimates. Especially useful for vibe-coded/AI-generated projects.

Security

dd-audit

Included

Audit Trail investigations - who changed what, key compromise, cost spike root cause, compliance evidence (SOC 2/PCI), and AI activity auditing.

Security

security-analysis

Included

Comprehensive security analysis with tech stack detection, vulnerability scanning, and remediation planning

Security

appsec-expert

Included

Elite Application Security engineer specializing in secure SDLC, OWASP Top 10 2025, SAST/DAST/SCA integration, threat modeling (STRIDE), and vulnerability remediation. Expert in security testing, cryptography, authentication patterns, and DevSecOps automation. Use when securing applications, implementing security controls, or conducting security assessments.

Security

ghost-scan-deps

Included

Ghost Security - Software Composition Analysis (SCA) scanner. Scans dependency lockfiles for known vulnerabilities, identifies CVEs, and generates findings with severity levels and remediation guidance. Use when the user asks about dependency vulnerabilities, vulnerable packages, CVE checks, security audits of dependencies, or wants to scan lockfiles like package-lock.json, yarn.lock, go.sum, or Gemfile.lock.

Security

ethical-hacking-ethics

Included

Legal and ethical guidelines for bug bounties, pentesting, and security research. Use when conducting authorized security testing.

Security

miro-code-review

Included

Use when the user wants to create a visual code review on a Miro board from a pull/merge request (GitHub, GitLab, or any forge), local uncommitted changes, or a branch comparison — produces a file-changes table, summary/architecture/security docs, and architecture diagrams, then links them back from the PR/MR.

Security

review-docs

Included

Review documentation (README.md and CLAUDE.md) for quality, completeness, and consistency. Use when asked to review docs, check documentation, validate README files, or audit CLAUDE.md coverage.

Security · scripts

code-reviewer

Included

Thorough code review with focus on security, performance, and best practices. Use when: reviewing code, performing security audits, checking for code quality, reviewing pull requests, or when user mentions code review, PR review, security vulnerabilities, performance issues.

Security

vanity-engineering-review

Included

Reviews codebases, architectures, PRs, and technical plans for vanity engineering — code and systems built for the developer's ego, resume, or intellectual pleasure rather than delivering user or business value. Triggers on: "review this code", "is this over-engineered", "code review", "architecture review", "complexity audit", "vanity check", "is this necessary", "simplify this", "tech debt review", or any request to evaluate whether code or architecture is justified by actual requirements. Also trigger when the user shares a codebase and asks for feedback, when discussing framework/library choices, when reviewing PRs, or when someone is debating whether to refactor or rebuild. Nudge activation when you detect patterns of unnecessary abstraction, premature optimization, or resume-driven technology choices in code the user shares — even if they haven't asked for a vanity review.

Security

accessibility

Included

Audit and improve web accessibility following WCAG 2.2 guidelines. Use when asked to "improve accessibility", "a11y audit", "WCAG compliance", "screen reader support", "keyboard navigation", or "make accessible".

Security

review

Included

Use after all tasks in an epic complete, after refactoring verifies, or before merging to main. Triggers when independent validation is needed that code meets requirements, has no security gaps, passes quality standards, and has no performance regressions. User phrases like "review this", "is this ready to merge", "validate the implementation".

Security

app-audit

Included

Audit Glide apps for performance issues and optimization opportunities. Use when analyzing app performance, identifying bottlenecks in data structure or layout, or providing recommendations for improving app speed and user experience. Automatically triggered when user provides a Glide app URL for audit, including read-only support-mode URLs of the form https://go.glideapps.com/support/{uuid}.

Security

iso-42001-ai-governance

Included

AI governance readiness and gap assessment using ISO/IEC 42001:2023. Evaluate AI management-system practices for risk management, accountability, transparency, security, and continuous improvement.

Security

sarif-issue-reporter

Included

Analyze SARIF files and generate security reports with CVSS scoring, exploitation scenarios, and remediation guidance. Use when reviewing static analysis results.

Security · scripts

fivem-development

Included

Develops resources for FiveM using vRP Creative Network with Lua. Covers resource creation, Proxy/Tunnel system, inventory, money, groups, identity, NUI, database (oxmysql), security, and performance. Use when the user works with FiveM, vRP, Lua scripts for GTA V servers, or mentions resources, client/server scripts, natives, NUI, or any system of the vRP Creative Network framework.

Security

oracle

Included

Strategic technical advisor with two modes. Use for second opinions, architecture decisions, debugging, security analysis, and research. REPO MODE explores your codebase autonomously (finds gaps, reviews code, traces bugs). WEB MODE researches external info via @steipete/oracle CLI (current best practices, library comparisons, docs). Run both in parallel when comparing your implementation against current standards.

Security · scripts

telnetshell

Included

Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.

Security

pentest-report

Included

Generates a structured penetration testing report based on OWASP standards including OWASP Top 10, ASVS, and WSTG methodology. Scans code for vulnerabilities, maps findings to OWASP categories, assigns CVSS scores, and produces a professional pentest report. Use when the user says "pentest report", "penetration testing", "OWASP audit", "OWASP report", "security assessment", "vulnerability assessment", "application security test", or "OWASP compliance check".

Security

project-audit

Included

Deep diagnostic of Claude/SDD configuration. Read-only. Produces audit-report.md consumed by /project-fix. Trigger: /project-audit, audit project, review claude config, project health check.

Security

tech-debt-report

Included

Quantifies technical debt across the codebase by scanning for code smells, outdated dependencies, complexity hotspots, missing tests, TODOs, dead code, and architectural issues. Produces a prioritized report with effort estimates and business impact. Saves output to project-decisions/ folder. Use when the user says "tech debt report", "how much tech debt", "technical debt", "code health", "codebase health check", "what needs cleanup", "debt audit", "code quality report", "health check", or "what's the state of our codebase?".

Security

audit

Included

Comprehensive codebase audit with verification and specialized reviewers. Generates actionable reports. Use when asked to "audit the codebase", "review code quality", "check for issues", "security review", or "performance audit". By default, run the complete audit: mechanical checks first, then specialist reviewers, then a scored report.

Security

build-audit-logs

Included

Build or review audit trails in TypeScript/JavaScript apps using evlog (pipelines, typed actions, denials, retention, compliance-style reviews). For application code, not for extending the evlog package.

Security

code-auditing

Included

This skill should be used when the user asks to "audit code", "find technical debt", "perform a security review", "identify dead code", "analyze code quality", "check best practices", "run a code audit", or needs a systematic methodology for comprehensive codebase analysis.

Security

picocom

Included

Use picocom to interact with IoT device UART consoles for pentesting operations including device enumeration, vulnerability discovery, bootloader manipulation, and gaining root shells. Use when the user needs to interact with embedded devices, IoT hardware, or serial consoles.

Security

document-accessibility-wizard

Included

Interactive document accessibility audit wizard. Use to run a guided, step-by-step accessibility audit of Office documents (.docx, .xlsx, .pptx) and PDFs. Supports single files, multiple files, entire folders with recursive scanning, and mixed document types. Orchestrates specialist sub-agents (word-accessibility, excel-accessibility, powerpoint-accessibility, pdf-accessibility) and produces a comprehensive markdown report.

Security

openclaw-config

Included

Manage OpenClaw bot configuration - channels, agents, security, and autopilot settings

Security

package-security

Included

Secure project dependencies with INFYNON CLI (`infynon pkg`). Use when the user asks about CVE scanning, vulnerable packages, dependency auditing, secure installs, or when lock files are detected in the project.

Security

web-accessibility-wizard

Included

Interactive web accessibility review wizard. Runs a guided, step-by-step WCAG audit of your web application. Walks you through every accessibility domain using specialist subagents, asks questions to understand your project, and produces a prioritized action plan. Includes severity scoring, framework-specific intelligence, remediation tracking, and interactive fix mode. For document accessibility (Word, Excel, PowerPoint, PDF), use the document-accessibility-wizard instead.

Security

VibeSec-Skill

Included

This skill helps Claude write secure web applications. Use this when working on any web application or when a user requests a scan or audit to ensure security best practices are followed.

Security

yara-rule-authoring

Included

Guides authoring of high-quality YARA-X detection rules for malware identification. Use when writing, reviewing, or optimizing YARA rules. Covers naming conventions, string selection, performance optimization, migration from legacy YARA, and false positive reduction. Triggers on: YARA, YARA-X, malware detection, threat hunting, IOC, signature, crx module, dex module.

Security

code-review

Included

This skill should be used when the user asks to review code, check a PR, audit a file or module, look at code quality, assess a codebase, or says things like "what do you think of this code", "review my changes", "look at this file", "check this PR", or "does this look right". Trigger on any request to evaluate, critique, or assess code — even casually phrased ones. Performs thorough, senior-engineer-quality code reviews that go beyond bug detection.

Security

harness-writing

Included

Techniques for writing effective fuzzing harnesses across languages. Use when creating new fuzz targets or improving existing harness code.

Security

codeql

Included

Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality suite) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.

Security

develop-secure-contracts

Included

Develop secure smart contracts using OpenZeppelin Contracts libraries. Use when users need to integrate OpenZeppelin library components — including token standards (ERC20, ERC721, ERC1155), access control (Ownable, AccessControl, AccessManager), security primitives (Pausable, ReentrancyGuard), governance (Governor, timelocks), or accounts (multisig, account abstraction) — into existing or new contracts. Covers pattern discovery from library source, CLI contract generators, and library-first integration. Supports Solidity, Cairo, Stylus, and Stellar.

Security

pagespeed-insights

Included

Audit web pages for performance optimization following PageSpeed Insights guidelines. Use when analyzing page performance, optimizing web applications, reviewing performance metrics, implementing Core Web Vitals improvements, or when the user mentions page speed, performance optimization, Lighthouse scores, or Core Web Vitals.

Security

tm-status

Included

Show current threat model status including asset counts, threat distribution, control verification status, and compliance coverage. Use when checking threat model status, getting overview of security posture, or reviewing current state.

Security

app-rejection-recovery

Included

When the user's app or update was rejected by Apple App Review or Google Play Review and they need to diagnose why, fix it, and resubmit fast. Use when the user mentions "app rejected", "App Review rejection", "guideline violation", "Apple rejected my app", "Google Play rejected", "Play policy violation", "Resolution Center", "metadata rejection", "binary rejection", "guideline 2.1", "guideline 4.3", "guideline 5.1.1", "Sign in with Apple required", "Apple ID rejection", "Play Store suspension", "appeal", "I need to respond to App Review", or "expedited review". For pre-submission listing health, see aso-audit. For metadata-only fixes, see metadata-optimization.

Security

category-positioning

Included

When the user wants to choose, change, or evaluate their App Store / Google Play category and subcategory — including primary vs secondary category trade-offs, chart-rank competitive analysis, category-driven discoverability, and how category choice affects featuring eligibility. Use when the user mentions "which category", "App Store category", "primary category", "secondary category", "change my category", "Health & Fitness vs Lifestyle", "Productivity vs Utilities", "rank higher in a smaller category", "category chart", "subcategory", "Play Store category", or "should I switch categories". For full ASO health beyond category, see aso-audit. For competitor analysis within the chosen category, see competitor-analysis. For chart movements within categories, see market-movers.

Security

frank-grimes

Included

A clinical, pessimistic iteration loop for systematically destroying, rebuilding, and hardening ideas. Assumes everything is broken until proven otherwise. Use for code review (especially AI-generated), architecture review, pre-mortems, security review, incident response fixes, or any time you need to find everything wrong with an idea before shipping it. Invoke with /frank-grimes:grind or when asked to "red team", "critique", "find problems with", or "do a pre-mortem on" something.

Security
