Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue
Assess and improve Azure Functions and App Service reliability through zone redundancy, storage replication, health probes, and multi-region failover. Scans deployed resources for zone redundancy on compute, zone-redundant storage (ZRS/GZRS), health probes, and multi-region failover configuration Presents findings as a feature-pivoted checklist, then guides staged remediation via Azure CLI commands or IaC patches (Bicep/Terraform) with user confirmation at each step Supports two fix paths: immediate CLI changes against live resources, or persistent IaC updates with automatic deployment via azd up or terraform apply Handles storage migration separately (live conversion from LRS/GRS to ZRS) with polling and two-deploy flow to keep IaC in sync Multi-region setup (secondary region + Front Door) only offered after core single-region reliability is complete; requires explicit user consent before any deployment
Automated security auditor for Firestore rules using red-team methodology. Evaluates rules against a mandatory checklist covering update bypasses, authority sources, business logic alignment, resource exhaustion, and type safety Identifies vulnerabilities across six critical dimensions: privilege escalation, data integrity, PII exposure, validation inconsistencies, and access control gaps Scores findings on a 1–5 scale (critical to secure) with detailed recommendations for each issue discovered Includes special handling for admin bootstrapping patterns to avoid false positives on legitimate hardcoded admin email checks
Security best practices and vulnerability prevention for Golang. Covers injection (SQL, command, XSS), cryptography, filesystem safety, network security,…
Email verification, password reset flows, and customizable password policies for Better Auth. Supports email verification with optional enforcement to block sign-in until verified, plus configurable token expiration and single-use reset tokens Password reset flows with built-in security: background email sending, timing attack prevention, dummy operations on invalid requests, and optional session revocation on reset Configurable password length limits (default 8–256 characters) and custom hashing algorithms via pluggable hash and verify functions Requires absolute callback URLs and sendVerificationEmail / sendResetPassword functions to integrate with your email provider
Review docs/prose for Writing Guidelines compliance. Use when asked to "review my docs", "check writing style", "audit prose", "review docs voice and tone", or…
Automated security auditor for Firestore rules using red-team methodology and structured scoring. Evaluates rules against a mandatory checklist covering update bypasses, authority sources, business logic alignment, storage abuse, and type safety Applies a 1–5 severity scale (critical to secure) with detailed findings for each identified vulnerability Identifies privilege escalation risks, data integrity flaws, and field-level vs. identity-level security gaps Includes admin bootstrapping validation to distinguish legitimate hardcoded admin checks from escalation risks Returns structured JSON assessment with score, summary, and actionable recommendations for each finding
Pre-install security vetting for OpenClaw skills using a structured red-flag checklist. Evaluates metadata, permission scope, and content against critical, warning, and informational risk categories Detects typosquatting, credential file references, obfuscated content, and command injection patterns Flags high-risk permission combinations like network + shell that enable data exfiltration Produces a standardized vetting report with verdict (Safe/Warning/Danger/Block) and install recommendation
Google Workspace IT administration with security monitoring and configuration capabilities. Requires three prerequisite skills: gws-gmail, gws-drive, and gws-calendar for full functionality Includes standup-report workflow to review pending IT requests and security alerts at the start of each day Supports monitoring of suspicious login activity, audit log review, and Drive sharing policy configuration Recommends using --dry-run flag before bulk operations and regular permission verification via gws auth status
Google Model Armor: Filter user-generated content for safety. Provides three core helper commands: sanitize prompts, sanitize responses, and create custom filtering templates Integrates with Google Workspace services via the gws CLI tool with shared authentication and security rules Requires schema inspection via gws schema to discover available resources, methods, and parameter requirements before executing API calls
Create Google Model Armor templates to filter prompts and responses for safety. Requires GCP project ID, location, and template ID; supports preset templates (jailbreak) or custom JSON configuration Templates work with companion sanitize-prompt and sanitize-response commands for comprehensive content filtering Write operation requiring user confirmation before execution Defaults to jailbreak preset if no preset or JSON configuration is specified
Sanitize user prompts through Google Model Armor safety templates. Requires a Model Armor template resource name and accepts text input via flag, stdin, or full JSON request body Designed for inbound prompt safety; use the companion +sanitize-response command for outbound response filtering Integrates with Google Cloud authentication and global flags defined in gws-shared
Sanitize model responses through Google Model Armor templates for outbound safety. Applies Model Armor templates to filter model outputs before delivery to users Accepts text input via --text flag or piped stdin, with optional full JSON request body override Requires template resource name in format projects/PROJECT/locations/LOCATION/templates/TEMPLATE Complements the +sanitize-prompt command for inbound user input safety
Transform threat analysis into actionable security requirements. Converts STRIDE threat categories into functional, non-functional, and constraint requirements with automatic priority calculation based on impact and likelihood Generates security user stories, acceptance criteria, and test cases directly from threats; includes traceability matrices linking threats to requirements Maps requirements to compliance frameworks (PCI-DSS, HIPAA, GDPR, SOC2, NIST, ISO 27001, OWASP) and identifies coverage gaps Organizes requirements by security domain (authentication, authorization, data protection, audit logging, input validation, cryptography, and six others) with built-in filtering and export to markdown
Comprehensive security hardening for web applications covering HTTPS, input validation, authentication, and OWASP Top 10 vulnerabilities. Enforces HTTPS, security headers (CSP, HSTS), and rate limiting via Helmet and Express middleware to prevent DDoS and common attacks Prevents SQL Injection and XSS through parameterized queries, input validation with Joi, and output encoding with DOMPurify Implements CSRF token protection, JWT-based authentication with refresh token rotation, and secret management via environment variables Includes OWASP Top 10 checklist and best practices for access control, defense in depth, and principle of least privilege
better-auth-security-best-practices — an installable skill for AI agents, published by better-auth/skills.
Comprehensive smart contract security patterns, vulnerability prevention, and secure Solidity development practices. Covers critical vulnerabilities including reentrancy, integer overflow/underflow, access control failures, and front-running with vulnerable code examples and secure patterns Teaches Checks-Effects-Interactions pattern, pull-over-push payment design, input validation, and emergency stop mechanisms for production-ready contracts Includes gas optimization techniques such as storage packing, calldata usage, and event-based data storage Provides security checklist, Hardhat testing examples for vulnerability detection, and audit preparation guidelines with proper documentation standards
Defense-in-depth Kubernetes security through network policies, pod security standards, RBAC, and admission control. Covers three pod security levels (Privileged, Baseline, Restricted) enforced via namespace labels for graduated security posture Provides NetworkPolicy templates for default-deny, service-to-service communication, and DNS egress patterns Includes RBAC configuration examples for roles, cluster roles, and bindings to implement least-privilege access Demonstrates OPA Gatekeeper constraint templates and Istio mTLS/AuthorizationPolicy for policy enforcement and service mesh security References CIS Kubernetes Benchmark and NIST Cybersecurity Framework compliance patterns with troubleshooting commands for NetworkPolicy and RBAC validation
Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.