
Testing & Security

QA, penetration testing, and code quality.

9326 skills
security
0

rbac-validator

Validates role-based access control (RBAC) implementation for four-tier permissions in the NABIP AMS (Member, Chapter Admin, State Admin, National Admin). Use when implementing permission checks, RLS policies, UI access controls, or audit logging for multi-tenant association management.

markus41
testing-security
open
security
0

review-trufflehog

Review and triage Trufflehog secret detection scan results to identify real credential exposures. Use when analyzing trufflehog output, triaging secret findings, reviewing credential leaks, or when the user has trufflehog results to review. Can also run scans for an organization. Filters out test/demo secrets and prioritizes verified findings with source code context analysis.

chrismcmacken
testing-security
open
security
0

idor-vulnerability-testing

This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.

MAF2414
testing-security
open
security
0

security

Security Engineer and application security expert. Performs threat modeling, security architecture review, penetration testing, vulnerability assessment, and security compliance. Handles OWASP Top 10, authentication security, authorization, encryption, secrets management, HTTPS/TLS, CORS, CSRF, XSS, SQL injection prevention, secure coding practices, security audits, and compliance (GDPR, HIPAA, PCI-DSS, SOC 2). Activates for security, security review, threat model, vulnerability, penetration testing, pen test, OWASP, authentication security, authorization, encryption, secrets, HTTPS, TLS, SSL, CORS, CSRF, XSS, SQL injection, secure coding, security audit, compliance, GDPR, HIPAA, PCI-DSS, SOC 2, security architecture, secrets management, rate limiting, brute force protection, session security, token security, JWT security, is this secure, security check, review security, find vulnerabilities, security scan, security test, hack proof, prevent hacking, protect from attacks, DDoS protection, bot protection, WAF,

angeldev96
testing-security
open
security
0

generate-policy

Generates a Laravel Policy class for authorization logic. Use when adding permission checks for a model or resource (e.g., "Create a policy for the Course model").

hieupvXmasEve
testing-security
open
security
0

supabase-auth

Implements Supabase Authentication with email, OAuth, magic links, and phone auth. Use when building apps with Supabase, needing auth integrated with Row Level Security, or implementing passwordless login.

mgd34msu
testing-security
open
security
0

security-hardening

Review code for application-level security hardening issues beyond framework checklists. Focuses on abuse prevention, API protection, business logic exploitation, rate limiting, input validation, and early request rejection. Use when auditing code for security, reviewing endpoints for abuse potential, or checking application resilience to real-world attacks.

colinmollenhour
testing-security
open
security
0

authz-bypass-hunter

Hunt for authorization bypass vulnerabilities including IDOR, privilege escalation, missing access controls, broken object-level authorization. Use when auditing authentication/authorization code or API endpoints.

MAF2414
testing-security
open
security
0

auth-patterns

Authentication security patterns and standards for NextAuth.js v5. Use when implementing or reviewing authentication code.

RPvars
testing-security
open
security
0

permissions

Guide for working with team-based permissions and authorization in the WODsmith codebase. Use when touching TEAM_PERMISSIONS constants, hasTeamPermission/requireTeamPermission functions, adding permission checks to actions or server functions, creating features requiring authorization, or ensuring client-server permission consistency.

wodsmith
testing-security
open
security
0

security-observation

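Security observation. Detects missing authorization, injection, sensitive data leaks, cryptographic misuse, and dependency vulnerabilities. Use when: implementing authentication/authorization, handling external input, updating dependencies, running pre-commit checks, asked to do a security review, or when threat analysis is needed.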

CAPHTECH
testing-security
open
security
0

hashing-passwords

CRITICAL security skill teaching proper credential and password handling. NEVER store passwords, use bcrypt/argon2, NEVER accept third-party credentials. Use when handling authentication, passwords, API keys, or any sensitive credentials.

djankies
testing-security
open
security
0

authentication-management

Manages authentication flow for MutuaPIX (Laravel Sanctum + Next.js), handles mock mode security, and validates environment configurations

Lucasdoreac
testing-security
open
security
0

fastapi-jwt-auth

This skill should be used when implementing secure, reusable JWT verification dependency for FastAPI routes. It ensures strict user isolation and identity verification using Better Auth secrets.

SyedaNabila559
testing-security
open
security
0

global-validation

Implement comprehensive input validation with server-side validation (security), client-side validation (UX), fail-early patterns (KISS), specific error messages, allowlists over blocklists, and reusable validators (DRY). Use this skill when validating user input in forms, API endpoints, or data processing functions. Use when implementing validation rules for data types, formats, ranges, required fields, or business rules (SRP). Use when creating validator functions, validation schemas (Zod, Joi, Yup), form validation logic, or input sanitization to prevent injection attacks (SQL, XSS). Use when working with backend validators, frontend form libraries (React Hook Form, Formik), or consistent validation across web forms, API endpoints, and background jobs. Apply validation at multiple layers for defense in depth.

maksimtereshin
testing-security
open
security
0

approval-checker

Verifies that an authorized user has approved the fix plan before proceeding with implementation.

JuniYadi
testing-security
open
security
0

openrouter-config-validator

Configuration validation and testing utilities for OpenRouter API. Use when validating API keys, testing model availability, checking routing configuration, troubleshooting connection issues, analyzing usage costs, or when user mentions OpenRouter validation, config testing, API troubleshooting, model availability, or cost analysis.

vanman2024
testing-security
open
security
0

security

Implements security features following OWASP guidelines. Use when validating input, preventing XSS, adding rate limiting, verifying auth, or handling file uploads. Includes security-utils, sanitize-utils, and rate-limiter patterns.

jhlee0409
testing-security
open
security
0

protection-audit

Audit protected files, generate protection reports, and verify protection consistency. Use for protection system maintenance and compliance.

AEtherlight-ai
testing-security
open
security
0

pal-secaudit

Comprehensive security audit with OWASP Top 10 analysis, compliance evaluation, and threat modeling using PAL MCP. Use for security reviews, vulnerability assessment, or compliance checks. Triggers on security audit requests, vulnerability scanning, or compliance reviews.

estiens
testing-security
open
security
marketplace
0

verification-mode

Verification mode that stops and analyzes on failures, workarounds, or resolution issues

cuioss
testing-security
open
security
0

global-validation

Apply input validation best practices including server-side validation, early failure, specific error messages, and input sanitization. Use this skill when validating user input in n8n nodes, implementing parameter validation, checking data types and formats, sanitizing input to prevent injection attacks, or writing business rule validation. Apply when handling API endpoints, form inputs, or any data entry points in n8n node development.

dpietersz
testing-security
open
security
0

security-audit

Security review checklist and patterns

buildworksai
testing-security
open