Columbia-Cloudworks-LLC/plumb
.cursor/skills/plumb/SKILL.md
Use when auditing security posture, secrets handling, input validation, privacy obligations, or compliance readiness against standards such as OWASP, GDPR, CCPA, or SOC 2.
$ install --global
skillsauthnpx skillsauth add Columbia-Cloudworks-LLC/EquipQR plumbInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:46 PM12.0s1 file scanned
SKILL.md
- name:
- plumb
- description:
- Use when auditing security posture, secrets handling, input validation, privacy obligations, or compliance readiness against standards such as OWASP, GDPR, CCPA, or SOC 2.
Plumb
Symbolism
The plumb line tests whether the work stands upright before its obligations.
Purpose
Audit the codebase for uprightness in security and regulation. Look for exposed secrets, missing validation, weak authorization, privacy gaps, and compliance risks that could leave the application leaning out of true.
In this repository, pay special attention to tenant scoping, role-gated actions, and handling of personal or operational data.
Invocation
/plumb/plumb <optional-scope-path>
Operating Rules
- Review secrets, authn/authz, validation, storage, logging, and privacy handling together.
- Verify organization or tenant boundaries wherever data access is involved.
- Distinguish exploitable issues from policy or documentation gaps.
- Map findings to recognizable standards when useful: OWASP, GDPR, CCPA/CPRA, SOC 2.
- Rank issues by severity, exploitability, and blast radius.
Workflow
Copy this checklist and track it while running:
Plumb Progress
- [ ] 1) Confirm scope and data sensitivity
- [ ] 2) Inspect secrets, auth, validation, and data handling
- [ ] 3) Check tenant scope, permissions, and privacy obligations
- [ ] 4) Rank security and compliance findings
- [ ] 5) Produce remediation guidance with evidence
1) Confirm scope and data sensitivity
Identify the relevant entry points, data classes, user roles, and operational impact if the scope were compromised.
2) Inspect secrets, auth, validation, and data handling
Look for:
- exposed keys, credentials, or privileged tokens
- unsanitized or weakly validated inputs
- missing authorization checks
- insecure storage or logging of sensitive data
3) Check tenant scope, permissions, and privacy obligations
Verify that sensitive reads and writes stay within intended organizational bounds and that regulated workflows honor disclosure, retention, deletion, or intake expectations where relevant.
4) Rank security and compliance findings
Group findings as:
CriticalHighModeratePolicy / Documentation Gap
5) Produce remediation guidance with evidence
For each finding, explain the risk, the affected surface, and the smallest responsible fix.
Output Contract
- Security and Compliance Snapshot
- Ranked Findings
- Standards Mapping (when applicable)
- Remediation Plan
- Next Step
Guardrails
- Do not expose real secrets in the response; redact or describe them.
- Do not claim formal compliance certification from code inspection alone.
- Do not confuse authentication with authorization.
- Do not ignore tenant isolation when reviewing multi-tenant data paths.
Related Skills
Columbia-Cloudworks-LLC/react-best-practices
development
VerifiedTrustedCommunity
React performance optimization guidelines from Vercel Engineering, with EquipQR-specific mappings (Vite + React Router + TanStack Query). Use when writing, reviewing, or refactoring React code in this repo, especially around waterfalls, bundle size, and re-renders.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/postgres-best-practices
testing
VerifiedTrustedCommunity
Postgres performance optimization and best practices from Supabase, adapted to EquipQR's Supabase (Postgres + RLS) workflow. Use when editing SQL, migrations, indexes, or RLS policies.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/brand-guidelines
development
VerifiedTrustedCommunity
Applies EquipQR's brand colors and design-system tokens to any artifact that should match EquipQR's look-and-feel. Use it when brand colors, style guidelines, visual formatting, or EquipQR design standards apply.
1SKILL.mdUpdated Apr 16, 2026
Columbia-Cloudworks-LLC/trowel
development
VerifiedTrustedCommunity
Use when auditing dependency health, API contract consistency, shared data shapes, or brittle integration seams between modules, services, and packages.
1SKILL.mdUpdated Apr 16, 2026