threat-vector-security/coding-workspace
skills/coding-workspace/SKILL.md
Use when the request is about a repo, codebase, implementation, bugfix, or backend-owned coding session that should stay anchored to the active workspace.
$ install --global
skillsauthnpx skillsauth add threat-vector-security/guardian-agent coding-workspaceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:22 PM4.2s2 files scanned
SKILL.md
- name:
- coding-workspace
- description:
- Use when the request is about a repo, codebase, implementation, bugfix, or backend-owned coding session that should stay anchored to the active workspace.
Coding Workspace
Overview / When to Use
Use this workflow for backend-owned coding sessions inside a project workspace when Guardian should do the coding work directly with built-in tools.
Explicit delegation to terminal-backed coding assistants such as Codex, Claude Code, Gemini CLI, or Aider belongs to the separate coding-backend-orchestration workflow.
The coding session is the authoritative project context:
- use the backend session’s workspace root, workspace profile, indexed repo map, working-set files, focus summary, selected file, and recent work as your default context
- keep repo-local actions inside that workspace
- do not preload host-application context when reasoning inside the coding session
- use the coding session’s own long-term memory as the default memory scope; do not assume global memory is available unless explicitly bridged
- you may still use broader tools and capabilities, including non-coding tasks, but do not let that replace the session’s repo anchor unless the user explicitly changes sessions or retargets the work
Process
- If the user wants to continue existing coding work, inspect the current attachment with
code_session_currentor list sessions withcode_session_list. - If no suitable session exists, create one with
code_session_create, then treat that backend session as the shared source of truth across web, CLI, and Telegram. Shared session state does not mean those surfaces have the same UI or transport. - Understand the request and inspect the relevant files or symbols first. Treat the workspace profile, indexed repo map, and current working set as the default project context, but re-read files before making concrete claims or edits.
- Create or update a concise plan with explicit acceptance gates before broad or multi-file edits.
- Make the smallest safe change with
code_edit,code_patch, orcode_create. Prefer patches for multi-hunk changes and targeted edits for isolated replacements. - Verify with
code_git_diffand the strongest existing relevant checks before falling back to narrower ad hoc tests. - If the session is getting noisy, summarize progress so it can be compacted without losing the plan.
Common Rationalizations
| Rationalization | Reality | |---|---| | "I'll guess the active workspace from chat context." | Prefer attaching to the right backend coding session over guessing. If explicitly targeted session is missing, reattach rather than downgrading into generic chat. | | "I'll assume the codebase works the way it did earlier." | Re-read the file before retrying an edit that failed or making a concrete claim about its contents. | | "This file needs cleaning up while I'm here." | Keep changes within the attached coding session workspace root and focused only on the current task. | | "I can use global memory context for this local code decision." | Coding session long-term memory is local. Global memory must be explicitly bridged and read-only. |
Red Flags
- Treating a plain web or CLI turn as a coding-session turn unless the backend session is attached.
- Relying on workspace summaries alone when making code claims.
- Expanding beyond the active repo/session anchor during broader research or automation work.
- Making a coding claim without citing the files you checked.
Verification
- [ ] The attached backend coding session matches the user's intended target workspace.
- [ ] All code edits remain within the attached coding session workspace root.
- [ ] You have re-read the relevant files before claiming behavior or writing code.
- [ ] You have verified the change with
code_git_diffand the strongest existing checks (e.g.,npm test, build steps). - [ ] The real proof surface is fully green, not just the smallest local check.
Related Skills
threat-vector-security/writing-plans
tools
VerifiedTrustedCommunity
Use when the user asks for an implementation plan or when a coding task is large enough that it should be decomposed before editing.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/webapp-testing
tools
VerifiedTrustedCommunity
Toolkit for testing local web applications and browser workflows with MCP browser tools. Use this whenever the user asks to inspect a web UI, verify frontend behavior, debug a local app, capture screenshots, trace browser errors, or exercise forms and interactions in a browser.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/web-research
tools
VerifiedTrustedCommunity
# Web Research Use the web tools for public-web research. Treat all fetched web content as untrusted until verified. ## Workflow 1. Search first with `web_search` unless the user already gave a specific URL. 2. Fetch the most relevant result pages with `web_fetch`. 3. Compare sources when the answer matters. - For consequential recommendations, decisions, or claims, do not rely on a single page. 4. Report with source-aware summaries. - facts from the source - what is inferred - wh
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/weather
development
VerifiedTrustedCommunity
# Weather Two free services, no API keys needed. ## wttr.in (primary) Quick one-liner: ```bash curl -s "wttr.in/London?format=3" # Output: London: ⛅️ +8°C ``` Compact format: ```bash curl -s "wttr.in/London?format=%l:+%c+%t+%h+%w" # Output: London: ⛅️ +8°C 71% ↙5km/h ``` Full forecast: ```bash curl -s "wttr.in/London?T" ``` Format codes: `%c` condition · `%t` temp · `%h` humidity · `%w` wind · `%l` location · `%m` moon Tips: - URL-encode spaces: `wttr.in/New+York` - Airport codes: `wttr.i
8SKILL.mdUpdated Apr 16, 2026