Post-cycle second-pass review of the last `/sst-dev-cycle` commit on any project. Reads what shipped (code + tests + spec + TODO + docs), evaluates it against the spec item it…
Score 70/100
Secure WebContainer deployments: CSP headers, sandbox isolation, input validation. Use when working with WebContainers or StackBlitz SDK. Trigger: "stackblitz security".
Score 70/100
Senior Staff Engineer code review with SOLID principles, security analysis, and architecture critique.
Score 70/100
Guidance on non-obvious runtime behaviors of Salesforce standard objects — polymorphic lookups, lead conversion field loss, PersonAccount dual-nature, CaseComment trigger…
Score 70/100
Inject short-lived, scoped service credentials into Claude Code sessions so agents can reach approved systems without exposing raw secrets.
Score 70/100
StateRAMP expert for state and local government cloud services. Deep knowledge of State Risk and Authorization Management Program including Low/Moderate impact levels, NIST 800-53…
Score 70/100
Professional stock price tracking, fundamental analysis, and financial reporting tool. Supports global markets (US, KR, etc.), Crypto, and Forex with real-time data.
Score 70/100
Run a STRIDE threat-modelling pass against an access-surface map a software engineer has already produced for a feature they're about to ship.
Score 70/100
Verifies Stripe webhook payload signatures using the Stripe.js SDK and the stripe.webhooks.constructEvent method.
Score 70/100
Use when asked to map, crosswalk, align, compare, or gap-analyze any two cybersecurity frameworks, control catalogs, or regulatory requirements using NIST IR 8477 Set-Theory…
Score 70/100
Audit a media production studio or post-production facility. Analyzes facility scheduling and utilization, equipment lifecycle tracking, editorial and VFX pipelines, color grading…
Score 70/100
Subfinder is a passive subdomain discovery tool by ProjectDiscovery that finds valid subdomains for websites using curated online sources.
Score 70/100
Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks.
Score 70/100
Apply Supabase security best practices: anon vs service_role key separation, RLS enforcement, policy patterns, JWT verification, and API hardening.
Score 70/100
Detect and remediate software supply chain attacks in npm, PyPI, crates.io, GitHub Actions, and CI/CD pipelines by scanning for known compromised packages, malicious versions,…
Score 70/100
Assess supply chain risk exposure and resilience posture. Analyzes supplier dependency mapping (Tier 1/2/3), geographic concentration risk, single-source vulnerability, disruption…
Score 70/100
Activate when reviewing or modifying dependency resolution, lockfile schema, package downloaders, signature/integrity checks, file integration cleanup, or anything that could…
Score 70/100
Search public GitHub broadly for leaked secrets and triage exposures when the workflow is recon and remediation, not generic secret scanning.
Score 70/100
Use when working with iOS/macOS Keychain Services (SecItem queries, kSecClass, OSStatus errors), biometric authentication (LAContext, Face ID, Touch ID), CryptoKit (AES-GCM,…
Score 70/100
Perform a detailed SWOT analysis — strengths, weaknesses, opportunities, and threats with actionable recommendations.
Score 70/100
Synchronize a security issue with the state of its GitHub discussion, the mailing thread, and any PRs that fix it.
Score 70/100
System architecture skill for designing scalable, maintainable software systems. Covers microservices/monolith decisions, API design, DB selection, caching, security, and…
Score 70/100
Use when practitioners need to understand system-managed fields (CreatedDate, LastModifiedDate, SystemModstamp, CreatedById, LastModifiedById, IsDeleted) — their update behavior,…
Score 70/100
Domain knowledge for the tachi orchestrator agent: input format detection, DFD classification, trust boundary notation, STRIDE-per-Element dispatch rules, coverage requirements…
Score 70/100
Domain knowledge for PDF security report assembly — artifact detection patterns with tier selection rules, Typst data variable contract with type specifications and image path…
Score 70/100
Domain knowledge for quantitative risk scoring — four-dimensional scoring model (CVSS 3.1, exploitability, scalability, reachability), CVSS base vector mappings, composite score…
Score 70/100
Domain knowledge for narrative threat report generation — executive summary structure, architecture overview patterns, per-category narrative templates, attack tree construction…
Score 70/100
Build TAM databases from scratch using a 7-phase methodology (Source Discovery → Keyword Expansion → Config → Collection → Dedup → Exclusion → Enrichment hand-off).
Score 70/100
Automatically export audit findings, security issues, performance problems, or accessibility violations to Teamwork tasks when other agents complete their analysis.
Score 70/100
Technical due diligence for M&A, investment, or acquisition. Reads a target company's codebase and generates a comprehensive tech DD report with architecture assessment, tech debt…
Score 70/100
Comprehensive technology stack evaluation and comparison tool with TCO analysis, security assessment, and intelligent recommendations for engineering teams.
Score 70/100
Technical analysis capabilities for APIs, data models, integrations, and security requirements. Use when analyzing technical aspects of systems or documenting technical…
Score 70/100
Use when auditing a Salesforce org for technical debt: dead code, unused automations, overlapping Flow and Apex triggers, deprecated features, configuration complexity, and legacy…
Score 70/100
TechSmith security basics for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation.
Score 70/100
Validates Tekton pipeline supply chain security using Sigstore cosign verification and SLSA provenance checks.
Score 70/100
Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation.
Score 70/100
Battle-tested Playwright patterns for writing, debugging, and scaling reliable test suites. Use when you need guidance for E2E, API, component, visual, accessibility, or security…
Score 70/100
Tests Android inter-process communication (IPC) through intents for vulnerabilities including intent injection,
Score 70/100
Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they
Score 70/100
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated
Score 70/100
Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege
Score 70/100
Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid
Score 70/100
Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters,
Score 70/100
Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks
Score 70/100
Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into
Score 70/100
Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater
Score 70/100
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF,
Score 70/100
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization
Score 70/100
Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification,
Score 70/100
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket
Score 70/100
theHarvester is an open-source OSINT tool for gathering emails, subdomains, hosts, employee names, open ports, and banners from public sources.
Score 70/100
Audit therapy and behavioral health documentation platforms for clinical quality and regulatory compliance.
Score 70/100
Deliberately attack your own plans, systems, and assumptions to find weaknesses before adversaries or reality does.
Score 70/100
Generate a personalized threat advisory based on your tech stack — what CVEs, breaches, and supply chain attacks matter to YOU.
Score 70/100
Use when hunting for threats in an environment, analyzing IOCs, or detecting behavioral anomalies in telemetry.
Score 70/100
Map identified threats to appropriate security controls and mitigations. Use when prioritizing security investments, creating remediation plans, or validating control…
Score 70/100
Generate a threat model from spec.md using STRIDE methodology. Use when you need to identify security threats, attack surfaces, and mitigations for a feature before…
Score 70/100
Full STRIDE-A threat model analysis and incremental update skill for repositories and systems. Supports two modes: (1) Single analysis — full STRIDE-A threat model of a…
Score 70/100
Threat Model Creator - Auto-activating skill for Security Advanced. Triggers on: threat model creator. Part of the Security Advanced skill category.
Score 70/100
Produces structured threat models for software systems using STRIDE on data flow diagrams. Generates DFDs with trust boundaries, identifies threats per element, scores risks, and…
Score 70/100