By wshobson
Automates security scanning, threat modeling, and compliance auditing across multi-language projects, integrating SAST, dependency vulnerability detection, and remediation into CI/CD pipelines.
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.
Orchestrate comprehensive security hardening with defense-in-depth strategy across all application layers
Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
Expert security auditor specializing in DevSecOps, comprehensive cybersecurity, and compliance frameworks. Masters vulnerability assessment, threat modeling, secure authentication (OAuth2/OIDC), OWASP standards, cloud security, and security automation. Handles DevSecOps integration, compliance (GDPR/HIPAA/SOC2), and incident response. Use PROACTIVELY for security audits, DevSecOps, or compliance implementation.
Expert in threat modeling methodologies, security architecture review, and risk assessment. Masters STRIDE, PASTA, attack trees, and security requirement extraction. Use PROACTIVELY for security architecture reviews, threat identification, or building secure-by-design systems.
Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.
Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.
Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security documentation.
Map identified threats to appropriate security controls and mitigations. Use when prioritizing security investments, creating remediation plans, or validating control effectiveness.
Uses power tools
Uses Bash, Write, or Edit tools
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
Production-ready agentic workflow building blocks: 92 plugins, 199 agents, 162 skills, 106 commands — built for Claude Code and consumed natively by OpenAI Codex CLI, Cursor, OpenCode, Gemini CLI, and GitHub Copilot from a single Markdown source.
[!NOTE] One source-of-truth (
plugins/), five harnesses. Each harness gets idiomatic, harness-native artifacts — not lowest-common-denominator translations. See docs/harnesses.md for the capability matrix.
Pick your harness:
/plugin marketplace add wshobson/agents
/plugin install python-development # or any of 92 plugins
→ Full Claude Code setup, troubleshooting, and plugin catalog
Codex and Cursor install natively from the committed registries (which point at the source plugins/):
npx codex-marketplace add wshobson/agents # Codex; then install individual plugins
# Cursor: add the marketplace, then `/plugin install <name>` (reads .cursor-plugin/ + source)
Gemini and OpenCode install via clone + generate (the transformed trees are gitignored):
gh repo clone wshobson/agents ~/agents && cd ~/agents
make generate HARNESS=gemini && gemini extensions install . # Gemini
make install-opencode # OpenCode (runs generate + symlinks)
Setup details and per-harness gotchas: docs/harnesses.md. Gemini-specific setup: GEMINI.md (also auto-loaded by Gemini CLI).
| Count | What it is | |
|---|---|---|
| Plugins | 92 | Granular, single-purpose installable units (88 local + 4 external via git-subdir) |
| Agents | 199 | Domain experts (architecture, languages, infra, security, data, ML, docs, business, SEO) |
| Skills | 162 | Modular knowledge packages with progressive disclosure (load when activated) |
| Commands | 106 | Slash commands: scaffolding, security scans, test gen, infrastructure setup |
| Orchestrators | 16 | Multi-agent coordination workflows (full-stack, security, ML, incident response) |
Browse the catalog: docs/plugins.md · docs/agents.md · docs/agent-skills.md
Each plugin is isolated and composable: agents, commands, and skills are auto-discovered from directory structure. Installing a plugin loads only its components into context — not the whole marketplace.
plugins/python-development/
├── .claude-plugin/plugin.json
├── agents/ # 3 Python agents (python-pro, django-pro, fastapi-pro)
├── commands/ # 1 scaffolding command
└── skills/ # 16 specialized skills (async, testing, packaging, …)
Tiered model strategy:
| Tier | Model | Use |
|---|---|---|
| 0 | Fable 5 | Longest-horizon autonomous work — large migrations, multi-hour runs (opt-in, premium cost) |
| 1 | Opus | Architecture, security, code review, production-critical |
| 2 | inherit | User-chosen — backend, frontend, AI/ML, specialized |
| 3 | Sonnet | Docs, testing, debugging, API references |
| 4 | Haiku | Fast operational tasks, SEO, deployment, content |
This marketplace ships to five agentic harnesses from one Markdown source. Each adapter emits harness-native artifacts (not lowest-common-denominator translations):
| Harness | Generates | Notes |
|---|---|---|
| Claude Code | (source-of-truth) | Native marketplace.json + plugins/ |
| Codex CLI | .agents/plugins/marketplace.json + plugins/*/.codex-plugin/plugin.json (committed); .codex/skills/, .codex/agents/ (gitignored) | 8 KB skill cap respected; commands → skills |
| Cursor | .cursor-plugin/, .cursor/rules/ | Thin marketplace + curated rules; reuses .claude/ |
| OpenCode | .opencode/agents/, .opencode/commands/, .opencode/skills/ | permission: block from tools: allowlist; OpenCode-safe skill names |
| Gemini CLI | skills/, agents/, commands/ (TOML) | Native skills + subagents (April 2026 spec) |
| Copilot | .copilot/agents/, .copilot/skills/, .copilot/commands/ | Markdown agent profiles + SKILL.md skills + commands-as-skills; model maps to native Claude models |
Modern Python development with Python 3.12+, Django, FastAPI, async patterns, and production best practices
Smart contract development with Solidity, DeFi protocol implementation, NFT platforms, and Web3 application architecture
OpenAPI specification generation, Mermaid diagram creation, tutorial writing, API reference documentation
Performance analysis, test coverage review, and AI-powered code quality assessment
Modern Julia development with Julia 1.10+, package management, scientific computing, high-performance numerical code, and production best practices
npx claudepluginhub wshobson/agents --plugin security-scanningImplements automated security scanning for dependencies, code, and containers using tools like Trivy, Snyk, and npm audit. Use when setting up CI/CD security gates, conducting pre-deployment audits, or meeting compliance requirements.
Agentic-Security is a powerful Claude Code plugin that automatically performs Application Security Testing (SAST, SCA, secrets detection, and more). Think of it as the easy button for making your Claude-generated code safe and secure.
Security scanning, dependency CVE audits, and exposure-aware risk prioritization.
Comprehensive vulnerability scanning for code, dependencies, and configurations with CVE detection
Open-source cybersecurity analysis agent. Scans any local project for vulnerabilities: code security (SAST), dependency CVEs (SCA), secret leaks, authentication/authorization flaws, cryptographic weaknesses, misconfigurations, supply chain risks, and CI/CD security. Covers all OWASP 2025 Top 10 and CWE Top 25 categories. Generates prioritized reports with remediation guidance. Invoke with /cyber-neo [path].
A team of AI security specialists embedded in your coding workflow. 8 agents covering every phase of the Secure SDLC: requirements, threat modelling, code review, IaC security, compliance, and release gating. Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.