skill-name: [REQUIRED] Comprehensive description of what this skill does and when to use it. Include: (1) Primary functionality, (2) Specific use cases, (3) Security operations context. Must include specific "Use when:" clause for skill discovery. Example: "SAST vulnerability analysis and remediation guidance using Semgrep and industry security standards. Use when: (1) Analyzing static code for security vulnerabilities, (2) Prioritizing security findings by severity, (3) Providing secure coding remediation, (4) Integrating security checks into CI/CD pipelines." Maximum 1024 characters.
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
npx agent-skills-cli list
Skill Instructions
---
name: skill-name
description: >
  [REQUIRED] Comprehensive description of what this skill does and when to use it. Include: (1) Primary functionality, (2) Specific use cases, (3) Security operations context. Must include specific "Use when:" clause for skill discovery. Example: "SAST vulnerability analysis and remediation guidance using Semgrep and industry security standards. Use when: (1) Analyzing static code for security vulnerabilities, (2) Prioritizing security findings by severity, (3) Providing secure coding remediation, (4) Integrating security checks into CI/CD pipelines." Maximum 1024 characters.
version: 0.1.0
maintainer: your-github-username
category: [appsec|devsecops|secsdlc|threatmodel|compliance|incident-response]
tags: [relevant, security, tags]
frameworks: [OWASP|CWE|MITRE-ATT&CK|NIST|SOC2]
---
<!-- PROGRESSIVE DISCLOSURE GUIDELINES:
- Keep this SKILL.md file under 500 lines
- Only include core workflows and common patterns here
- Move detailed content to references/ directory
- Link clearly to when references should be consulted
- See: references/WORKFLOW_CHECKLIST.md for workflow pattern examples
- Challenge every sentence: "Does Claude really need this?"
-->
Skill Name
Overview
Brief overview of what this skill provides and its security operations context.
Quick Start
Provide the minimal example to get started immediately:
# Example command or workflow
tool-name --option value
Core Workflow
Sequential Workflow
For straightforward step-by-step operations:
- First action with specific command or operation
- Second action with expected output or validation
- Third action with decision points if needed
Workflow Checklist (for complex operations)
For complex multi-step operations, use a checkable workflow:
Progress:
[ ] 1. Initial setup and configuration
[ ] 2. Run primary security scan or analysis
[ ] 3. Review findings and classify by severity
[ ] 4. Apply remediation patterns
[ ] 5. Validate fixes with re-scan
[ ] 6. Document findings and generate report
Work through each step systematically. Check off completed items.
For more workflow patterns, see references/WORKFLOW_CHECKLIST.md
Feedback Loop Pattern (for validation)
When validation and iteration are needed:
- Generate initial output (configuration, code, etc.)
- Run validation:
./scripts/validator_example.py output.yaml
- Review validation errors and warnings
- Fix identified issues
- Repeat steps 2-4 until validation passes
- Apply the validated output
Note: Move detailed validation criteria to references/ if complex.
Security Considerations
- Sensitive Data Handling: Guidance on handling secrets, credentials, PII
- Access Control: Required permissions and authorization contexts
- Audit Logging: What should be logged for security auditing
- Compliance: Relevant compliance requirements (SOC2, GDPR, etc.)
Bundled Resources
Scripts (scripts/)
Executable scripts for deterministic operations. Use scripts for low-freedom operations requiring consistency.
example_script.py - Python script template with argparse, error handling, and JSON output
example_script.sh - Bash script template with argument parsing and colored output
validator_example.py - Validation script demonstrating feedback loop pattern
When to use scripts:
- Deterministic operations that must be consistent
- Complex parsing or data transformation
- Validation and quality checks
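The feedback loop pattern above and the validator_example.py entry both assume a validator that a skill author can run, fix against, and re-run. The following is an added example (not the template's bundled validator_example.py) that checks a draft SKILL.md against the rules this template states: the front matter must carry name, description and category, the description must stay under 1024 characters and contain a "Use when:" clause, the category must be one of the listed values, and the file should stay under 500 lines. It parses only the simple front-matter subset the template uses, so it needs no third-party YAML library; the SAMPLE draft is constructed for illustration.

```python
import re
ALLOWED_CATEGORIES = {"appsec", "devsecops", "secsdlc", "threatmodel",
                      "compliance", "incident-response"}
MAX_DESCRIPTION = 1024  # character limit stated in the template
MAX_SKILL_LINES = 500   # progressive-disclosure guideline

def parse_front_matter(text):
    """Parse 'key: value' pairs and 'key: >' folded blocks between the '---' markers (stdlib only)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}  # no front matter at all; every required key will be reported missing
    fields, i = {}, 1
    while i < len(lines) and lines[i].strip() != "---":
        m = re.match(r"^([A-Za-z_-]+):\s*(.*)$", lines[i])
        if m:
            key, value = m.groups()
            if value == ">":  # folded scalar: join the indented continuation lines
                parts = []
                while i + 1 < len(lines) and lines[i + 1].startswith(" "):
                    i += 1
                    parts.append(lines[i].strip())
                value = " ".join(parts)
            fields[key] = value
        i += 1
    return fields

def validate_skill(text):
    """Return findings; an empty list means the feedback loop can stop."""
    fields = parse_front_matter(text)
    findings = [f"ERROR: '{k}' is required" for k in ("name", "description", "category") if not fields.get(k)]
    desc = fields.get("description", "")
    if len(desc) > MAX_DESCRIPTION:
        findings.append(f"ERROR: description is {len(desc)} chars (max {MAX_DESCRIPTION})")
    if "Use when:" not in desc:
        findings.append("ERROR: description lacks the 'Use when:' clause needed for skill discovery")
    if fields.get("category") and fields["category"] not in ALLOWED_CATEGORIES:
        findings.append(f"ERROR: category '{fields['category']}' is not one of {sorted(ALLOWED_CATEGORIES)}")
    if len(text.splitlines()) > MAX_SKILL_LINES:
        findings.append(f"WARN: {len(text.splitlines())} lines; keep SKILL.md under {MAX_SKILL_LINES}")
    return findings

# Constructed sample draft that should fail two checks: no 'Use when:' clause and an unlisted category.
SAMPLE = """---
name: sast-semgrep
description: >
  SAST vulnerability analysis using Semgrep.
category: sast
---
Skill body goes here.
"""
```

Running validate_skill on a draft, fixing each reported line, and re-running until it returns an empty list is the loop described in the Feedback Loop Pattern section.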
References (references/)
On-demand documentation loaded when needed. Keep SKILL.md concise by moving detailed content here.
EXAMPLE.md - Template for reference documentation with security standards sections
WORKFLOW_CHECKLIST.md - Multiple workflow pattern examples (sequential, conditional, iterative, feedback loop)
When to use references:
- Detailed framework mappings (OWASP, CWE, MITRE ATT&CK)
- Advanced configuration options
- Language-specific patterns
- Content exceeding 100 lines
Assets (assets/)
Templates and configuration files used in output (not loaded into context). These are referenced but not read until needed.
ci-config-template.yml - Security-enhanced CI/CD pipeline with SAST, dependency scanning, secrets detection
rule-template.yaml - Security rule template with OWASP/CWE mappings and remediation guidance
When to use assets:
- Configuration templates
- Policy templates
- Boilerplate secure code
- CI/CD pipeline examples
Common Patterns
Pattern 1: [Pattern Name]
Description and example of common usage pattern.
Pattern 2: [Pattern Name]
Additional patterns as needed.
Integration Points
- CI/CD: How this integrates with build pipelines
- Security Tools: Compatible security scanning/monitoring tools
- SDLC: Where this fits in the secure development lifecycle
Troubleshooting
Issue: [Common Problem]
Solution: Steps to resolve.
References
More by AgentSecOps
dast-ffuf: Fast web fuzzer for DAST testing with directory enumeration, parameter fuzzing, and virtual host discovery. Written in Go for high-performance HTTP fuzzing with extensive filtering capabilities. Supports multiple fuzzing modes (clusterbomb, pitchfork, sniper) and recursive scanning. Use when: (1) Discovering hidden directories, files, and endpoints on web applications, (2) Fuzzing GET and POST parameters to identify injection vulnerabilities, (3) Enumerating virtual hosts and subdomains, (4) Testing authentication endpoints with credential fuzzing, (5) Finding backup files and sensitive data exposures, (6) Performing comprehensive web application reconnaissance.
dast-nuclei: Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.
dast-zap: Dynamic application security testing (DAST) using OWASP ZAP (Zed Attack Proxy) with passive and active scanning, API testing, and OWASP Top 10 vulnerability detection. Use when: (1) Performing runtime security testing of web applications and APIs, (2) Detecting vulnerabilities like XSS, SQL injection, and authentication flaws in deployed applications, (3) Automating security scans in CI/CD pipelines with Docker containers, (4) Conducting authenticated testing with session management, (5) Generating security reports with OWASP and CWE mappings for compliance.
api-spectral: API specification linting and security validation using Stoplight's Spectral with support for OpenAPI, AsyncAPI, and Arazzo specifications. Validates API definitions against security best practices, OWASP API Security Top 10, and custom organizational standards. Use when: (1) Validating OpenAPI/AsyncAPI specifications for security issues and design flaws, (2) Enforcing API design standards and governance policies across API portfolios, (3) Creating custom security rules for API specifications in CI/CD pipelines, (4) Detecting authentication, authorization, and data exposure issues in API definitions, (5) Ensuring API specifications comply with organizational security standards and regulatory requirements.
