Reads security findings from JSON, CSV, or threat models and produces minimal, surgical code patches with structured documentation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/pproenca-dot-skills-1:threat-patchThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Reads security findings and produces minimal, surgical code patches with structured documentation. Fixes are code-grounded — each patch targets specific files and functions identified in the finding. Output includes a summary, validation steps, and the code changes.
Reads security findings and produces minimal, surgical code patches with structured documentation. Fixes are code-grounded — each patch targets specific files and functions identified in the finding. Output includes a summary, validation steps, and the code changes.
findings.json (from threat-model) and wants fixes| Source | What It Provides | How to Use |
|---|---|---|
| findings.json (from threat-model) | Structured findings with data flow traces, systemic groupings, exploit chains, and severity ratings | Read directly — richest input, already triaged and grouped |
| Codex CSV | Title, description, severity, relevant_paths per finding | Run scripts/parse-findings.sh <csv-path> to extract structured output |
| THREAT-MODEL.md | Human-readable threat model | Extract findings from Criticality Calibration section |
| Inline description | User describes a specific vulnerability | Parse from conversation context |
When findings.json is available, it's the preferred input — it includes data flow traces (entry → chain → sink) that directly inform where to apply fixes, and systemic groupings that suggest centralized fixes over individual patches.
1. Ingest Findings → Read findings.json / CSV / descriptions
2. Triage & Group → Sort by severity, use systemic groupings if available
3. For each finding:
a. Read Code → Open relevant_paths, understand the pattern
b. Confirm → Verify issue is still present in HEAD
c. Design Fix → Determine minimal fix approach
d. Implement → Write the code changes
e. Document → Summary + Validation + Attack-path (if needed)
f. Test → Run relevant tests
4. Output → Per-patch deliverable with summary and diff
5. Update State → Mark patched findings in findings.json (if present)
scripts/parse-findings.sh <csv-path> to extract structured outputThis skill modifies source code. Safety measures:
git checkout -- <files> to undo. With commits, use git revertCode patch — when a fix is implemented:
Analysis only — when the fix needs user decision or architectural changes:
| File | When to Read |
|---|---|
| references/workflow.md | Before starting — detailed approach for each patching phase |
| references/fix-patterns.md | When designing fixes — patterns by vulnerability class |
| references/output-format.md | When documenting — templates for both output modes |
npx claudepluginhub joshuarweaver/cascade-code-general-misc-1 --plugin pproenca-dot-skills-1Generates targeted security fixes with regression tests from detect-dev SARIF findings. Use when remediating vulnerabilities after a security audit.
Applies a deterministic remediation patch for a specific security scanner finding via MCP toolchain (synthesize→verify→apply). Handles single-finding and batch fixes with HMAC-verified writes and project test verification.
Applies fixes for security findings produced by /security-review. Use after detecting vulnerabilities to remediate them using language-idiomatic safe APIs.