Security

29 skills with this tag

affaan-m
Passed
Security Review
A comprehensive security review skill that provides checklists and code examples for secure coding practices. It covers secrets management, input validation, SQL injection prevention, XSS/CSRF protection, authentication, rate limiting, cloud IAM, logging, CI/CD pipeline security, and disaster recovery. This is purely educational documentation with no executable code.
Security, Best Practices, Checklist (+3)
35932.2k
wshobson
Passed
stride-analysis-patterns
Applies the STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to systematically identify security threats. Provides templates for threat model documents, Python code examples for building automated analysis tools, and guidance for conducting threat modeling sessions.
Security, Threat Modeling, Stride (+3)
51927.0k
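Added example (not code from the stride-analysis-patterns skill): a small STRIDE enumerator of the kind the entry above describes. It walks a data-flow diagram, emits one candidate threat per element and applicable STRIDE category that is not already marked mitigated, and renders the result as a Markdown table for a threat-model document. The element schema (process / datastore / dataflow / external, a trust-boundary flag on flows), the per-kind applicability table and the sample browser -> API -> database diagram are this example's own assumptions.

```python
"""Enumerate STRIDE threats from a small data-flow diagram (DFD).

Added example; not code from the skill listed above. The element schema and the
element-kind -> STRIDE applicability table are this example's own assumptions
(the table follows the common per-element mapping: processes face all six,
data stores T/R/I/D, data flows T/I/D, external entities S/R).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Set

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

APPLICABLE = {
    "process": set("STRIDE"),
    "datastore": set("TRID"),
    "dataflow": set("TID"),
    "external": set("SR"),
}


@dataclass
class Element:
    name: str
    kind: str                                        # process | datastore | dataflow | external
    crosses_trust_boundary: bool = False             # meaningful for dataflows only
    mitigated: Set[str] = field(default_factory=set) # STRIDE letters already addressed


@dataclass
class Threat:
    element: str
    category: str
    severity: str
    note: str


def analyze(elements: List[Element]) -> List[Threat]:
    """One Threat per (element, applicable STRIDE category) that is not yet mitigated."""
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind {e.kind!r} on {e.name!r}")
        for letter in "STRIDE":                      # fixed order keeps reports diff-friendly
            if letter not in APPLICABLE[e.kind] or letter in e.mitigated:
                continue
            severity = "medium"
            note = f"{STRIDE[letter]} of {e.kind} {e.name!r}"
            # Flows crossing a trust boundary are where tampering and disclosure bite hardest.
            if e.kind == "dataflow" and e.crosses_trust_boundary and letter in "TI":
                severity = "high"
                note += " (crosses a trust boundary; needs integrity/confidentiality on the wire)"
            # Privilege escalation inside a process is the classic route to full compromise.
            elif e.kind == "process" and letter == "E":
                severity = "high"
            threats.append(Threat(e.name, STRIDE[letter], severity, note))
    return threats


def summarize(threats: List[Threat]) -> dict:
    """Category -> count, sorted by category name."""
    return dict(sorted(Counter(t.category for t in threats).items()))


def render_markdown(threats: List[Threat]) -> str:
    """Markdown table for the threat-model document; high severity sorts first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = ["| Element | Category | Severity | Note |", "|---|---|---|---|"]
    for t in sorted(threats, key=lambda t: (order[t.severity], t.element, t.category)):
        rows.append(f"| {t.element} | {t.category} | {t.severity} | {t.note} |")
    return "\n".join(rows)


# Constructed sample DFD (assumption): browser -> API -> database. TLS on the
# internet-facing flow and caller authentication on the API are already recorded
# as mitigations, so those categories are not re-reported.
SAMPLE_DFD = [
    Element("Browser", "external"),
    Element("API server", "process", mitigated={"S"}),
    Element("Users DB", "datastore"),
    Element("Browser->API", "dataflow", crosses_trust_boundary=True, mitigated={"I"}),
    Element("API->DB", "dataflow"),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_DFD)
    print(summarize(found))
    print(render_markdown(found))
```

The applicability table is the usual starting point, not the end of the session: the value of a tool like this is the list of unmitigated (element, category) pairs it forces the team to discuss, and each row should either gain a mitigation or an explicit accept-risk note in the document.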
wshobson
Passed
auth-implementation-patterns
A comprehensive reference guide for implementing authentication and authorization systems. Covers JWT tokens, OAuth2/social login, session management, role-based access control (RBAC), and security best practices with TypeScript/Express code examples.
Authentication, Authorization, Jwt (+3)
35827.0k
wshobson
Passed
k8s-security-policies
A comprehensive guide for implementing Kubernetes security policies including NetworkPolicy for network segmentation, RBAC for access control, Pod Security Standards for container hardening, and OPA Gatekeeper for policy enforcement. Provides ready-to-use YAML templates and best practices for production-grade cluster security.
Kubernetes, Security, Rbac (+3)
57427.0k
wshobson
Passed
solidity-security
A comprehensive guide to smart contract security for Solidity developers. Covers critical vulnerabilities like reentrancy, integer overflow, and access control issues, along with secure coding patterns, gas optimization techniques, and testing strategies for blockchain applications.
Solidity, Smart Contracts, Blockchain (+3)
57927.0k
wshobson
Passed
secrets-management
This skill provides comprehensive guidance for implementing secure secrets management in CI/CD pipelines. It covers HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager integration, along with best practices for secret rotation, scanning, and Kubernetes secrets synchronization.
Secrets Management, Cicd, Vault (+3)
59427.0k
anthropics
Passed
Stripe Best Practices
A comprehensive marketplace plugin directory containing Stripe payment integration best practices, language server protocol support for multiple programming languages, security pattern detection hooks, and MCP integrations for popular services like GitHub, Slack, Linear, and Supabase.
Stripe, Payments, Marketplace (+3)
525.1k
anthropics
Passed
Stripe Best Practices
This is the official Claude Code plugins marketplace containing curated extensions including Stripe payment integration best practices, language server protocols for code intelligence, security guidance hooks, and various productivity tools for development workflows.
Stripe, Payments, Marketplace (+4)
6375.0k
anthropics
Passed
Stripe Best Practices
This is Anthropic's official Claude Code plugins directory containing Stripe payment integration best practices, language server support for 11+ programming languages, security pattern detection hooks, and integrations with services like GitHub, GitLab, Slack, Linear, Asana, and Supabase. The Stripe skill specifically guides developers on using Checkout Sessions, Payment Elements, webhooks, and Connect platforms following Stripe's recommended patterns.
Stripe, Payments, Api Integration (+3)
18615.0k
trailofbits
Passed
Semgrep
A comprehensive guide for using Semgrep, a fast static analysis tool for finding bugs and security vulnerabilities. Covers installation, custom rule writing, CI/CD integration with GitHub Actions, and best practices for security scanning without sharing code with third parties.
Security, Static Analysis, Code Scanning (+3)
1462.1k
trailofbits
Passed
Codeql
CodeQL is a static analysis framework that compiles code into a relational database and queries it for security vulnerabilities and code patterns. This skill documents how to create CodeQL databases, write custom queries, integrate with CI/CD pipelines, and use the framework for interprocedural control-flow and data-flow analysis across C/C++, Go, Java, JavaScript, Python, and the other supported languages.
Security, Static Analysis, Codeql (+3)
902.1k
trailofbits
Passed
Variant Analysis
A variant analysis skill that helps security researchers find similar vulnerabilities across a codebase after discovering an initial bug. It provides a structured methodology for pattern-based searching, ready-to-use Semgrep rule templates for multiple languages (Python, JavaScript, Java, Go, C++), and documentation templates for tracking findings.
Security, Variant Analysis, Semgrep (+3)
542.1k
trailofbits
Passed
Wycheproof
A documentation skill for validating cryptographic implementations against the Wycheproof test vectors. It covers testing workflows for AES-GCM, ECDSA, ECDH, RSA, and other algorithms, with examples in Python and JavaScript.
Cryptography, Testing, Security (+2)
1102.1k
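Added example (not code from the Wycheproof skill or from the Wycheproof project): a runner for Wycheproof-style vectors, shown here for HMAC-SHA256 because it needs nothing outside the Python standard library. The vector file is constructed by hand in Wycheproof's JSON layout (testGroups with a tagSize, tests with hex key/msg/tag and a result of valid, invalid or acceptable); the only reference value in it is the widely published HMAC-SHA256 of "key" over the quick-brown-fox sentence, and the other vectors are derived from that tag. A second, deliberately buggy verifier shows the kind of defect such vectors exist to catch: it truncates the expected MAC to whatever tag length the caller supplied, so an empty tag verifies.

```python
"""Run Wycheproof-style MAC test vectors against a verifier.

Added example; not code from the skill listed above or from the Wycheproof project.
The vectors are constructed in Wycheproof's JSON shape; the 256-bit tag for
key "key" / fox message is the published HMAC-SHA256 reference value.
"""
import hashlib
import hmac
import json

KEY_HEX = b"key".hex()
MSG_HEX = b"The quick brown fox jumps over the lazy dog".hex()
FOX_TAG = "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"

# Constructed vector set (assumption): same layout as Wycheproof's hmac_sha256_test.json.
VECTORS = json.dumps({
    "algorithm": "HMACSHA256",
    "testGroups": [
        {"keySize": 24, "tagSize": 256, "type": "MacTest", "tests": [
            {"tcId": 1, "comment": "reference value", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": FOX_TAG, "result": "valid", "flags": []},
            {"tcId": 2, "comment": "last byte flipped", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": FOX_TAG[:-2] + "d9", "result": "invalid", "flags": []},
            {"tcId": 5, "comment": "empty tag must never verify", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": "", "result": "invalid", "flags": []},
        ]},
        {"keySize": 24, "tagSize": 128, "type": "MacTest", "tests": [
            {"tcId": 3, "comment": "truncated to 128 bits", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": FOX_TAG[:32], "result": "valid", "flags": []},
            {"tcId": 4, "comment": "wrong half of the full tag", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": FOX_TAG[32:], "result": "invalid", "flags": []},
        ]},
    ],
})


def verify_hmac_sha256(key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """Correct verifier: fixed expected length from the group, constant-time compare."""
    if tag_bits % 8 or not 64 <= tag_bits <= 256:   # refuse odd or too-short truncations
        return False
    expected = hmac.new(key, msg, hashlib.sha256).digest()[: tag_bits // 8]
    # compare_digest is constant-time and returns False on a length mismatch;
    # never use == on MACs.
    return hmac.compare_digest(expected, tag)


def verify_hmac_sha256_buggy(key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """Deliberately wrong: truncates to the attacker-supplied tag length (empty tag passes)."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected[: len(tag)], tag)


def run_vectors(vectors_json: str, verify) -> dict:
    """Apply every vector to `verify`; a vector fails when the verdict contradicts `result`."""
    doc = json.loads(vectors_json)
    report = {"passed": 0, "acceptable": 0, "failed": []}
    for group in doc["testGroups"]:
        tag_bits = group["tagSize"]
        for t in group["tests"]:
            ok = verify(bytes.fromhex(t["key"]), bytes.fromhex(t["msg"]),
                        bytes.fromhex(t["tag"]), tag_bits)
            if t["result"] == "acceptable":          # either verdict allowed; just count it
                report["acceptable"] += 1
            elif ok == (t["result"] == "valid"):
                report["passed"] += 1
            else:
                report["failed"].append({"tcId": t["tcId"], "comment": t["comment"],
                                         "expected": t["result"],
                                         "got": "valid" if ok else "invalid"})
    return report


if __name__ == "__main__":
    print("correct verifier:", run_vectors(VECTORS, verify_hmac_sha256))
    print("buggy verifier:  ", run_vectors(VECTORS, verify_hmac_sha256_buggy))
```

The same loop works unchanged on a real Wycheproof file once `verify` is swapped for the implementation under test; the point of keeping the expected length in the group rather than taking it from the tag is exactly what tcId 5 checks.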
trailofbits
Passed
Sarif Parsing
A comprehensive skill for parsing and analyzing SARIF (Static Analysis Results Interchange Format) files from security scanning tools. It provides ready-to-use jq queries, Python helper functions for extracting findings, and best practices for aggregating, deduplicating, and integrating SARIF data into CI/CD pipelines.
Sarif, Security, Static Analysis (+3)
862.1k
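Added example (not code from the Sarif Parsing skill): a Python aggregator of the kind the entry above describes. It flattens every result from every run in a SARIF 2.1.0 document, resolves the level the way the spec does (result level, else the rule's defaultConfiguration, else warning), keys findings on the tool's partialFingerprints where present, de-duplicates, and applies a CI gate. The two runs in the sample are a constructed document in the shape Semgrep and CodeQL emit; the rule IDs, paths and line numbers are made up for illustration.

```python
"""Extract, normalise and de-duplicate findings from SARIF 2.1.0 output.

Added example; not code from the skill listed above. SAMPLE_SARIF is a
constructed document in the shape Semgrep and CodeQL emit.
"""
import json
from collections import Counter

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}   # SARIF result.level values

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "python.lang.security.audit.subprocess-shell-true",
             "defaultConfiguration": {"level": "error"}}]}},
         "results": [
            {"ruleId": "python.lang.security.audit.subprocess-shell-true",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"},
                                                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"matchBasedId/v1": "abc123"}},
            # Same finding reported twice (overlapping rule packs): a duplicate.
            {"ruleId": "python.lang.security.audit.subprocess-shell-true",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"},
                                                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"matchBasedId/v1": "abc123"}},
            # No level on the result and no rule metadata: SARIF defaults this to "warning".
            {"ruleId": "generic.secrets.hardcoded-key",
             "message": {"text": "possible hardcoded key"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config.py"},
                                                 "region": {"startLine": 7}}}]}]},
        {"tool": {"driver": {"name": "CodeQL"}},
         "results": [
            {"ruleId": "py/command-line-injection", "level": "error",
             "message": {"text": "command built from user input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/run.py"},
                                                 "region": {"startLine": 42}}}]},
            # A result with no location at all; keep it rather than crash on it.
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "unused import"}, "locations": []}]},
    ],
})


def _rule_levels(run: dict) -> dict:
    """ruleId -> defaultConfiguration.level from the run's tool metadata."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level") for r in rules if "id" in r}


def load_findings(sarif_text: str) -> list:
    """Flatten every result of every run into one dict per finding."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        defaults = _rule_levels(run)
        for r in run.get("results", []):
            rule = r.get("ruleId", "<no-rule>")
            level = r.get("level") or defaults.get(rule) or "warning"
            uri, line = "<unknown>", None
            locs = r.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine")
            # Prefer the tool's stable fingerprint; fall back to tool+rule+location.
            fp = r.get("partialFingerprints")
            key = (tool, json.dumps(fp, sort_keys=True)) if fp else (tool, rule, uri, line)
            findings.append({"tool": tool, "rule": rule, "level": level, "uri": uri,
                             "line": line, "message": r.get("message", {}).get("text", ""),
                             "key": key})
    return findings


def dedupe(findings: list) -> list:
    seen, out = set(), []
    for f in findings:
        if f["key"] not in seen:
            seen.add(f["key"])
            out.append(f)
    return out


def count_by_level(findings: list) -> dict:
    return dict(Counter(f["level"] for f in findings))


def should_fail(findings: list, threshold: str = "error") -> bool:
    """CI gate: True when any finding is at or above the threshold level."""
    return any(LEVEL_RANK.get(f["level"], 0) >= LEVEL_RANK[threshold] for f in findings)


if __name__ == "__main__":
    uniq = dedupe(load_findings(SAMPLE_SARIF))
    for f in uniq:
        print(f"{f['level']:<8}{f['tool']:<8}{f['uri']}:{f['line']}  {f['rule']}")
    print(count_by_level(uniq), "fail build:", should_fail(uniq))
```

Note that the semgrep and CodeQL results at app/run.py:42 are kept as two findings: they come from different tools with different rule IDs, and collapsing across tools by location alone would hide a genuine corroboration. De-duplicate across tools only when you have a shared fingerprint scheme.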
trailofbits
Passed
Sharp Edges
Sharp Edges is a security analysis skill that identifies error-prone APIs, dangerous configurations, and footgun designs that enable developer mistakes. It provides comprehensive reference documentation covering cryptographic API pitfalls, configuration security patterns, authentication footguns, and language-specific sharp edges across 11 programming languages.
Security, Api Design, Code Review (+3)
892.1k
trailofbits
Passed
Semgrep Rule Variant Creator
This skill helps security engineers port existing Semgrep rules to new programming languages. It provides a structured 4-phase workflow including applicability analysis, test-first development, rule creation, and validation. The skill includes detailed guidance for translating patterns between languages and ensuring rules are properly tested.
Semgrep, Security, Static Analysis (+3)
2932.1k
trailofbits
Passed
Firebase Apk Scanner
A comprehensive Firebase security scanner for Android APKs that identifies misconfigurations in authentication, Realtime Database, Firestore, Storage, Cloud Functions, and Remote Config. It extracts Firebase configuration from decompiled APKs and tests endpoints for common vulnerabilities like open signups, unauthenticated database access, and exposed storage buckets.
Security, Firebase, Android (+3)
632.1k
trailofbits
Passed
Differential Review
A comprehensive security-focused code review skill for analyzing pull requests, commits, and diffs. It uses git history for context, calculates blast radius of changes, checks test coverage, performs adversarial vulnerability analysis, and generates detailed markdown security reports with findings and recommendations.
Security, Code Review, Audit (+3)
1192.1k
trailofbits
Passed
Constant Time Analysis
This skill helps identify timing side-channel vulnerabilities in cryptographic implementations by analyzing compiled assembly or bytecode for dangerous patterns such as variable-time division, secret-dependent branches, and non-constant-time comparisons. It supports C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, and Ruby, and provides remediation guidance using techniques such as Barrett reduction and constant-time selection.
Security, Cryptography, Timing Attack (+3)
692.1k
trailofbits
Passed
Ton Vulnerability Scanner
A security auditing skill for TON blockchain smart contracts written in FunC. It detects three critical vulnerability patterns: integer-as-boolean misuse (where positive integers used as booleans cause logic errors), fake Jetton contract attacks (missing sender validation on transfer notifications), and gas drainage vulnerabilities (unchecked forward TON amounts). The skill provides detailed detection patterns, mitigation code, and testing recommendations.
Security, Blockchain, Ton (+3)
3572.1k
trailofbits
Passed
Substrate Vulnerability Scanner
This skill provides comprehensive security auditing guidelines for Substrate/FRAME blockchain runtime modules (pallets). It documents 7 critical vulnerability patterns including arithmetic overflow, panic DoS, incorrect weights, and origin validation issues, with detection patterns, mitigations, and testing recommendations.
Security, Blockchain, Substrate (+3)
1222.1k
trailofbits
Passed
Solana Vulnerability Scanner
A specialized security scanner for Solana blockchain programs that detects 6 critical vulnerability patterns including arbitrary cross-program invocations, improper PDA validation, and missing signer/ownership checks. It provides detailed vulnerability reports with code examples and mitigation strategies for both native Solana and Anchor framework programs.
Solana, Blockchain, Security (+3)
592.1k
trailofbits
Passed
Cosmos Vulnerability Scanner
A comprehensive security scanner for Cosmos SDK blockchains that identifies 9 consensus-critical vulnerabilities including non-determinism, incorrect signers, ABCI panics, and rounding errors. It provides detection patterns, mitigation strategies, and testing recommendations for auditing Cosmos chains and CosmWasm contracts.
Cosmos Sdk, Blockchain Security, Cosmwasm (+3)
1072.1k
trailofbits
Passed
Cairo Vulnerability Scanner
A comprehensive security auditing skill for Cairo/StarkNet smart contracts. It systematically scans for 6 critical vulnerability patterns including arithmetic overflow, L1-L2 messaging issues, signature replay attacks, and unchecked access control, providing detailed remediation guidance and integration with the Caracal static analyzer.
Security, Smart Contracts, Cairo (+3)
672.1k
alinaqi
Passed
Security
A comprehensive security reference skill that provides OWASP security patterns, secrets management best practices, and automated security testing workflows. It includes code examples for input validation, authentication, JWT handling, password hashing, and security headers, along with GitHub Actions templates for CI/CD security scanning.
Security, Owasp, Secrets Management (+3)
89453
alinaqi
Passed
Codex Review
This skill provides comprehensive documentation for using OpenAI's Codex CLI to perform automated code reviews. It covers installation, authentication, interactive and headless usage modes, and includes ready-to-use CI/CD integration examples for GitHub Actions, GitLab CI, and Jenkins pipelines.
Code Review, Openai, Codex (+3)
511453
Dicklesworthstone
Passed
ubs
Ultimate Bug Scanner (UBS) is a static analysis tool that scans code for bugs, security issues, and code quality problems. It integrates with Claude Code via hooks to run scans on file saves and blocks destructive shell commands such as 'git reset --hard' and 'rm -rf' to prevent accidental data loss.
Static Analysis, Bug Scanner, Code Quality (+3)
301144
wrsmith108
Passed
Varlock
Secure environment variable management with Varlock. Use when handling secrets, API keys, credentials, or any sensitive configuration. Ensures secrets are never exposed in terminals, logs, traces, or Claude's context. Trigger phrases include "environment variables", "secrets", ".env", "API key", "credentials", "sensitive", "Varlock".
Environment Variables, Secrets Management, Security (+3)
2633
skillplugs
Passed
Skill Scanner
Security scanner for Claude Code skills. Use when users want to scan a skill before installing, check an installed skill's security, or analyze any skill from a GitHub URL, local path, or installed location. Triggers on "scan this skill", "check skill security", "is this skill safe", or when users provide a skill URL/path asking about its safety.
Security, Scanning, Skill Analysis (+3)
3797