Security

Use when you need to plan technical solutions that are scalable, secure, and maintainable.

Validate PM environment and authentication status. Use when (1) new PM onboarding, (2) checking required tools (gh CLI, Git, GitHub Projects access), (3) verifying GitHub auth and project permissions, (4) orchestrator auto-runs at work start.

Performs comprehensive code review analyzing bugs, security issues, best practices, performance, and suggesting improvements

Review code changes for FFP project standards including multi-tenant security, British English, architecture patterns, and SOLID principles. Use when reviewing PRs, checking branch changes, or auditing code quality.

Post tweets, read threads, search X/Twitter from the terminal using bird CLI. Use when automating Twitter, posting from scripts, analyzing tweet threads, monitoring mentions, or working with the Twitter/X API without OAuth.

Command-line interface for managing Miniflux feeds. Use for authentication, adding feeds, and searching entries.

Intelligently detects document type (review, spec, ADR, tech-debt, security, generic) from content and filename to route to appropriate format skill. Use when user says 'detect document type', 'what type of document is this', 'analyze document', 'classify document', or when converting documents without specifying type. Analyzes .md files for type indicators and structural patterns. (plugin:task-streams)

Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.

Comprehensive code review for quality, security, performance, and best practices

System design, software architecture, API design, cybersecurity, and threat modeling. Build secure, scalable systems at scale.

Execute commands on remote servers via SSH, transfer files with SCP, and manage multiple hosts. Use when working with remote servers, deployments, system administration, log analysis, or any task requiring remote command execution. Supports SSH agent, key-based, and password authentication via environment variables, never exposing credentials.

Use this skill when designing REST, GraphQL, or gRPC APIs. Provides comprehensive API design patterns, versioning strategies, error handling conventions, authentication approaches, and OpenAPI/AsyncAPI templates. Ensures consistent, well-documented, and developer-friendly APIs across all backend services.

Manage Google Sheets with comprehensive spreadsheet operations including reading/writing cell values, formulas, formatting, sheet management, and batch operations. Use for spreadsheet data operations, cell ranges, formulas, formatting, batch updates, and data analysis workflows. Shares OAuth token with email, calendar, contacts, drive, and docs skills.

Comprehensive security scanning for SAST, secrets, OWASP vulnerabilities, container and IaC security

This skill should be used when the user requests to generate, create, or configure Content Security Policy (CSP) headers for Next.js applications to prevent XSS attacks and control resource loading. It analyzes the application to determine appropriate CSP directives and generates configuration via next.config or middleware. Trigger terms include CSP, Content Security Policy, security headers, XSS protection, generate CSP, configure CSP, strict CSP, nonce-based CSP, CSP directives.

This skill should be used when the user requests to audit, check, or generate authentication and authorization protection for Next.js routes, server components, API routes, and server actions. It analyzes existing routes for missing auth checks and generates protection logic based on user roles and permissions. Trigger terms include auth check, route protection, protect routes, secure endpoints, auth middleware, role-based routes, authorization check, api security, server action security, protect pages.

Guides creation of high-quality MCP (Model Context Protocol) servers that enable LLMsto interact with external services through well-designed tools. Use when building MCPservers to integrate external APIs or services, whether in Python (FastMCP) orNode/TypeScript (MCP SDK). Covers tool design, authentication, Docker deployment,and evaluation creation. NOT when consuming existing MCP servers (use the server directly).

Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.

This skill should be used when the user asks about "Ashby API", "how to use Ashby tools", "Ashby authentication", "Ashby MCP tools", "what can I do with Ashby", or needs help understanding available Ashby operations. Provides complete API documentation and tool usage guidance.

Deploys web applications on Render with automatic builds, managed databases, and zero-config SSL. Use when deploying web services, static sites, or setting up managed infrastructure.