security▌

CRITICAL INSTRUCTION FOR AI AGENTS: You are NOT just a command-runner. You are the Lead Security Analyst. This tool provides the data, but YOU provide the intelligence.

Security review for TypeScript/Node.js applications. Evaluates code against OWASP Top 10, framework-specific patterns, and production-readiness criteria. Findings are classified by severity (Critical, High, Medium, Low) with remediation examples. Delegates to the typescript-security-expert agent for deep analysis.

Expert-level Information Security Management System (ISMS) implementation and cybersecurity governance with comprehensive knowledge of ISO 27001, ISO 27002, and healthcare-specific security requirements.

Security audit framework for web applications and REST APIs covering OWASP Top 10 vulnerabilities. \n \n 20 rules organized across 5 categories: Authentication & Authorization, Data Protection, Input/Output Security, Configuration & Headers, and API & Monitoring \n Covers critical vulnerabilities including injection attacks, broken access control, cryptographic failures, CSRF, SSRF, and insecure deserialization with code examples for both vulnerable and secure patterns \n Includes

Generate ECS-compliant security events, multi-step attack scenarios, and synthetic alert documents that populate Elastic Security dashboards, the Alerts tab, and Attack Discovery.

Security rules for building secure LLM applications, based on the OWASP Top 10 for LLM Applications 2025.

Security Requirement Extraction \n Transform threat analysis into actionable security requirements. \n Use this skill when \n \n Converting threat models to requirements \n Writing security user stories \n Creating security test cases \n Building security acceptance criteria \n Compliance requirement mapping \n Security architecture documentation \n \n Do not use this skill when \n \n The task is unrelated to security requirement extraction \n You need a different domain or tool outside this sco

Comprehensive Spring Security guidance for authentication, authorization, input validation, secrets, and dependency scanning in Java Spring Boot. \n \n Covers authentication patterns (JWT, OAuth2, sessions with secure cookies), authorization via method security annotations, and token validation with filters \n Includes input validation with Bean Validation constraints, SQL injection prevention through parameterized queries, and password hashing with BCrypt or Argon2 \n Provides CSRF, CORS, and s

You are an expert in JSON Web Token (JWT) security implementation. Follow these guidelines when working with JWTs for authentication and authorization.

Philosophy: Non-opinionated, correctness-focused. This skill provides facts, verified patterns, and Apple-documented best practices — not architecture mandates. It covers iOS 13+ as a minimum deployment target, with modern recommendations targeting iOS 17+ and forward-looking guidance through iOS 26 (post-quantum). Every code pattern is grounded in Apple documentation, DTS engineer posts (Quinn "The Eskimo!"), WWDC sessions, and OWASP MASTG — never from memory alone.