Security

2492 skills in Testing & Security > Security

checking-infrastructure-compliance

Marketplace

This skill allows Claude to check infrastructure compliance against industry standards such as SOC2, HIPAA, and PCI-DSS. It analyzes existing infrastructure configurations and reports on potential compliance violations. Use this skill when the user asks to assess compliance, identify security risks related to compliance, or generate reports on compliance status for SOC2, HIPAA, or PCI-DSS. Trigger terms include: "compliance check", "SOC2 compliance", "HIPAA compliance", "PCI-DSS compliance", "compliance report", "infrastructure compliance", "security audit", "assess compliance".

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 3d ago

security-patterns

Use when working with Electron - IPC security, renderer isolation, Node API access

andyngdz/exogen
2
0
Updated 3d ago

oauth2-flows

Implementation patterns and security best practices for OAuth 2.0 authorization flows. Provides accurate implementations of the Authorization Code Flow, PKCE, and Refresh Token Flow. Supports secure authorization flow implementation in web, SPA, and mobile apps. Anchors: • OAuth 2.0 Simplified (Aaron Parecki) / Applies to: authorization flows in general / Purpose: accurate, RFC-compliant implementation • Web Application Security (Andrew Hoffman) / Applies to: security design / Purpose: threat modeling and countermeasures • RFC 6749 (OAuth 2.0 Framework) / Applies to: protocol specification / Purpose: ensuring standards compliance Trigger: Use when implementing OAuth 2.0 authentication, configuring authorization flows, integrating with OAuth providers, implementing PKCE for SPAs, or managing token lifecycle. oauth2, authorization code, pkce, access token, refresh token, oauth provider, google auth, github oauth

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

security-scanner

Scans codebase for common security vulnerabilities including input validation gaps, authentication bypasses, data exposure risks, SQL injection, XSS, CSRF, insecure dependencies, and secrets in code. Identifies security patterns without executing code. Use when user requests "security scan", "check vulnerabilities", "audit security", or mentions security review.

sovrium/sovrium
2
0
Updated 3d ago

security

Secure backend applications against OWASP threats. Implement authentication, encryption, scanning, compliance, and incident response procedures.

pluginagentmarketplace/custom-plugin-backend
2
0
Updated 3d ago

api-engineering

Domain specialist for API design, development, and best practices. Scope: RESTful API design, GraphQL, API documentation, authentication, authorization, rate limiting, CORS, error handling, pagination, filtering, HATEOAS, API testing, API security. Excludes: database design, business logic, infrastructure, frontend, security beyond API. Triggers: "API", "REST", "GraphQL", "endpoint", "OpenAPI", "Swagger", "CORS".

warpcode/dotfiles
2
2
Updated 3d ago

dependency-security-scanning

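A skill that systematizes dependency vulnerability scanning, CVE evaluation, and report writing. Supports SCA operations and the organization of remediation plans. Anchors: • OWASP Dependency-Check / Applies to: dependency scanning / Purpose: standardized detection • CVSS v3.1 Specification / Applies to: severity assessment / Purpose: consistent prioritization • Web Application Security / Applies to: threat assessment / Purpose: consistent risk determination Trigger: Use when scanning dependencies for vulnerabilities, evaluating CVE reports, producing audit reports, or planning remediation. dependency scan, CVE, CVSS, SCA, supply chain security, audit report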

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

github-actions-security

A skill for hardening the security of GitHub Actions workflows. Covers secure management of Repository/Environment Secrets, log masking, quality gate integration, and threat countermeasures for CI/CD pipelines. Anchors: • OWASP Top 10 CI/CD Security Risks / Applies to: risk assessment and threat identification / Purpose: risk prioritization based on industry standards • GitHub Actions Security Hardening Guide / Applies to: workflow implementation / Purpose: compliance with official best practices • Threat Modeling (Adam Shostack) / Applies to: STRIDE threat analysis / Purpose: systematic security design Trigger: Use when securing GitHub Actions workflows, configuring Environment/Repository Secrets, implementing log masking, adding quality gates to CI/CD pipelines, or performing threat modeling on workflows. github actions security, secrets management, log masking, quality gate, CI/CD security, threat modeling

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

database-engineering

Domain specialist for data persistence, database design, query optimization, and data modeling. Scope: SQL injection prevention, indexing strategies, normalization, migrations, scaling, backup/recovery, ORM patterns, N+1 query detection, query optimization, relationship mapping. Excludes: API design, business logic, infrastructure, frontend, security beyond database. Triggers: "database", "SQL", "query", "index", "schema", "migration", "sharding", "replication", "backup", "N+1", "ORM", "Eloquent", "Django", "query optimization", "slow query", "relationship", "foreign key", "join".

warpcode/dotfiles
2
2
Updated 3d ago

secops-engineering

Domain specialist for security operations, vulnerability management, compliance, and secure coding practices. Scope: OWASP Top 10, authentication (OAuth2, JWT, SAML, OIDC), input validation (SQLi, XSS, CSRF), secrets management, security headers, file upload security, vulnerability scanning, compliance (SOC2, GDPR, PCI-DSS). Excludes: code-level design patterns, infrastructure security, database design, performance optimization. Triggers: "security", "OWASP", "authentication", "authorization", "OAuth", "JWT", "SAML", "OIDC", "SQL injection", "XSS", "CSRF", "input validation", "secrets management", "vulnerability scan", "compliance", "SOC2", "GDPR", "security headers".

warpcode/dotfiles
2
2
Updated 3d ago

security-pr-checklist-skill

Creates repeatable security review checklist for PRs with required checks, common pitfalls, and automated gating. Use for "security review", "PR checklist", "code review", or "security gates".

patricio0312rev/skillset
2
0
Updated 3d ago

compliance-auditor

Automated compliance auditing for SOC2, HIPAA, GDPR, and PCI-DSS. Activates for compliance checks, security audits, regulatory requirements, and compliance automation.

Dexploarer/hyper-forge
2
1
Updated 3d ago

scanning-for-vulnerabilities

Marketplace

This skill enables comprehensive vulnerability scanning using the vulnerability-scanner plugin. It identifies security vulnerabilities in code, dependencies, and configurations, including CVE detection. Use this skill when the user asks to scan for vulnerabilities, security issues, or CVEs in their project. Trigger phrases include "scan for vulnerabilities", "find security issues", "check for CVEs", "/scan", or "/vuln". The plugin performs static analysis, dependency checking, and configuration analysis to provide a detailed vulnerability report.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 3d ago

validating-cors-policies

Marketplace

This skill enables Claude to validate Cross-Origin Resource Sharing (CORS) policies. It uses the cors-policy-validator plugin to analyze CORS configurations and identify potential security vulnerabilities. Use this skill when the user requests to "validate CORS policy", "check CORS configuration", "analyze CORS headers", or asks about "CORS security". It helps ensure that CORS policies are correctly implemented, preventing unauthorized cross-origin requests and protecting sensitive data.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 3d ago

http-best-practices

Provides communication design for RESTful API and web service implementations, based on the HTTP protocol specification. Covers status codes, headers, caching, and idempotency design. Anchors: • HTTP/2 in Action (Barry Pollard) / Applies to: protocol specification and performance / Purpose: efficient HTTP communication • RESTful Web Services (Richardson, Ruby) / Applies to: REST design principles / Purpose: consistent API design • Web API Design (Brian Mulloy) / Applies to: practical API design patterns / Purpose: easy-to-use APIs Trigger: Use when designing REST APIs, implementing HTTP clients, configuring cache strategies, setting security headers, or ensuring idempotency. http, rest api, status codes, cache-control, cors, idempotency, headers, http/2, keep-alive

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

electron-security-hardening

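Specialist knowledge for hardening the security of Electron desktop applications. Protects against threats such as XSS, code injection, and process isolation violations. Anchors: • Electron Security / Applies to: process isolation and IPC protection / Purpose: secure desktop apps • OWASP / Applies to: vulnerability assessment and threat modeling / Purpose: continuous security auditing • Content Security Policy / Applies to: CSP implementation / Purpose: XSS defense and resource restriction Trigger: Use when implementing Electron security hardening, configuring CSP, designing secure IPC channels, conducting security audits, managing vulnerabilities, or implementing sandboxing. electron security, CSP, IPC protection, context isolation, sandbox, preload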

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

rbac-implementation

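A skill that provides design and implementation patterns for role-based access control (RBAC). Supports role structure design based on the principle of least privilege, multi-layer access control, permission check logic, and policy engine construction. Anchors: • "Web Application Security" (Hoffman) / Applies to: access control design / Purpose: secure permission implementation • NIST RBAC Model / Applies to: role hierarchy design / Purpose: a standards-compliant permission model • OWASP Access Control Cheat Sheet / Applies to: implementation patterns / Purpose: security best practices Trigger: Use when designing role-based access control, implementing permission checks, building policy engines, or setting up multi-layer authorization. rbac, role, permission, authorization, access control, policy, middleware, least privilege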

daishiman/AIWorkflowOrchestrator
2
0
Updated 3d ago

dependency-vulnerability-triage

Turns npm audit/Snyk results into prioritized patch plans with severity assessment, safe upgrade paths, breaking change analysis, and rollback strategies. Use for "dependency security", "vulnerability patching", "npm audit", or "security updates".

patricio0312rev/skillset
2
0
Updated 3d ago

checking-owasp-compliance

Marketplace

This skill uses the owasp-compliance-checker plugin to automatically identify potential security vulnerabilities based on the OWASP Top 10 (2021) list. It helps ensure your application adheres to industry-standard security practices by providing a detailed analysis of compliance gaps and offering remediation guidance. Use this skill when you need to audit your code for OWASP compliance, identify and fix vulnerabilities, or generate a compliance report. Trigger this skill by asking to "check OWASP compliance", "scan for OWASP vulnerabilities", or using the `/owasp` shortcut.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 3d ago

configuring-auto-scaling-policies

Marketplace

This skill configures auto-scaling policies for applications and infrastructure. It generates production-ready configurations based on user requirements, implementing best practices for scalability and security. Use this skill when the user requests help with auto-scaling setup, high availability, or dynamic resource allocation, specifically mentioning terms like "auto-scaling," "HPA," "scaling policies," or "dynamic scaling." This skill provides complete configuration code for various platforms.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 3d ago