From axiom
Stores credentials, encrypts data, implements passkeys, secures AI agents against prompt injection, handles code signing, and manages certificates/provisioning profiles.
How this skill is triggered — by the user, by Claude, or both
Slash command
/axiom:axiom-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**You MUST use this skill for ANY keychain, encryption, passkey, app integrity, agentic/AI feature security, file protection, or code signing work.**
You MUST use this skill for ANY keychain, encryption, passkey, app integrity, agentic/AI feature security, file protection, or code signing work.
| Symptom / Task | Reference |
|---|---|
| Store tokens, passwords, API keys securely | See skills/keychain.md |
| Choose kSecAttrAccessible level, biometric protection | See skills/keychain.md |
| SecItem function signatures, attribute constants | See skills/keychain-ref.md |
| errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed | See skills/keychain-diag.md |
| Encrypt data, sign payloads, key management | See skills/cryptokit.md |
| Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement | See skills/cryptokit-ref.md |
| Passkey sign-in, WebAuthn, ASAuthorizationController | See skills/passkeys.md |
One-time code AutoFill for credential providers OS27 | See skills/passkeys.md (Delivered Verification Codes) |
| App integrity verification, DCAppAttestService, fraud metric | See skills/app-attest.md |
| Prompt injection, securing AI agents / agentic features, tool confirmation | See skills/agentic-security.md |
| NSFileProtection levels, data protection at rest | See skills/file-protection-ref.md |
| SensitiveContentAnalysis verdict must never leave the device (no analytics/moderation queue/synced cache; license §3.3.3) | See axiom-vision (skills/vision-ref.md) |
| Certificate management, provisioning profiles, CI/CD signing | See skills/code-signing.md |
| Certificate not found, profile mismatch, entitlement errors | See skills/code-signing-diag.md |
| Certificate CLI, profile inspection, entitlement extraction | See skills/code-signing-ref.md |
| Apple Pay payment certs / pass type certs / Tap to Pay entitlement | See axiom-payments suite |
digraph security {
start [label="Security task" shape=ellipse];
what [label="What do you need?" shape=diamond];
start -> what;
what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
what -> "skills/agentic-security.md" [label="AI agent security,\nprompt injection"];
what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}
skills/keychain.md
1a. Need SecItem function signatures, attribute constants? → skills/keychain-ref.md
1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? → skills/keychain-diag.mdskills/cryptokit.md
2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? → skills/cryptokit-ref.mdskills/passkeys.mdskills/app-attest.mdskills/agentic-security.mdskills/file-protection-ref.mdskills/code-signing.md
7a. Code signing error troubleshooting? → skills/code-signing-diag.md
7b. Certificate CLI commands, profile inspection? → skills/code-signing-ref.md/skill axiom-shipping/skill axiom-data/skill axiom-networkingsecurity vs axiom-build: When build fails with signing errors:
CODESIGN, ITMS-90xxx, errSec → securitysecurity vs shipping: When preparing for App Store:
security vs axiom-data: When storing sensitive data:
.db/-wal/-shm trio, widget-while-locked access) → See axiom-data (skills/grdb-app-groups.md) §4security vs axiom-networking: When securing network communication:
Keychain (skills/keychain.md):
Keychain API (skills/keychain-ref.md):
Keychain Diagnostics (skills/keychain-diag.md):
CryptoKit (skills/cryptokit.md):
CryptoKit API (skills/cryptokit-ref.md):
Passkeys (skills/passkeys.md):
App Attest (skills/app-attest.md):
Agentic Security (skills/agentic-security.md):
File Protection (skills/file-protection-ref.md):
Code Signing (skills/code-signing.md):
Code Signing Diagnostics (skills/code-signing-diag.md):
Code Signing CLI (skills/code-signing-ref.md):
security find-identity, security cms -D for profile inspectioncodesign -d --entitlements for entitlement extractionSecurity audit → Launch security-privacy-scanner agent (scans for hardcoded credentials, insecure token storage, Privacy Manifest coverage gaps, ATS violations, missing ATT descriptions, missing export compliance, weak Keychain ACLs, and compound rejection risks; scores posture HARDENED/GAPS/VULNERABLE)
| Thought | Reality |
|---|---|
| "I'll store the token in UserDefaults for now" | UserDefaults is a plist file readable by any process with file access. Keychain takes 10 lines. skills/keychain.md shows the pattern. |
| "My app doesn't need encryption" | If you store any user data at rest, iOS file protection is free. skills/file-protection-ref.md covers protection levels. |
| "CommonCrypto works fine, no need to migrate" | CommonCrypto is C API with manual memory management and no compile-time safety. CryptoKit prevents buffer overflows and key misuse. |
| "I'll just use automatic signing" | Automatic signing works until CI, team scaling, or capability changes break it. Understand manual signing before you need it. skills/code-signing.md covers both. |
| "Passkeys are too new, passwords are fine" | Passkeys are phishing-resistant and supported since iOS 16. The migration path supports both simultaneously. skills/passkeys.md shows combined flows. |
| "I'll regenerate all certificates to fix this" | Regenerating revokes existing certs and breaks every teammate's build. Diagnose first. skills/code-signing-diag.md has the diagnostic flow. |
| "App Attest is overkill for my app" | If your app has any server-verified purchase, promotion, or competitive feature, tampered clients will exploit it. skills/app-attest.md covers gradual rollout. |
| "I'll use @unchecked Sendable on my crypto wrapper" | Hiding thread-safety issues from the compiler in security code is how data corruption happens. See axiom-concurrency for safe patterns. |
| "kSecAttrAccessibleAlways is fine" | Deprecated since iOS 12. Items are accessible even when device is locked and unencrypted during backup. Use kSecAttrAccessibleAfterFirstUnlock at minimum. |
| "Prompt injection won't hit our little AI feature" | Any external content reaching your model (a calendar invite, a feed post) is the attack surface, and the model picks the actions. skills/agentic-security.md has the threat model and the deterministic mitigations. |
User: "How do I store an auth token securely?"
→ Read: skills/keychain.md
User: "errSecDuplicateItem when saving to keychain"
→ Read: skills/keychain-diag.md
User: "What are the SecItem attribute constants?"
→ Read: skills/keychain-ref.md
User: "How do I encrypt user data with AES?"
→ Read: skills/cryptokit.md
User: "What's the CryptoKit API for ECDSA signing?"
→ Read: skills/cryptokit-ref.md
User: "How do I add passkey sign-in to my app?"
→ Read: skills/passkeys.md
User: "How do I verify my app hasn't been tampered with?"
→ Read: skills/app-attest.md
User: "How do I protect my app's AI agent from prompt injection?"
→ Read: skills/agentic-security.md
User: "Should my Siri intent work from the lock screen?"
→ Read: skills/agentic-security.md
User: "What NSFileProtection level should I use?"
→ Read: skills/file-protection-ref.md
User: "My build fails with 'No signing certificate found'"
→ Read: skills/code-signing-diag.md
User: "How do I set up fastlane match for CI?"
→ Read: skills/code-signing.md
User: "How do I inspect a provisioning profile?"
→ Read: skills/code-signing-ref.md
User: "Scan my code for security issues"
→ Invoke: security-privacy-scanner agent
npx claudepluginhub charleswiltgen/axiom --plugin axiomGuides iOS/macOS security work: Keychain Services, biometric authentication, CryptoKit, Secure Enclave, credential storage, certificate pinning, and OWASP mobile compliance.
Designs and implements secure mobile auth: OAuth2 PKCE, biometric unlock, social login, token management, session security. Use for login flows, adding biometrics, integrating social providers, or auditing auth security.
Provides expert guidance for secure mobile coding practices including input validation, WebView security, data storage protection, and authentication patterns for iOS and Android apps.