From agentic-security
Walks a security finding Socratically, guiding developers through source-to-sink analysis and missing sanitizers. Activates on 'explain finding', 'why is X dangerous', or a finding-id reference.
npx claudepluginhub clear-capabilities/agentic-security --plugin agentic-security
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentic-security:security-tutor
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Activates when the user wants to **understand** a finding, not just
Activates when the user wants to understand a finding, not just
read its remediation field. The default /triage --explain and the security-
fixer agent both default to "here's the answer." This skill teaches.
ir-taint:app.js:14:py-cursor-execute)
and asks for context
Identify the three actors. Every taint finding has:
Walk source → sink as a story. Not "CWE-89 is SQL injection."
Instead: "An attacker hits this endpoint. Their ?name= query string
becomes the name variable on line 12. Trace it: line 13 concatenates
it into query. Line 14 passes query to cursor.execute. The
database now interprets the attacker's apostrophe as a SQL string
delimiter."
Ask before showing. "What payload would make this dump every row?" Let the user try first. If they're stuck, give them ONE hint: "The attacker needs to escape the SQL string and append a clause that always evaluates to true."
Show the fix structurally. When the user names the payload, reveal:
```python
cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
```
And explain: parameterized form sends the value via a SEPARATE channel; the database never parses it as SQL.
Verify understanding. "Why doesn't name.replace('\'', '')
work as a fix?" Common follow-up traps to test:
Apply the fix together. Once the user gets it, use
synthesize_fix → verify_fix → apply_fix from the deterministic
toolchain — same as security-fix-finding, but with the
understanding earned.
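The verification question above ("why doesn't stripping apostrophes work?"), worked through as an added example that is not part of the skill or the agentic-security project. It assumes a constructed `users` table and Python's built-in `sqlite3`, which uses `?` placeholders where the page's driver uses `%s`; the numeric `id` lookup goes beyond the page's `name` case, and all function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return db

def rows(db, query, params=()):
    return [r[0] for r in db.execute(query, params)]

def by_name_concat(db, name):
    # The finding's shape: tainted value concatenated into the SQL text.
    return rows(db, "SELECT name FROM users WHERE name = '" + name + "'")

def by_name_stripped(db, name):
    # Tempting "fix": delete apostrophes, keep concatenating.
    return by_name_concat(db, name.replace("'", ""))

def by_id_stripped(db, user_id):
    # Same "fix" in a numeric context: no quote is needed to change the query.
    query = "SELECT name FROM users WHERE id = " + user_id.replace("'", "")
    return rows(db, query)

def by_name_param(db, name):
    # Bound parameter: the value is never parsed as SQL.
    return rows(db, "SELECT name FROM users WHERE name = ?", (name,))

def by_id_param(db, user_id):
    return rows(db, "SELECT name FROM users WHERE id = ?", (user_id,))

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed input matching the page's hint
    print("concat, tautology     :", by_name_concat(db, tautology))
    print("stripped, tautology   :", by_name_stripped(db, tautology))
    print("stripped, O'Brien     :", by_name_stripped(db, "O'Brien"))
    print("stripped, numeric ctx :", by_id_stripped(db, "0 OR 1=1"))
    print("param, tautology      :", by_name_param(db, tautology))
    print("param, O'Brien        :", by_name_param(db, "O'Brien"))
    print("param, numeric ctx    :", by_id_param(db, "0 OR 1=1"))
```

Stripping apostrophes blocks the string-context input but loses the legitimate user `O'Brien` and does nothing in the numeric context; the parameterized queries handle all three inputs correctly.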
| CWE | Key question to ask first |
|---|---|
| CWE-89 (SQLi) | What's the difference between a SQL string literal and a SQL identifier? |
| CWE-79 (XSS) | What HTML metacharacters does the attacker need? Which contexts give them more / less power? |
| CWE-78 (cmd-inj) | What does /bin/sh -c parse that execve doesn't? |
| CWE-22 (path) | Why doesn't path.replace('../', '') work? |
| CWE-918 (SSRF) | What can an attacker reach FROM your server that they can't reach FROM their browser? |
| CWE-502 (deser) | Why is json.loads safe but pickle.loads not? |
| CWE-94 (SSTI) | What's the difference between rendering a template vs. compiling a template from input? |
| CWE-1321 (proto) | What's the prototype chain? What does __proto__ write to? |
- /triage --explain <cwe> — encyclopedic CWE reference (read-only)
- /fix <finding-id> — apply the fix with verification
- /scan — re-scan after apply to confirm clean

The security industry has a learned-helplessness problem with developers: tools say "you have a vulnerability, here's a patch," developers click "apply." Six months later the same dev creates the same bug class. This skill is the antidote — every finding is also a teaching moment. Stickiest use comes from junior devs, who become senior advocates.