Security
2492 skills in Testing & Security > Security
bash-audit
Comprehensive security and quality audit for shell scripts (bash, sh, zsh) using defensive programming principles and ShellCheck static analysis. Use when user asks to audit, review, check, lint, validate, or analyze shell scripts for security vulnerabilities, bugs, errors, defensive programming compliance, or best practices. Also triggers for improving script quality, finding script errors or issues, checking portability problems (macOS vs Linux), validating error handling, fixing shellcheck warnings, reviewing legacy automation scripts before release, setting up CI/CD linting infrastructure, configuring pre-commit hooks, understanding ShellCheck error codes, suppressing false positives, or ensuring script portability and quality.
nextjs
Builds full-stack React applications with Next.js App Router, Server Components, Server Actions, and edge deployment. Use when creating Next.js projects, implementing routing, data fetching, caching, authentication, or deploying to Vercel.
backend-queries
Write secure, performant database queries that prevent SQL injection and avoid N+1 problems. Use this skill when writing SQL queries, ORM queries, or database access code. When working on files containing SELECT, INSERT, UPDATE, DELETE statements or ORM query methods. When implementing eager loading, joins, or query optimization. When adding database transactions, query timeouts, or caching for expensive queries.
secure-nextjs-api-routes
A comprehensive security middleware system for Next.js 13+ App Router API routes that provides authentication, rate limiting, CSRF protection, audit logging, and security headers in a composable, production-ready pattern. Use when building secure Next.js APIs that need protection against common web vulnerabilities.
convex-backend-development
Develop and maintain Convex backend functions including queries, mutations, and actions. Use when working with database operations, authentication, game management, scoring logic, and real-time data updates in the dev-quiz-battle app.
reviewing-code
Get code review from Codex AI for implementation quality, bug detection, and best practices. Use when asked to review code, check for bugs, find security issues, or get feedback on implementation patterns.
security-scan-local
Run security scans locally (Semgrep, Trivy, Gitleaks) to detect vulnerabilities, secrets, and code issues before pushing. Use when the user wants to check for security issues, scan dependencies, or validate code security.
crypto-analysis
Breaks cryptographic systems and decrypts ciphertext. Use when working with RSA, AES, XOR, classical ciphers, hash functions, or when challenge involves encryption, decryption, keys, or mathematical crypto attacks.
moai-security-api
Comprehensive API security for REST, GraphQL, and gRPC services with OAuth 2.1 authentication, JWT validation, rate limiting, and enterprise protection patterns.
security-agent
Deep security analysis with high reasoning effort for threat detection
aws-patterns
AWS infrastructure patterns and best practices for Terraform. Provides VPC, IAM, S3, and security group scaffolds. Use when developing AWS infrastructure.
code-review
Thorough code review for Rust/WebAssembly projects. Identifies bugs, security issues, performance problems, and maintainability concerns. Provides actionable feedback with specific suggestions.
pr-review-common-patterns
Common patterns in PR reviews including false positives, security vulnerabilities, N+1 queries, breaking changes, and edge cases. Use when analyzing code, verifying findings, or understanding typical issues.
pr-reviewer
Comprehensive pull request review covering code quality, security vulnerabilities, performance issues, and design patterns. Use when reviewing PRs, analyzing code changes, checking for bugs, or when user mentions pull request, PR review, code review, or merge request.
code-review
Skill for reviewing code quality, security, and best practices compliance.
daniel
Production-ready security analysis with CMMC Level 2 compliance. USE WHEN user needs vulnerability scanning, STRIDE threat modeling, security code review, CMMC compliance mapping, or multi-agent security analysis. Detects 50+ vulnerability patterns with remediation guidance.
google-docs-sheets
Export Google Docs and Google Sheets (spreadsheets) to Markdown files or stdout. Use when asked to fetch, download, or ingest Google Docs/Sheets content for summarization, analysis, or context loading. Tries gcloud ADC first with browser OAuth fallback.
devops-infrastructure
Manage deployment, Docker, CI/CD, server hardening, and infrastructure security. EXCLUSIVE to devops-engineer agent.
smart-session-start
Intelligent session initialization combining Goldfish memory recall, Julie workspace re-indexing, and Sherpa workflow suggestion. MANDATORY at session start - automatically restores context, suggests next steps, and resumes work seamlessly. Activates at the beginning of every coding session.
openssf-scorecard-achievement-guide
Complete OpenSSF Scorecard achievement guide. Understand all 18 security checks, fix false positives, navigate controversial recommendations, and progress from 7 to 10/10.