Use for security audits, vulnerability analysis, threat modeling, compliance, and incident response. Triggers on OWASP, XSS, SQL injection, CSRF, security audit, penetration testing, pen test, CVE, vulnerability, threat model, security review, SOC2, GDPR, PCI-DSS, HIPAA, compliance audit, CSP headers, HSTS, CORS policy, RBAC, ABAC, key rotation, encryption, AES-256, TLS, mTLS, bcrypt, argon2, Semgrep, OWASP ZAP, Snyk, Trivy, SBOM, container hardening, supply chain security, Cosign, SLSA, incident response, security posture, HashiCorp Vault, key management.
From george-setup

npx claudepluginhub george11642/george-plugins --plugin george-setup

This skill uses the workspace's default tool permissions.

references/api-security.md
references/authentication-authorization.md
references/compliance-frameworks.md
references/container-supply-chain.md
references/cryptography-secrets.md
references/incident-response.md
references/owasp-top10.md
references/sast-dast-tools.md
references/secure-coding-patterns.md
references/security-headers-hardening.md
Deep security skill for architecture-level security decisions: auth design, cryptography, compliance, tooling, and incident response. Basic security checks (parameterized queries, no hardcoded secrets, input validation) belong in convention-check hooks -- this skill covers the WHY and HOW of security engineering.

| Task | Reference |
|---|---|
| OWASP Top 10, injection, broken auth, crypto failures | references/owasp-top10.md |
| JWT, OAuth2/OIDC, session mgmt, RBAC/ABAC, MFA | references/authentication-authorization.md |
| AES-GCM, RSA, TLS config, Vault, key lifecycle | references/cryptography-secrets.md |
| Input validation, SQLi, XSS, CSRF, SSRF, file upload | references/secure-coding-patterns.md |
| Semgrep, Bandit, ESLint security, ZAP, Snyk, Trivy | references/sast-dast-tools.md |
| CSP, HSTS, CORS, cookie flags, rate limiting | references/security-headers-hardening.md |
| API auth, rate limiting, GraphQL, gRPC, error leakage | references/api-security.md |
| SOC2, GDPR, PCI-DSS, HIPAA, ISO 27001 | references/compliance-frameworks.md |
| Credential leak, data breach, RCE, CVE, post-mortem | references/incident-response.md |
| Container hardening, Cosign, SLSA, SBOM, supply chain | references/container-supply-chain.md |

| Score | Severity | Patch SLA | Examples |
|---|---|---|---|
| 9.0-10.0 | Critical | 24h (4h if exploited) | RCE, SQLi with full DB access, auth bypass |
| 7.0-8.9 | High | 7 days | Stored XSS, privilege escalation, SSRF |
| 4.0-6.9 | Medium | 30 days | Reflected XSS, CSRF, info disclosure |
| 0.1-3.9 | Low | 90 days | Open redirect, verbose errors |