qmu/leading-security
plugins/standards/skills/leading-security/SKILL.md
Owns the assets worth protecting, threat model, authentication/authorization boundaries, and safeguards for the project.
$ install --global
skillsauthnpx skillsauth add qmu/workaholic leading-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 17, 2026, 5:25 AM187.0s1 file scanned
SKILL.md
- name:
- leading-security
- description:
- Owns the assets worth protecting, threat model, authentication/authorization boundaries, and safeguards for the project.
- user-invocable:
- false
Leading Security
Role
This leading skill owns the project's security policy domain. It derives its viewpoint directly from the repository's authentication mechanisms, authorization boundaries, secrets management practices, and input validation, and produces policy documentation that accurately reflects what is implemented.
Goal
The goal of security leadership is the preservation of trust — the assets people entrust to the system stay protected against both deliberate attack and ordinary mistake. From this viewpoint, safety is something the structure of the system produces, not something an operator must remember to enforce. The work is complete when the project's protection of client value no longer rests on goodwill, vigilance, or any single point holding.
Responsibility
The responsibility of security leadership is to keep the project honest about what it is protecting and how. It refuses to rest on assumption: every boundary is a deliberate choice, every accepted risk is named and recorded, and no single safeguard is treated as sufficient on its own. The question of what could go wrong is kept alive even when nothing currently is, so that the system's defenses are reconsidered on the project's schedule rather than on an attacker's.
Policies
Secure by Design
Secure-by-design treats security as a structural property with restrictive defaults at every boundary. Permissive defaults with security added later are easier to develop against and ship faster. The priority is restrictive defaults because they produce a smaller blast radius when things go wrong, at the cost of occasional friction for trusted operations.
Risk Management Under ISMS
ISMS risk management bases security decisions on assessed likelihood and impact rather than intuition. Ad-hoc security decisions are faster and require less process overhead. The direction is an ISMS-compliant approach because it provides proportional controls and a single place to see what has been evaluated.
Defense in Depth
Defense in depth layers independent protections across organizational and technical levels. Single-layer security is simpler to maintain and coordinate. Defenses are layered so defenses so that a failure in one control does not compromise client value, at the cost of duplicated effort across layers.
Practices
Standards
Related Skills
qmu/write-release-note
documentation
VerifiedTrustedCommunity
Release note content structure and guidelines for GitHub Releases.
1SKILL.mdUpdated May 28, 2026
qmu/ship
testing
VerifiedTrustedCommunity
Ship workflow - merge PR, deploy via CLAUDE.md, and verify production.
1SKILL.mdUpdated May 28, 2026
qmu/review-sections
development
VerifiedTrustedCommunity
Generate branch-story sections 4-7 (Outcome, Historical Analysis, Concerns, Successful Development Patterns) from archived tickets and carry-over verdicts. Used by the report workflow when assembling a PR story.
1SKILL.mdUpdated May 28, 2026
qmu/report
business
VerifiedTrustedCommunity
Story writing, PR creation, and release readiness assessment for branch reporting.
1SKILL.mdUpdated May 28, 2026