Security

Full access to Google Workspace (Drive, Docs, Sheets, Slides, Calendar, Gmail) using curl and the Google APIs directly - no MCP server or additional dependencies required. Use for searching files, reading/writing documents, managing calendar events, and email operations. First check if user has authenticated, if not guide them through the OAuth flow.

Electronデスクトップアプリケーションのアーキテクチャ設計を専門とするスキル。Main/Renderer/Preloadプロセスの責務分離、型安全なIPC通信設計、セキュリティ設定を支援する。Anchors:• Clean Architecture (Robert C. Martin) / 適用: 依存関係ルール / 目的: プロセス間の責務分離• Electron公式ドキュメント / 適用: プロセスモデル / 目的: セキュアな設計パターン• TypeScript / 適用: 型安全なIPC設計 / 目的: エンドツーエンドの型安全性Trigger:Use when designing Electron architecture, implementing IPC communication, configuring security settings, or separating Main/Renderer responsibilities.electron, ipc, main process, renderer, preload, contextIsolation, contextBridge

This skill assists with SOC2 audit preparation by automating tasks related to evidence gathering and documentation. It leverages the soc2-audit-helper plugin to generate reports, identify potential compliance gaps, and suggest remediation steps. Use this skill when the user requests help with "SOC2 audit", "compliance check", "security controls", "audit preparation", or "evidence gathering" related to SOC2. It streamlines the initial stages of SOC2 compliance, focusing on automated data collection and preliminary analysis.

API Key、JWT、OAuth 2.0、mTLS などの認証方式を比較し、適切なフロー設計と実装方針を整理するスキル。方式選定、トークン管理、署名戦略、セキュリティ対策を一貫して設計します。Anchors:• Web Application Security / 適用: 脅威整理 / 目的: 認証フローのリスク把握• OWASP Authentication Cheat Sheet / 適用: 実装ベストプラクティス / 目的: 安全な実装指針• RFC 6749 & RFC 7519 / 適用: OAuth/JWT仕様 / 目的: 標準準拠の設計Trigger:Use when selecting authentication flows (API Key/JWT/OAuth/mTLS), designing token strategy, or validating auth configuration.

Domain specialist for infrastructure, CI/CD, containers, observability, and DevOps operations. Scope: CI/CD pipelines, containerization, infrastructure as code, monitoring and observability, container security, release strategies, infrastructure reliability patterns. Excludes: code-level security, application architecture, database design, API design, performance profiling. Triggers: "CI/CD", "Docker", "Kubernetes", "K8s", "deployment", "pipeline", "monitoring", "observability", "Terraform", "Ansible", "infrastructure".

Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.

This skill enables Claude to scan container images and running containers for vulnerabilities using tools like Trivy and Snyk. It identifies potential security risks in container environments. Use this skill when the user requests a security assessment of a container image, asks to identify vulnerabilities in a container, or wants to improve the security posture of their containerized applications. Trigger terms include "scan container," "container security," "vulnerability assessment," "Trivy scan," or "Snyk scan."

Webhook implementation and consumption patterns. Use when implementing webhook endpoints, sending webhooks, handling retries, or ensuring reliable delivery. Keywords: webhooks, callbacks, HMAC, signature verification, retry, exponential backoff, idempotency, event delivery, webhook security.

This skill uses the owasp-compliance-checker plugin to automatically identify potential security vulnerabilities based on the OWASP Top 10 (2021) list. It helps ensure your application adheres to industry-standard security practices by providing a detailed analysis of compliance gaps and offering remediation guidance. Use this skill when you need to audit your code for OWASP compliance, identify and fix vulnerabilities, or generate a compliance report. Trigger this skill by asking to "check OWASP compliance", "scan for OWASP vulnerabilities", or using the `/owasp` shortcut.

This skill enables Claude to generate compliance reports based on various security standards and frameworks. It leverages the compliance-report-generator plugin to automate the report creation process. Use this skill when a user requests a "compliance report", "security audit report", or needs documentation for "regulatory compliance". The skill is particularly useful for generating reports related to standards like PCI DSS, HIPAA, SOC 2, or ISO 27001. It can also assist with documenting adherence to specific security policies. Activates when you request "generating compliance reports" functionality.

This skill creates Ansible playbooks for automating configuration management tasks. It generates production-ready, multi-platform playbooks based on user-defined requirements, incorporating best practices and a security-first approach. Use this skill when you need to automate server configurations, software deployments, or infrastructure management using Ansible. Trigger this skill by requesting "Ansible playbook," specifying configuration details, or asking for automation of a particular setup.

Implement security best practices including authentication, authorization, and protection against common vulnerabilities. Use when implementing user authentication, access control, or securing application endpoints.

Comprehensive security architecture combining threat modeling, security-first design, secure coding review, and compliance validation. Consolidated from threat-modeling, security-first-design, secure-coding-review, and compliance-validator.

Design REST and GraphQL APIs. Use when creating backend APIs, defining API contracts, or integrating third-party services. Covers endpoint design, authentication, versioning, documentation, and best practices.

This skill enables Claude to check session security implementations within a codebase. It analyzes session management practices to identify potential vulnerabilities. Use this skill when a user requests to "check session security", "audit session handling", "review session implementation", or asks about "session security best practices" in their code. It helps identify issues like insecure session IDs, lack of proper session expiration, or insufficient protection against session fixation attacks. This skill leverages the session-security-checker plugin.

Multi-language backend development skill for Node.js, Python, and Go applications.This skill should be used when: designing RESTful/GraphQL APIs, optimizing database queries,implementing authentication/authorization, reviewing API security, or building microservices.

This skill automates database backups using the database-backup-automator plugin. It creates scripts for scheduled backups, compression, encryption, and restore procedures across PostgreSQL, MySQL, MongoDB, and SQLite. Use this when the user requests database backup automation, disaster recovery planning, setting up backup schedules, or creating restore procedures. The skill is triggered by phrases like "create database backup", "automate database backups", "setup backup schedule", or "generate restore procedure".

環境分離とアクセス制御スキル。開発・ステージング・本番環境の厳格な分離、環境間Secret共有の防止、最小権限原則の徹底を提供します。Anchors:• Building Secure and Reliable Systems / 適用: Defense in Depth原則 / 目的: 多層防御設計• The Twelve-Factor App / 適用: Config要素とコードの分離 / 目的: 環境変数による設定管理• Railway Secret Management / 適用: 環境グループによるSecret分離 / 目的: 環境別SecretストアTrigger:Use when designing environment isolation strategy, managing secrets across dev/staging/prod environments,implementing access control policies, preventing cross-environment data contamination,or validating environment separation compliance.environment isolation, secret management, access control, Railway secrets, GitHub secrets, security boundaries

Audits project dependencies for outdated packages, duplicates, heavy/problematic libraries, security vulnerabilities, and risky version combinations. Generates prioritized reports with security, performance, and maintainability insights, upgrade paths, and safe pinning recommendations. Use when users request dependency audits, package updates, security checks, or dependency optimization.

Guide for configuring Claude Code permissions in settings.json with security best practices for allow, ask, and deny rules. Use when: (1) Setting up or modifying permissions in settings.json, (2) Discussing tool permissions, access control, or security configuration, (3) User mentions allowing, blocking, or restricting specific tools or file access, (4) Configuring Bash command permissions, file access (Read/Edit/Write), or WebFetch restrictions, (5) Questions about what permissions are safe vs risky, (6) Troubleshooting permission-related errors or "permission denied" issues, (7) Reviewing security configuration or hardening Claude Code access.