Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From agentic-security
Fixes a specific security scanner finding using a deterministic MCP toolchain (synthesize→verify→apply) instead of direct file edits.
npx claudepluginhub clear-capabilities/agentic-security --plugin agentic-securityHow this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-security:security-fix-findingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Activates when the user is pointing at a specific finding from a prior
Generates targeted security fixes from detect-dev SARIF findings with regression tests for backend or frontend scaffolds. Use when remediating vulnerabilities.
Applies fixes for security findings produced by /security-review. Use after detection to remediate vulnerabilities using language-idiomatic safe APIs.
Reviews security fixes and patches for completeness and correctness. Useful for verifying vulnerability remediations after audits or scans.
Share bugs, ideas, or general feedback.
Activates when the user is pointing at a specific finding from a prior
scan and wants to remediate it. The deterministic toolchain
(synthesize_fix → verify_fix → apply_fix) is the only correct path —
do NOT use Edit directly.
struct:src/api.js:42:SQL_Injection)
or a stableId (abc12345) and asks for action.Confirm the finding still exists. Read
.agentic-security/last-scan.json and look up the finding by id /
stableId / file+line. If it's gone, tell the user and stop — don't
patch a finding that's already been resolved.
Decide appropriateness. Read the file around finding.line ± 30
via the Read tool. Is the canonical fix actually right here? If
the surrounding code already validates upstream, or there's a custom
sanitizer, or the file is a test fixture — STOP and report
refused: <reason>. Don't proceed.
Route via MCP, not Edit. The deterministic path is:
MCP synthesize_fix → MCP verify_fix → MCP apply_fix
synthesize_fix({ finding_id }) returns the stored replacement
text. You do NOT modify it. You do NOT retype it.verify_fix({ stable_id, files: {…} }) re-scans the patched file
in memory and runs the project linter. Read the structured
introduced[] array on failure (template-incomplete vs codebase-
prior vs lint-failed — see agents/security-fixer.md for the
decision tree).apply_fix({ finding_id, confirm: true }) writes via
fix-history.js with HMAC verification + reserved-path refusal +
attempt-budget enforcement.Batch mode. If the user wants to fix more than one finding, hand
off to the security-fixer subagent with a list (≤ 10 findings per
invocation per _CONFINEMENT.md). The subagent writes a PLAN.md
to the scratchpad.
Run the project tests after apply. If the project has
npm test, pytest, cargo test, or similar — invoke it via
Bash. Surface pass/fail in the final report.
Edit to apply security patches. The deterministic
toolchain is the only path with HMAC + audit + budget + backup.verify_fix./fix --one <id> — patch a single finding (interactive)/fix --all --critical — batch by severity/fix --pr — bundle into a PR branch