Security skills for AI coding agents.
A collection of security skills for AI coding agents: Claude Code, Cursor, Copilot, Windsurf, Cline, Codex, and other major platforms. These skills guide agents to follow secure coding practices, prevent common vulnerabilities (OWASP Top 10), and avoid security anti-patterns.
The fastest way to add security skills to your project:
```bash
npx skillvault init
```

This will detect your platform (Claude Code, Cursor, Windsurf, Copilot, Cline, and 9 more), let you pick which skills to install, and copy the files into your project.
```bash
npx skillvault init       # Install skills (interactive)
npx skillvault list       # Show installed and available skills
npx skillvault update     # Re-copy installed skills (pick up new versions)
npx skillvault remove     # Uninstall selected skills
npx skillvault doctor     # Show diagnostic overview
npx skillvault --version  # Print version number
```

```bash
npx skillvault init --all                  # Install everything, no prompts
npx skillvault init --claude               # Target Claude Code only
npx skillvault init --cursor               # Target Cursor only
npx skillvault init --windsurf             # Target Windsurf only
npx skillvault init --copilot              # Target GitHub Copilot only
npx skillvault init --cline                # Target Cline only
npx skillvault init --codex                # Target Codex CLI only
npx skillvault init --no-guardrails        # Skip guardrail files
npx skillvault init --category developer   # Filter by category (repeatable)
npx skillvault init --dry-run              # Preview without writing files
npx skillvault init --json                 # Machine-readable JSON output
npx skillvault init --save                 # Save selections to .skillvaultrc
npx skillvault remove --all                # Remove all installed skills
npx skillvault update --category security  # Update only security skills
npx skillvault doctor                      # Diagnostic overview
npx skillvault doctor --json               # Machine-readable diagnostics
```

Save your selections with --save so skillvault init is reproducible across team members:
```json
{
  "skills": ["review", "scan-secrets"],
  "platform": "claude",
  "includeGuardrails": true
}
```

Clone the repo and copy the files you need:
```bash
git clone https://github.com/Vligai/skillvault.git
cp -r skillvault/.claude/commands/ your-project/.claude/commands/
cp skillvault/Claude.md your-project/CLAUDE.md
```

All platforms share a single guardrail source (guardrails.md). The CLI injects the platform name and copies it to the right location. Claude uses its own format (Claude.md) for CLAUDE.md append behavior.
Run npx skillvault init to install guardrails automatically, or copy manually:
| Platform | Target location |
|---|---|
| Claude | Appended to CLAUDE.md |
| Cursor | .cursor/rules/security-guardrails.md |
| Windsurf | .windsurf/rules/security-guardrails.md |
| GitHub Copilot | Appended to .github/copilot-instructions.md |
| Cline | .cline/rules/security-guardrails.md |
| Roo Code | .roo/rules/security-guardrails.md |
| Continue | .continue/rules/security-guardrails.md |
| Codex CLI | Appended to AGENTS.md |
| Amazon Q | .q/rules/security-guardrails.md |
| Sourcegraph Cody | .cody/rules/security-guardrails.md |
| JetBrains AI | .junie/guidelines/security-guardrails.md |
| Tabnine | .tabnine/rules/security-guardrails.md |
| Aider | .aider/rules/security-guardrails.md |
| Augment Code | Appended to augment-guidelines.md |
Specialized security skill prompts organized by persona. Each skill is a standalone system prompt with structured I/O, detailed instructions, and worked examples.
| Skill | Description | File |
|---|---|---|
| Code Security Reviewer | Scan code for OWASP Top 10 vulnerabilities, secrets, and insecure patterns | code-security-reviewer.md |
| Secret Scanner | Detect hardcoded secrets, API keys, and credentials in code and config | secret-scanner.md |
| Dependency Auditor | Audit dependency manifests for known vulnerabilities and suggest upgrades | dependency-auditor.md |
| Input Validation Generator | Generate validation schemas and sanitization logic for endpoints and forms | input-validation-generator.md |
| CI/CD Security Hardener | Review pipeline configs for secret leaks, injection risks, and excessive permissions | cicd-security-hardener.md |
| Auth Flow Scaffolder | Scaffold secure OAuth2, OIDC, JWT, and session-based authentication flows | auth-flow-scaffolder.md |
| Dockerfile Security Linter | Analyze Dockerfiles for root execution, unverified images, and secret leakage | dockerfile-security-linter.md |
| SBOM Generator | Produce Software Bill of Materials in SPDX or CycloneDX format for compliance | sbom-generator.md |
| Secure API Design Reviewer | Review OpenAPI specs for auth gaps, data exposure, and missing rate limiting | secure-api-design-reviewer.md |
| Skill | Description | File |
|---|---|---|
| Threat Model Generator | Produce structured threat models (STRIDE) from architecture descriptions | threat-model-generator.md |
| Incident Response Playbook Builder | Generate IR runbooks for specific incident scenarios | incident-response-playbook-builder.md |
| Hardening Checklist Generator | Produce CIS-benchmark-style hardening checklists for OS/service/cloud configs | hardening-checklist-generator.md |
| Detection Rule Generator | Write SIEM detection rules in Sigma, Splunk SPL, and KQL from threat descriptions | detection-rule-generator.md |
| CVE Analyzer | Summarize CVEs, assess stack-specific impact, and provide prioritized remediation | cve-analyzer.md |
| Skill | Description | File |
|---|---|---|
| IAM Policy Analyzer | Review AWS/GCP/Azure IAM policies for over-permissive access | iam-policy-analyzer.md |
| IaC Scanner | Review Terraform and CloudFormation for public exposure, missing encryption, and IAM risks | iac-scanner.md |
| Skill | Description | File |
|---|---|---|
| PR Security Review Checklist | Generate security-focused PR review checklists tailored to the diff and change type | pr-security-checklist.md |
| Skill | Description | File |
|---|---|---|
| Phishing Email Analyzer | Analyze suspicious emails for phishing indicators and recommend actions | phishing-email-analyzer.md |
Tests use the Node.js built-in test runner (node:test + node:assert) — zero dependencies required.
```bash
npm test
```

Tests run automatically on every push and PR via GitHub Actions across Node 18, 20, and 22.
```
skillvault/
├── guardrails.md                 # Single guardrail template (all platforms)
├── Claude.md                     # Claude-specific guardrails (CLAUDE.md append)
├── bin/cli.js                    # CLI entry point
├── lib/installer.js              # Core install logic (testable)
├── test/cli.test.js              # Unit tests
├── .github/workflows/ci.yml      # CI pipeline
├── ideation.md                   # Roadmap and planned skills by persona
├── README.md
└── skills/
    └── claude/
        ├── developer/            # Developer-focused skills (9 skills)
        ├── security/             # Security professional skills (5 skills)
        ├── cloud/                # Cloud/infrastructure skills (2 skills)
        ├── team/                 # Team lead / engineering manager skills (1 skill)
        └── user/                 # Non-technical user skills (1 skill)
```
See ideation.md for the full skill ideation map with 40+ planned skills across 5 personas.
SkillVault supports 14 platforms with auto-detection:
| Platform | Config location | Status |
|---|---|---|
| Claude Code | .claude/commands/ + CLAUDE.md | Shipped |
| Cursor | .cursor/rules/ | Shipped |
| Windsurf | .windsurf/rules/ | Shipped |
| GitHub Copilot | .github/copilot/skills/ + .github/copilot-instructions.md | Shipped |
| Cline | .cline/rules/ | Shipped |
| Roo Code | .roo/rules/ | Shipped |
| Continue | .continue/rules/ | Shipped |
| Codex CLI | codex-skills/ + AGENTS.md | Shipped |
| Amazon Q Developer | .q/rules/ | Shipped |
| Sourcegraph Cody | .cody/rules/ | Shipped |
| JetBrains AI | .junie/guidelines/ | Shipped |
| Tabnine | .tabnine/rules/ | Shipped |
| Aider | .aider/rules/ | Shipped |
| Augment Code | augment-skills/ + augment-guidelines.md | Shipped |
Auto-detection is built in — skillvault init detects any of these and offers the right installer.
| Feature | Description | Status |
|---|---|---|
| skillvault list | Show installed and available skills | Shipped |
| skillvault update | Re-copy skills to pick up new versions | Shipped |
| skillvault remove | Uninstall selected skills cleanly | Shipped |
| --category <name> | Filter by category (repeatable) | Shipped |
| .skillvaultrc config | Project-level config for reproducible installs | Shipped |
| --dry-run | Preview without writing files | Shipped |
| --json | Machine-readable output for CI/scripting | Shipped |
| --version / -v | Print version number | Shipped |
| skillvault doctor | Diagnostic overview (platforms, config, skills) | Shipped |
| Unknown flag warnings | Warn on stderr for unrecognized flags | Shipped |
| Feature | Description |
|---|---|
| Skill authoring template | skillvault create-skill scaffolds a new skill with the standard sections (Input, Output, Instructions, Examples, Edge Cases) |
| Custom skill directories | Point to a local folder or git repo of custom skills via .skillvaultrc |
| Composable skill packs | Publish themed skill bundles as npm packages (@skillvault/devsecops, @skillvault/cloud) that plug into the CLI |
| Severity profiles | --profile strict vs --profile standard — strict adds extra guardrails, blocks more patterns |
| Team sharing | skillvault export / skillvault import to share curated skill sets as portable JSON configs |
Next Skills (from ideation.md)
| Skill | Persona | Priority | Status |
|---|---|---|---|
| Auth Flow Scaffolder | Developer | High | Shipped |
| Dockerfile Security Linter | Developer | High | Shipped |
| Detection Rule Generator (Sigma/SPL/KQL) | Security | High | Shipped |
| IaC Scanner (Terraform/CloudFormation) | Cloud | High | Shipped |
| SBOM Generator | Developer | Medium | Shipped |
| CVE Analyzer | Security | Medium | Shipped |
| Secure API Design Reviewer | Developer | Medium | Shipped |
| PR Security Review Checklist | Team Lead | Medium | Shipped |
| Attack Surface Mapper | Security | High | Planned |
| Network Security Reviewer | Cloud | High | Planned |
| Cloud Misconfiguration Scanner | Cloud | High | Planned |
| Parameterized Query Converter | Developer | Medium | Planned |
| Log Analysis Assistant | Security | Medium | Planned |
| Policy & Compliance Drafter | Security | Medium | Planned |
Contributions welcome. Keep skills concise, actionable, and platform-appropriate. Each skill should follow the standard template with Input, Output, Instructions, Examples, and Edge Cases sections.