skills/security/SKILL.md
Guides secure development using defense-in-depth and attacker's mindset. ALWAYS trigger on "security review", "vulnerability", "authentication", "authorization", "input validation", "XSS", "SQL injection", "CSRF", "secrets management", "OWASP", "threat model", "security scan", "path traversal", "mass assignment", "privilege escalation", "security headers", "bandit", "dependency audit", "hardening". Use when implementing auth, handling user input, storing secrets, reviewing code for vulnerabilities, or preparing for production deployment. Different from devops skill which covers infrastructure; this covers application-level security patterns.
Defense in Depth + Least Privilege. Layer multiple controls. Grant minimum permissions. Assume every layer can fail.
| # | Vulnerability | Key Defense |
|---|--------------|-------------|
| 1 | Broken Access Control | Auth check per resource, deny by default |
| 2 | Cryptographic Failures | Argon2/bcrypt, never MD5/SHA1 for passwords |
| 3 | Injection (SQL, XSS, Command) | Parameterized queries, escaping, allowlists |
| 4 | Insecure Design | Rate limiting, STRIDE threat modeling |
| 5 | Security Misconfiguration | Debug off in prod, generic error messages |
| 6 | Vulnerable Components | safety check / npm audit |
| 7 | Authentication Failures | Secure cookies, crypto-random session IDs |
| 8 | Data Integrity Failures | JSON with validation, never pickle |
| 9 | Logging Failures | Log security events, failed auth, admin actions |
| 10 | SSRF | URL allowlist, block internal IPs |
See references/owasp-top-10.md for detailed bad/good code examples per vulnerability.
Allowlist over Denylist:

```python
import re

# BAD: Denylist (easy to bypass: case variants and any name not on the list slip through)
if username in ['admin', 'root']:
    raise ValueError()

# GOOD: Allowlist (explicit: only the characters and length you accept)
# fullmatch rather than match: a trailing '$' alone would still accept "name\n"
if not re.fullmatch(r'[a-zA-Z0-9_]{3,20}', username):
    raise ValueError("Invalid format")
```
Layered Validation:

```python
import re

from pydantic import BaseModel, validator, constr  # pydantic v1 API


class UserInput(BaseModel):
    # Layer 1: type and shape constraints enforced by the field definition
    username: constr(min_length=3, max_length=20, regex=r'^[a-zA-Z0-9_]+$')
    email: str
    age: int

    # Layer 2: semantic checks in validators
    @validator('email')
    def validate_email(cls, v):
        # fullmatch rather than match: '$' alone would accept a trailing newline
        if not re.fullmatch(r'[\w\.-]+@[\w\.-]+\.\w+', v):
            raise ValueError('Invalid email')
        return v.lower()

    @validator('age')
    def validate_age(cls, v):
        if not (0 <= v <= 150):
            raise ValueError('Age 0-150')
        return v
```
Context-Aware:

```python
import json

from markupsafe import escape
from urllib.parse import quote

html = f"<div>{escape(username)}</div>"                       # HTML context
url = f"https://example.com/search?q={quote(term)}"           # URL context
js = f"var name = {json.dumps(username)};"                    # JS context
db.execute("SELECT * FROM users WHERE name = ?", [username])  # SQL: parameterize, never format
```
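Added example (not from the skill itself) that runs the same hostile value through each encoder and shows the inline-script caveat: `json.dumps` leaves `<` and `>` alone, so a value containing `</script>` still closes the script element unless those characters are escaped as `\uXXXX`. It uses the standard library `html.escape` in place of `markupsafe.escape`; the `HOSTILE` string and the `render` template are constructed for the demonstration.

```python
import html
import json
from urllib.parse import quote

# Constructed hostile sample: a value that tries to break out of each context.
HOSTILE = '</script><script>alert(1)</script>'


def for_html(value: str) -> str:
    """HTML body or attribute context (stdlib html.escape stands in for markupsafe.escape)."""
    return html.escape(value, quote=True)


def for_url(value: str) -> str:
    """URL query-string context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def for_js(value: str) -> str:
    """Inline <script> context. json.dumps quotes and backslash-escapes the value
    but leaves '<' and '>' untouched, so '</script>' inside the string still ends
    the script element for the HTML parser. Escaping the HTML-significant characters
    as JSON \\uXXXX escapes keeps the JS value identical while the HTML parser
    never sees a tag."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render(username: str) -> str:
    """One page that embeds the same value in three contexts, each encoded for its own parser."""
    return (f'<div>{for_html(username)}</div>\n'
            f'<a href="https://example.com/search?q={for_url(username)}">search</a>\n'
            f'<script>var name = {for_js(username)};</script>')


if __name__ == "__main__":
    print(render(HOSTILE))
```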
```python
# BAD: Hardcoded
API_KEY = "sk_live_abc123"

# GOOD: Environment with verification
import os

for secret in ['API_KEY', 'DATABASE_URL', 'SECRET_KEY']:
    if secret not in os.environ:
        raise RuntimeError(f"Missing: {secret}")
```
```ini
# .env (add to .gitignore, NEVER commit)
API_KEY=sk_live_abc123

# .env.example (commit this)
API_KEY=your_api_key_here
```
Production: Use AWS Secrets Manager, HashiCorp Vault, or platform-native secret stores.
```python
from pathlib import Path

from flask import abort

BASE_DIR = Path('/var/data').resolve()  # resolve the base too: a symlinked base never compares as relative otherwise

file_path = (BASE_DIR / filename).resolve()  # collapses '..'; an absolute filename replaces BASE_DIR entirely
if not file_path.is_relative_to(BASE_DIR):   # Python 3.9+
    abort(403)
```
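Added example (not the skill's own code) that turns the check above into a testable function and exercises the cases it must reject: `..` segments, an absolute filename (which `Path.__truediv__` lets replace the base outright) and an empty name that maps to the directory itself. `BASE_DIR` is a constructed value and the function name `safe_join` is an assumption.

```python
from pathlib import Path
from typing import Optional

# Constructed base directory for served files. Resolved up front so that a
# symlinked base (e.g. /var -> /private/var) compares equal to resolved candidates.
BASE_DIR = Path("/var/data").resolve()


def safe_join(base: Path, filename: str) -> Optional[Path]:
    """Absolute path of `filename` strictly inside `base`, or None if it escapes.
    Works for files that do not exist yet (resolve() is non-strict)."""
    base = base.resolve()
    # Path('/var/data') / '/etc/passwd' == Path('/etc/passwd'): an absolute
    # segment discards the base, so only the post-resolve comparison catches it.
    candidate = (base / filename).resolve()
    if candidate == base:                   # "" or "." name the directory itself
        return None
    if not candidate.is_relative_to(base):  # Python 3.9+
        return None
    return candidate


def classify(filename: str, base: Path = BASE_DIR) -> str:
    """'allow' or 'deny' for a client-supplied file name."""
    return "allow" if safe_join(base, filename) is not None else "deny"


if __name__ == "__main__":
    # Constructed sample inputs: what a client might put in a file parameter.
    for name in ["report.txt", "sub/./a.txt", "../etc/passwd",
                 "/etc/passwd", "sub/../../x", ""]:
        print(f"{name!r:>18} -> {classify(name)}")
```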
```python
from flask import request

# BAD: user.update(**request.json)   # Attack: {"is_admin": true}

# GOOD: copy only the fields a client is allowed to set
ALLOWED = ['name', 'email', 'bio']
for field in ALLOWED:
    if field in request.json:
        setattr(user, field, request.json[field])
```
```python
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)                           # token check on every state-changing request
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'  # second layer: browser withholds the cookie cross-site
```
```bash
bandit -r src/ -f json -o report.json   # Static analysis
safety check                            # Python dependency scan
npm audit                               # Node dependency scan
trivy image myapp:latest                # Container scan
```
See references/security-tooling.md for pre-commit hooks, security headers config, and CI/CD integration.
Auth:
Input/Output:
Secrets & Crypto:
- secrets module for random tokens
Monitoring:
Config: