From agentic-security
Applies a deterministic remediation patch for a specific security scanner finding via MCP toolchain (synthesize→verify→apply). Handles single-finding and batch fixes with HMAC-verified writes and project test verification.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-security:security-fix-findingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Activates when the user is pointing at a specific finding from a prior
Activates when the user is pointing at a specific finding from a prior
scan and wants to remediate it. The deterministic toolchain
(synthesize_fix → verify_fix → apply_fix) is the only correct path —
do NOT use Edit directly.
struct:src/api.js:42:SQL_Injection)
or a stableId (abc12345) and asks for action.Confirm the finding still exists. Read
.agentic-security/last-scan.json and look up the finding by id /
stableId / file+line. If it's gone, tell the user and stop — don't
patch a finding that's already been resolved.
Decide appropriateness. Read the file around finding.line ± 30
via the Read tool. Is the canonical fix actually right here? If
the surrounding code already validates upstream, or there's a custom
sanitizer, or the file is a test fixture — STOP and report
refused: <reason>. Don't proceed.
Route via MCP, not Edit. The deterministic path is:
MCP synthesize_fix → MCP verify_fix → MCP apply_fix
synthesize_fix({ finding_id }) returns the stored replacement
text. You do NOT modify it. You do NOT retype it.verify_fix({ stable_id, files: {…} }) re-scans the patched file
in memory and runs the project linter. Read the structured
introduced[] array on failure (template-incomplete vs codebase-
prior vs lint-failed — see agents/security-fixer.md for the
decision tree).apply_fix({ finding_id, confirm: true }) writes via
fix-history.js with HMAC verification + reserved-path refusal +
attempt-budget enforcement.Batch mode. If the user wants to fix more than one finding, hand
off to the security-fixer subagent with a list (≤ 10 findings per
invocation per _CONFINEMENT.md). The subagent writes a PLAN.md
to the scratchpad.
Run the project tests after apply. If the project has
npm test, pytest, cargo test, or similar — invoke it via
Bash. Surface pass/fail in the final report.
Edit to apply security patches. The deterministic
toolchain is the only path with HMAC + audit + budget + backup.verify_fix./fix --one <id> — patch a single finding (interactive)/fix --all --critical — batch by severity/fix --pr — bundle into a PR branchnpx claudepluginhub clear-capabilities/agentic-security --plugin agentic-security2plugins reuse this skill
First indexed Jun 3, 2026
Reads security findings from JSON, CSV, or threat models and produces minimal, surgical code patches with structured documentation.
Generates targeted security fixes with regression tests from detect-dev SARIF findings. Use when remediating vulnerabilities after a security audit.
Applies fixes for security findings produced by /security-review. Use after detecting vulnerabilities to remediate them using language-idiomatic safe APIs.