Penetration Testing
296 skills in Testing & Security > Penetration Testing
owasp-security-review
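Security review and implementation support based on the OWASP Cheat Sheet Series. Use for code review requests, security-related implementation and investigation, and vulnerability checks. Covers security topics such as XSS, SQL Injection, CSRF, and authentication and authorization.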
neo-llm-security
AI security co-pilot for identifying, testing, and fixing vulnerabilities in LLM-powered applications. Use when: (1) Securing LLM applications or agents, (2) Generating security test suites with promptfoo, (3) Testing for prompt injection, jailbreaking, data exfiltration, (4) Hardening system prompts, (5) Compliance mapping for OWASP LLM Top 10, NIST AI RMF, CJIS, SOC2, (6) Threat modeling AI systems, (7) Analyzing security eval results, (8) Research on LLM attack/defense techniques. Triggers: "secure my LLM", "prompt injection", "jailbreak test", "AI security", "red team", "system prompt hardening", "LLM vulnerability", "promptfoo", "OWASP LLM", "AI compliance".
clean-architecture
Clean Architecture and SOLID principles implementation including dependency injection, layer separation, domain-driven design, hexagonal architecture, and code quality patterns
gray-swan-competition
Execute Gray Swan AI Arena indirect prompt injection (IPI) and machine-in-the-middle (MITM) challenges with optimized payloads, reconnaissance workflows, and evidence collection for CTF competition success
django-conventions
Comprehensive Django best practices covering project structure, models (field choices, Meta options, managers, QuerySets, migrations), views (CBVs vs FBVs, generic views), Django REST Framework (serializers, ViewSets, permissions), forms, templates, security (CSRF, XSS, SQL injection), performance (N+1 queries, select_related, prefetch_related, caching), testing, and common anti-patterns. Essential reference for Django code reviews and development.
wordpress-security-patterns
WordPress security best practices and vulnerability prevention patterns. Use when reviewing WordPress code for security issues, writing secure WordPress code, or checking for common vulnerabilities like SQL injection, XSS, CSRF, and authentication issues.
security-auditor
Security auditing with OWASP Top 10 2025 compliance and vulnerability detection
security-scanner
WHEN: Security scan, vulnerability detection, XSS/CSRF analysis, secret exposure, OWASP Top 10. WHAT: XSS/injection detection + hardcoded secrets + auth/authz issues + severity-based vulnerability list. WHEN NOT: Performance → perf-analyzer, Cloud security → cloud-security-expert
detecting-command-injection
Detects OS command injection vulnerabilities by identifying unsafe system/popen/exec calls with user-controlled input. Use when analyzing command execution, shell operations, or investigating potential command injection points.
format-security
Transforms security audits and vulnerability assessments into prioritized remediation tasks with 15 enrichments (10 universal + 5 security-specific). Use when user says 'format security audit', 'process vulnerabilities', 'convert security findings', 'prioritize security issues', or when detect-input-type returns 'security'. Handles CVE reports, penetration test results, and security scans in .md files. (plugin:task-streams)
global-validation
Implement comprehensive input validation on both client and server sides with clear error messages, type checking, and sanitization to prevent security vulnerabilities. Use this skill when validating user input, implementing form validation, checking data types and formats, sanitizing input to prevent injection attacks (SQL, XSS, command injection), validating business rules, providing field-specific error messages, implementing server-side validation for all entry points (API endpoints, web forms, background jobs), using client-side validation for immediate user feedback, applying allowlists over blocklists, validating ranges and required fields, or ensuring consistent validation across the application. Apply this skill when handling any user input, building forms, creating API endpoints, or reviewing code for security and data integrity.
app-architecture
MVVM pattern, Clean Architecture, Repository pattern, dependency injection, SOLID principles. Use when designing app architecture.
wordpress-blocks
WordPress block development including Gutenberg blocks, Block Hooks API for dynamic injection, Interactivity API for frontend features, custom post types, shortcodes, widgets, and meta boxes. Use when building blocks, adding interactivity, or creating content structures.
backend-fastapi
Complete FastAPI development including framework fundamentals, architecture patterns (Clean Architecture, Hexagonal Architecture, DDD), dependency injection, async patterns, and best practices. Use when implementing FastAPI endpoints, architecting backend systems, or applying architectural patterns to FastAPI applications.
security-report
Generate security assessment reports in docx format with findings, risk ratings, and remediation recommendations. Use when: User asks for security audit report, vulnerability assessment document, penetration test report, or compliance gap analysis document. Keywords: security report, audit findings, vulnerability report, pentest report
global-validation
Implement comprehensive input validation on server-side with complementary client-side validation for user experience, using allowlists, type checking, and sanitization to prevent injection attacks. Use this skill when validating user inputs, form data, API requests, file uploads, query parameters, or any external data entering the application. Apply this skill when implementing server-side validation as the primary security layer, adding client-side validation for immediate user feedback, validating data types and formats, checking ranges and required fields, sanitizing inputs to prevent SQL injection and XSS attacks, using allowlists over blocklists, providing field-specific error messages, or enforcing business rules at appropriate application layers. This skill ensures validation happens at all entry points consistently, security is never dependent on client-side checks alone, users receive helpful immediate feedback, and data integrity is maintained through multiple layers of validation.