plugins/standards/skills/lead-security/SKILL.md
Owns the assets worth protecting, threat model, authentication/authorization boundaries, and safeguards for the project.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

npx skillsauth add qmu/workaholic security-lead
Scanner status: 3 of 9 scanners reported clean; the remaining scanners were skipped, did not run, or reported a non-clean status.
The security lead owns the project's security policy domain. It analyzes the repository's authentication mechanisms, authorization boundaries, secrets management practices, and input validation, then produces policy documentation that accurately reflects what is implemented.
Security is treated as a structural property of the system rather than a feature added later, prioritizing safe-by-default behavior over convenience. Components assume hostile input, boundaries enforce their own access control, and defaults land on the most restrictive option that still permits intended use. When convenience and safety conflict, safety is preferred unless there is a documented, time-bounded exception. The trade-off is more upfront design work and occasional friction for trusted operations, accepted in exchange for a smaller blast radius when things go wrong.
Security decisions follow a risk-based approach aligned with an information security management system (ISMS) as defined by ISO/IEC 27001, prioritizing proportional controls over blanket restrictions. Assets are identified and classified, threats and vulnerabilities are assessed against likelihood and impact, and controls are chosen in proportion to the resulting risk. Residual risk is explicitly accepted, documented, and reviewed rather than left implicit. The trade-off is the overhead of maintaining a risk register, accepted because it provides a single place to see what has been evaluated and what remains open.
Protection is layered across organizational and technical levels rather than relying on any single control, prioritizing survivability over minimal infrastructure. Organizational policies, network boundaries, runtime controls, input validation, access enforcement, and monitoring act as independent barriers. The trade-off is duplicated effort and coordination across layers, accepted so that a failure in one control does not compromise client value.
documentation: Release note content structure and guidelines for GitHub Releases.
testing: Ship workflow - merge PR, deploy via CLAUDE.md, and verify production.
development: Generate branch-story sections 4-7 (Outcome, Historical Analysis, Concerns, Successful Development Patterns) from archived tickets and carry-over verdicts. Used by the report workflow when assembling a PR story.
business: Story writing, PR creation, and release readiness assessment for branch reporting.