appsec

Spawned after all parallel red team analysis agents complete their work. Merges, deduplicates, cross-references, and ranks findings from multiple agents into a single consolidated security report with attack chains and prioritized remediation order.

Simulates an ideologically motivated medium-skill attacker seeking maximum public embarrassment through data leaks, defacement, and service disruption

Simulates a malicious authenticated user with domain knowledge who attempts privilege escalation, data exfiltration, and persistent backdoor access using legitimate credentials

Spawned during red team analysis when critical infrastructure or high-value targets are assessed. Simulates an Advanced Persistent Threat actor with unlimited time, resources, and sophistication who chains multiple weaknesses together to achieve persistent access, covert exfiltration, and lateral movement across system boundaries.

Simulates a professional criminal operation with high technical skill seeking financial gain through payment data interception, credential harvesting, PII theft, and ransomware deployment vectors

Simulates a low-skill opportunistic attacker who uses automated tools, public exploit databases, and common scanning techniques to find easy wins in the codebase

Spawned during red team analysis to evaluate supply chain attack surface. Simulates a targeted dependency compromiser who has taken control of one of the project's dependencies and wants to maximize blast radius through build pipelines, update mechanisms, and transitive trust relationships.

This skill should be used when the user asks to "check for access control issues", "analyze authorization", "find IDOR vulnerabilities", "audit CORS configuration", "check for privilege escalation", or mentions "access control", "authorization", "IDOR", "CORS", "JWT tampering", or "directory traversal" in a security context. Maps to OWASP Top 10 2021 A01: Broken Access Control.

This skill should be used when the user asks to "check API security", "audit REST API", "find BOLA vulnerabilities", "check for mass assignment", "analyze API rate limiting", "detect excessive data exposure", or mentions "API security", "BOLA", "IDOR", "mass assignment", "rate limiting", "broken function-level authorization", "excessive data exposure", or "OWASP API Top 10" in a security context.

This skill should be used when the user asks to "map attack surface", "list entry points", "inventory API endpoints", "find all inputs", "enumerate routes", "discover exposed endpoints", or "map external interfaces". Also triggers when the user asks about exposed APIs, form handlers, file upload endpoints, WebSocket handlers, CLI argument parsers, or wants to understand where external data enters the system.

This skill should be used when the user asks to "check for authentication issues", "analyze auth", "find credential vulnerabilities", "review login security", "check session management", or mentions "authentication", "passwords", "MFA", "sessions", or "brute force" in a security context. Maps to OWASP Top 10 2021 A07: Identification and Authentication Failures.

This skill should be used when the user asks to "check business logic security", "find logic flaws", "audit workflow security", "check for coupon abuse", "detect negative amount exploits", "analyze state machine security", or mentions "business logic", "workflow bypass", "negative amount", "coupon abuse", "self-referral", "state manipulation", or "time-based exploit" in a security context.

This skill should be used when the user asks to "configure security", "appsec settings", "security preferences", or invokes /appsec:config. Manages security tool preferences and thresholds.

This skill should be used when the user asks to "check for cryptographic issues", "analyze encryption", "find weak hashing", "audit password storage", "check for hardcoded keys", or mentions "cryptography", "encryption", "hashing", "TLS", "certificates", or "random number generation" in a security context. Maps to OWASP Top 10 2021 A02: Cryptographic Failures.

This skill should be used when the user asks to "check for personal data disclosure", "analyze PII exposure", "find privacy issues related to data leakage", "check for unauthorized data sharing", or mentions "disclosure" in a privacy context. Maps to LINDDUN category D2. Focuses specifically on PERSONAL data disclosure, complementing STRIDE information disclosure.

This skill should be used when the user asks to "map data flows", "trace data through the system", "show how data moves", "identify trust boundaries", "find where data is encrypted or decrypted", "map PII flows", or "trace input to storage". Also triggers when the user asks about data transformation pipelines, where sensitive data is processed, or how user input reaches databases or external services.

This skill should be used when the user asks to "check for detectability", "analyze timing side channels", "find privacy issues related to traffic analysis", "check for metadata leakage", or mentions "detectability" in a privacy context. Maps to LINDDUN category D1.

This skill should be used when the user asks to "check for denial of service", "analyze availability risks", "find DoS vulnerabilities", or mentions "denial of service" or "DoS" in a security context. Maps to STRIDE category D.

This skill should be used when the user asks to "explain security concept", "what is OWASP", "explain this finding", "what does this vulnerability mean", "explain stride", "explain injection", "what is CSRF", "explain spoofing", "what does INJ-003 mean", "compare stride vs pasta", or asks any question about security terminology, frameworks, vulnerability categories, or specific findings. Works at framework, category, finding, and comparison levels.

This skill should be used when the user asks to "check file upload security", "analyze upload validation", "find upload vulnerabilities", "check for zip slip", "audit file upload handling", or mentions "file upload", "upload validation", "content-type check", "magic bytes", "zip slip", or "path traversal in upload" in a security context.

This skill should be used when the user asks to "fix security finding", "fix vulnerability", "generate security fix", "appsec fix", "patch vulnerability", "remediate finding", or "apply security patch". Also triggers when the user references a finding ID (e.g., INJ-001) and asks for a fix, or points to a file:line and asks to fix the security issue there.

This skill should be used when the user asks for a "full security audit", "exhaustive audit", "comprehensive security review", or invokes /appsec:full-audit. Launches every framework, every tool, and every red team agent, producing a dated report file.

This skill should be used when the user asks to "generate fuzz inputs", "create fuzz tests", "fuzz test generation", "generate test payloads", "create security test cases", or "generate edge case inputs". Also triggers when the user wants intelligent test inputs for input parsers, API endpoints, file format handlers, or needs context-aware injection payloads for security testing.

This skill should be used when the user asks "what is IDOR", "define CSRF", "security glossary", or wants quick security term definitions. Quick reference for security terms, acronyms, and categories.

This skill should be used when the user asks to "check GraphQL security", "analyze GraphQL endpoint", "find GraphQL vulnerabilities", "audit GraphQL schema", "check for introspection", "analyze query depth", or mentions "GraphQL", "introspection", "query depth limit", "query complexity", "GraphQL batching", "alias abuse", or "per-field authorization" in a security context.

This skill should be used when the user asks to "harden code", "security hardening", "improve security posture", "add security headers", "tighten security", "defensive coding suggestions", or "proactive security improvements". Also triggers when the user asks about CSP, CORS hardening, rate limiting, input validation improvements, security logging, or defense-in-depth measures.

This skill should be used when the user asks to "check for identifiability", "analyze re-identification risks", "find privacy issues related to anonymization", "check for PII exposure", or mentions "identifiability" in a privacy context. Maps to LINDDUN category I.

This skill should be used when the user asks to "check for information disclosure", "analyze data leakage risks", "find data exposure vulnerabilities", or mentions "information disclosure" in a security context. Maps to STRIDE category I.

This skill should be used when the user asks to "check for injection", "analyze SQL injection", "find injection vulnerabilities", "check for command injection", "find NoSQL injection", "check for LDAP injection", or mentions "injection" in a security context. Maps to OWASP Top 10 2021 A03:2021 - Injection.

This skill should be used when the user asks to "check for design flaws", "analyze security design", "find insecure design patterns", "review threat model", "check business logic security", "find missing security controls", or mentions "insecure design" in a security context. Maps to OWASP Top 10 2021 A04:2021 - Insecure Design.

This skill should be used when the user asks to "check for integrity issues", "analyze deserialization", "find supply chain vulnerabilities", "review CI/CD security", "check SRI", or mentions "deserialization", "integrity", "pipeline security", "code signing", or "supply chain" in a security context. Maps to OWASP Top 10 2021 A08: Software and Data Integrity Failures.

This skill should be used when the user asks to "learn about security", "teach me OWASP", "security tutorial", "learn threat modeling", or invokes /appsec:learn. Interactive guided walkthrough using your codebase as teaching material.

This skill should be used when the user asks to "run LINDDUN analysis", "check privacy threats", "privacy threat model", "GDPR analysis", "check data protection", or invokes /appsec:linddun. Dispatches 7 category subagents in parallel for comprehensive LINDDUN privacy threat coverage.

This skill should be used when the user asks to "check for linkability", "analyze cross-service tracking", "find privacy issues related to user correlation", "check for cross-domain tracking", or mentions "linkability" in a privacy context. Maps to LINDDUN category L.

This skill should be used when the user asks to "check for logging issues", "analyze security logging", "find missing audit logs", "check for log injection", "audit monitoring configuration", or mentions "logging", "audit trail", "log injection", "monitoring", or "alerting" in a security context. Maps to OWASP Top 10 2021 A09: Security Logging and Monitoring Failures.

This skill should be used when the user asks to "check for misconfigurations", "analyze security headers", "find misconfigured settings", "check CORS policy", "find debug mode", "audit server configuration", or mentions "misconfiguration" in a security context. Maps to OWASP Top 10 2021 A05: Security Misconfiguration.

This skill should be used when the user asks to "map to ATT&CK", "show attack techniques", "MITRE mapping", or wants to understand how findings relate to real-world attacker behavior. Maps security findings to MITRE ATT&CK tactics, techniques, and procedures.

This skill should be used when the user asks to "create threat model", "threat model architecture", "map security architecture", "build threat model", "STRIDE analysis", "data flow diagram", "DFD security", or "attack tree analysis". Also triggers when the user wants a systematic identification of threats against the application architecture, trust boundaries, data flows, or component interactions.

This skill should be used when the user asks to "check for non-compliance", "analyze GDPR compliance", "find CCPA violations", "check HIPAA compliance", "audit regulatory requirements", or mentions "non-compliance" in a privacy context. Maps to LINDDUN category N2. No STRIDE equivalent exists.

This skill should be used when the user asks to "check for non-repudiation privacy risks", "analyze excessive audit logging", "find privacy issues related to accountability", "check for forced identity linking", or mentions "non-repudiation" in a privacy context. Maps to LINDDUN category N. This is the INVERSE of STRIDE repudiation -- here too much proof is the threat.

This skill should be used when the user asks to "check for vulnerable dependencies", "audit dependencies", "find outdated packages", "scan for CVEs", "check for typosquatting", or mentions "vulnerable components", "outdated dependencies", or "supply chain" in a security context. Maps to OWASP Top 10 2021 A06: Vulnerable and Outdated Components.

This skill should be used when the user asks to "run OWASP analysis", "check OWASP Top 10", "OWASP scan", or invokes /appsec:owasp. Dispatches 10 category subagents (A01-A10) in parallel for comprehensive OWASP Top 10 coverage.

This skill should be used when the user asks to "simulate attacks", "build attack trees", "model exploit chains", "score exploitability", or is running PASTA stage 6. Also triggers when the user asks about attack scenarios, red team simulation, DREAD scoring, or detection gap analysis in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 6 of 7).

This skill should be used when the user asks to "decompose the application", "map trust boundaries", "identify components and roles", "catalog permissions", or is running PASTA stage 3. Also triggers when the user asks about role-based access control mapping, data classification, or service-to-service trust in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 3 of 7).

This skill should be used when the user asks to "define business objectives", "identify business-critical assets", "determine risk appetite", or is running PASTA stage 1. Also triggers when the user asks about compliance requirements, acceptable risk thresholds, or business impact analysis in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 1 of 7).

This skill should be used when the user asks to "calculate risk scores", "prioritize mitigations", "generate remediation roadmap", "analyze business impact", or is running PASTA stage 7. Also triggers when the user asks about risk-weighted findings, compliance gap analysis, or executive security summary in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 7 of 7).

This skill should be used when the user asks to "define technical scope", "map attack surface", "identify entry points", "build a data flow diagram", or is running PASTA stage 2. Also triggers when the user asks about DFDs, network boundaries, external dependencies, or deployment topology in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 2 of 7).

This skill should be used when the user asks to "analyze threats", "identify threat actors", "map attack vectors", "cross-reference MITRE ATT&CK", or is running PASTA stage 4. Also triggers when the user asks about adversary tactics, supply chain threats, or threat intelligence in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 4 of 7).

This skill should be used when the user asks to "analyze vulnerabilities", "find security weaknesses", "map CWEs", "run vulnerability analysis", or is running PASTA stage 5. Also triggers when the user asks about SAST, DAST, dependency scanning, or CWE mapping in a threat modeling context. Part of the PASTA threat modeling methodology (Stage 5 of 7).

This skill should be used when the user asks to "run PASTA analysis", "PASTA threat model", "risk-centric threat analysis", or invokes /appsec:pasta. Dispatches 7 stages SEQUENTIALLY -- each stage's output feeds the next. This is the ONLY framework that runs sequentially.

This skill should be used when the user asks to "check for privilege escalation", "analyze authorization risks", "find access control vulnerabilities", or mentions "elevation of privilege" in a security context. Maps to STRIDE category E.

This skill should be used when the user asks to "check for race conditions", "find TOCTOU bugs", "analyze concurrency issues", "detect double-spend vulnerabilities", "check for check-then-act patterns", "find shared state bugs", or mentions "race condition", "TOCTOU", "double-spend", "concurrency", "atomicity", or "thread safety" in a security context.

This skill should be used when the user asks to "check for regressions", "verify fixes still hold", "regression test security", "check for reintroduced vulnerabilities", "security regression check", or "verify no old bugs returned". Also triggers when the user wants to confirm that previously fixed vulnerabilities have not been reintroduced by recent code changes.

This skill should be used when the user asks to "generate security report", "create appsec report", "export findings", "security summary", "findings report", "executive security summary", or "export to SARIF". Also triggers when the user wants a formatted overview of all security findings, remediation progress, scanner coverage, or needs to share security status with stakeholders.

This skill should be used when the user asks to "check for repudiation", "analyze audit logging", "find logging gaps", or mentions "repudiation" or "non-repudiation" in a security context. Maps to STRIDE category R.

This skill should be used when the user asks to "review plan for security", "check plan for security issues", "security review of implementation plan", "audit the plan for vulnerabilities", or "check my plan before coding". Also triggers when the user mentions security in the context of an implementation plan, architecture proposal, or design document before code has been written. This is the FLAGSHIP pre-code security skill -- no other tool reviews plans at design time.

This skill should be used when the user asks to "run security scan", "scan for vulnerabilities", "security check", "check security", or invokes /appsec:run. Smart orchestrator that detects the tech stack, selects relevant security tools, and runs them in parallel.

This skill should be used when the user asks to "check CWE Top 25", "run SANS analysis", "check for common weaknesses", or mentions "CWE" or "SANS Top 25" in a security context. Checks code against the SANS/CWE Top 25 Most Dangerous Software Weaknesses.

This skill should be used when the user asks to "check for secrets", "find hardcoded credentials", "scan for API keys", "detect leaked tokens", "find passwords in code", "check for committed .env files", "scan for private keys", or mentions "secrets", "credentials", "API keys", or "leaked tokens" in a security context. Also triggers for git history secret scanning and high-entropy string detection.

This skill should be used when the user asks to "check serverless security", "audit Lambda functions", "analyze cloud function permissions", "check IAM policies", "find serverless vulnerabilities", or mentions "serverless", "Lambda", "Cloud Functions", "Azure Functions", "IAM policy", "event injection", "overprivileged", or "/tmp reuse" in a security context.

This skill should be used when the user asks to "check for spoofing", "analyze identity spoofing risks", "find authentication vulnerabilities", or mentions "spoofing" in a security context. Maps to STRIDE category S.

This skill should be used when the user asks to "check for SSRF", "analyze server-side request forgery", "find URL fetching vulnerabilities", "check for internal network access", or mentions "SSRF", "URL fetching", "cloud metadata", "169.254.169.254", or "request forgery" in a security context. Maps to OWASP Top 10 2021 A10: Server-Side Request Forgery.

This skill should be used when the user asks to "start security analysis", "assess security", "which security tools should I use", "appsec start", "what should I scan", "security assessment", or invokes /appsec:start. Assesses the project's tech stack, data sensitivity, architecture, and installed scanners, then recommends which /appsec:* tools to run in priority order with rationale.

This skill should be used when the user asks for "security status", "show findings", "security dashboard", "security posture", or invokes /appsec:status. Shows current security posture overview.

This skill should be used when the user asks to "run STRIDE analysis", "check STRIDE", "threat model with STRIDE", or invokes /appsec:stride. Dispatches 6 category subagents (S-T-R-I-D-E) in parallel for comprehensive STRIDE threat modeling coverage.

This skill should be used when the user asks to "check for tampering", "analyze data integrity risks", "find injection vulnerabilities", or mentions "tampering" in a security context. Maps to STRIDE category T.

This skill should be used when the user asks to "check for unawareness", "analyze consent mechanisms", "find privacy issues related to transparency", "check for hidden data collection", "audit user consent flows", or mentions "unawareness" in a privacy context. Maps to LINDDUN category U. No STRIDE equivalent exists.

This skill should be used when the user asks to "verify fix", "confirm fix", "check if vulnerability is fixed", "validate remediation", "recheck finding", or "test if patch works". Also triggers when the user has applied a security fix and wants confirmation that the vulnerability is actually resolved, or when referencing a finding ID and asking if it is still present.

This skill should be used when the user asks to "check WebSocket security", "analyze WebSocket authentication", "find WebSocket vulnerabilities", "audit WebSocket handlers", "check for CSWSH", or mentions "WebSocket", "ws://", "wss://", "socket.io", "CSWSH", "WebSocket origin check", "WebSocket rate limit", or "WebSocket authentication" in a security context.

2 hooks across 1 event