Security guidance skills for AI coding assistants. Covers cryptography, web security, supply chain, MCP servers, Kubernetes, API gateways, fuzzing, static analysis, audit workflows, and more.
Verify and configure HTTP response security headers. Use when reviewing web server configuration, reverse proxy setup, or application middleware that sets response headers.
Enforce XSS prevention and secure rendering in React applications. Use when building, reviewing, or auditing React components, especially those that render user-controlled data or use server-side rendering.
Ruzzy is a coverage-guided Ruby fuzzer by Trail of Bits. Use for fuzzing pure Ruby code and Ruby C extensions.
Enforce secure token validation and storage in MCP servers. Use when implementing or reviewing token handling, JWT validation, or token storage in MCP servers.
AFL++ is a fork of AFL with better fuzzing performance and advanced features. Use for multi-core fuzzing of C/C++ projects.
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
Security skills for AI coding assistants and agentic systems. Skills encode security recommendations, guidelines, and best practices as structured markdown files that AI assistants (Claude Code, Cursor, Copilot, and others) consume directly while writing, testing, and auditing code.
The goal is to shift security left: apply security guidance during development, not after review.
make bootstrap
Installs ruff, ty, skillsaw, pre-commit, and wires up git hooks so linting and ADR validation run automatically before each commit. Requires uv on your PATH.
Reference any skill by path in your assistant prompt:
Using `module/skills/input-output-sanitization/SKILL.md`: review this MCP server for injection risks.
Using `module/skills/cargo-fuzz/SKILL.md`: write a fuzzing harness for this parser.
Using `module/skills/differential-review/SKILL.md`: review the security impact of this diff.
Skills are tool-agnostic — the same files work in any assistant that can read them.
Install all skills to your AI assistant in one command using Lola:
lola mod add https://github.com/RedHatProductSecurity/prodsec-skills.git
lola install prodsec-skills --assistant claude-code
For platforms that bake knowledge into runner images and expose it via add_dirs
(e.g. Ambient Code Platform):
1. Clone the module into your image at build time, pinned to a specific SHA:
ARG PRODSEC_SKILLS_REF=<pinned-sha>
RUN git clone https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills \
&& git -C /app/prodsec-skills checkout --detach "${PRODSEC_SKILLS_REF}" \
&& rm -rf /app/prodsec-skills/.git
2. Add /app/prodsec-skills/module to add_dirs — not the repo root. This
ensures the agent's context entry point is module/AGENTS.md (the AI Main Spec),
not the contributor-facing root AGENTS.md:
# bridge.py — during session setup
PRODSEC_MODULE_PATH = "/app/prodsec-skills/module"
if Path(f"{PRODSEC_MODULE_PATH}/skills").exists() and PRODSEC_MODULE_PATH not in add_dirs:
add_dirs.append(PRODSEC_MODULE_PATH)
3. Optionally inject a system prompt directing agents to the skill index and
the correct path pattern (module/skills/<skill-id>/SKILL.md):
PRODSEC_SKILLS_PROMPT = (
"## Security Skills\n"
"Product Security skills are available at `/app/prodsec-skills/module/skills/`.\n"
"Choose a skill by reading its `description` field in `SKILL.md` — it is written "
"as an invocation condition. When performing security-sensitive tasks, read the "
"relevant skill before proceeding.\n"
"See `/app/prodsec-skills/module/AGENTS.md` for the full index and usage guide.\n\n"
)
The module/AGENTS.md file (the AI Main Spec) is the single entry point — it
lists all 138 skills with their trigger conditions and category groupings.
The included .coderabbit.yaml translates prodsec-skills into automated PR review rules for CodeRabbit. It condenses ~60 skills into path-based review instructions, enables 8 security scanners, and defines pre-merge checks for the highest-severity concerns.
This condensed version will be updated as new applicable skills are added to prodsec-skills.
To adopt in your repository:
Copy .coderabbit.yaml to the root of your repo (must be on the default branch):
curl -fsSL https://raw.githubusercontent.com/RedHatProductSecurity/prodsec-skills/main/.coderabbit.yaml \
-o .coderabbit.yaml
Note: This fetches the latest version from
main. For reproducible installs, pin to a specific commit SHA:https://raw.githubusercontent.com/RedHatProductSecurity/prodsec-skills/<SHA>/.coderabbit.yaml
Customize the globs in path_instructions for your project structure. The defaults use common conventions (**/{auth,oauth}/**/*, **/*.go, etc.) but may need tuning.
Adjust pre-merge check modes. Start with warning, promote to error after 2-4 weeks:
pre_merge_checks:
custom_checks:
- name: "no-hardcoded-secrets"
mode: "warning" # change to "error" once tuned
Validate by commenting @coderabbitai configuration on any PR.
What you get:
npx claudepluginhub sidhpurwala-huzaifa/prodsec-skillsHarness-native ECC operator layer - 67 agents, 278 skills, 94 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Matt Pocock's agent skills for real engineering — grilling, spec/ticket flows, TDD, code review, domain modelling and more. Plug-and-play, not vibe coding.
Reliable automation, in-depth debugging, and performance analysis in Chrome using Chrome DevTools and Puppeteer
Core skills library for Claude Code: TDD, debugging, collaboration patterns, and proven techniques
Design fluency for frontend development. 1 skill with 23 commands (/impeccable polish, /impeccable audit, /impeccable critique, etc.) and curated anti-pattern detection.