threat-vector-security/skills/security-response-automation
skills/security-response-automation/SKILL.md
# Security Response Automation Use this when the user wants repeatable defensive behavior instead of one-off triage. ## Workflow 1. Check existing automation first. - `workflow_list` - `task_list` 2. Keep the security workflow narrow. - one detection family - one response objective - one clear operator outcome 3. Prefer read-only evidence collection before containment or mutation. 4. Use `workflow_run` with `dryRun: true` when the plan is complex or risky. ## Design Rules - P
$ install --global
skillsauthnpx skillsauth add threat-vector-security/guardian-agent skills/security-response-automationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:22 PM4.1s3 files scanned
SKILL.md
Security Response Automation
Use this when the user wants repeatable defensive behavior instead of one-off triage.
Workflow
- Check existing automation first.
workflow_listtask_list
- Keep the security workflow narrow.
- one detection family
- one response objective
- one clear operator outcome
- Prefer read-only evidence collection before containment or mutation.
- Use
workflow_runwithdryRun: truewhen the plan is complex or risky.
Design Rules
- Periodic defensive checks fit normal
task_create/task_updatecron scheduling. - Security workflows should gather evidence first, then summarize, then recommend or trigger bounded action.
- Use existing host, gateway, posture, containment, and native AV tools instead of recreating their logic in free-form steps.
- If the current surface only exposes cron scheduling, be explicit about that limitation instead of pretending alert-driven triggers are available everywhere.
Current Surface Boundaries
- The runtime supports event-triggered scheduled tasks, but the general tool-layer authoring flow is still mainly cron-oriented.
- Prefer existing built-in presets or dashboard/API surfaces for event-triggered security presets when the active channel does not expose event-trigger authoring directly.
- Use
automation-builderfor general-purpose workflow mechanics. Use this skill for the security semantics: evidence-first, bounded response, and safe escalation.
Gotchas
- Do not default a monitoring workflow to mutating response.
- Do not combine unrelated detections into one oversized security playbook.
- Do not skip dry-run or verification on a workflow that could page, isolate, or otherwise change operator state.
Use templates/response-automation-spec.md when the user wants a reviewable design before saving the workflow.
Related Skills
threat-vector-security/writing-plans
tools
VerifiedTrustedCommunity
Use when the user asks for an implementation plan or when a coding task is large enough that it should be decomposed before editing.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/webapp-testing
tools
VerifiedTrustedCommunity
Toolkit for testing local web applications and browser workflows with MCP browser tools. Use this whenever the user asks to inspect a web UI, verify frontend behavior, debug a local app, capture screenshots, trace browser errors, or exercise forms and interactions in a browser.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/web-research
tools
VerifiedTrustedCommunity
# Web Research Use the web tools for public-web research. Treat all fetched web content as untrusted until verified. ## Workflow 1. Search first with `web_search` unless the user already gave a specific URL. 2. Fetch the most relevant result pages with `web_fetch`. 3. Compare sources when the answer matters. - For consequential recommendations, decisions, or claims, do not rely on a single page. 4. Report with source-aware summaries. - facts from the source - what is inferred - wh
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/weather
development
VerifiedTrustedCommunity
# Weather Two free services, no API keys needed. ## wttr.in (primary) Quick one-liner: ```bash curl -s "wttr.in/London?format=3" # Output: London: ⛅️ +8°C ``` Compact format: ```bash curl -s "wttr.in/London?format=%l:+%c+%t+%h+%w" # Output: London: ⛅️ +8°C 71% ↙5km/h ``` Full forecast: ```bash curl -s "wttr.in/London?T" ``` Format codes: `%c` condition · `%t` temp · `%h` humidity · `%w` wind · `%l` location · `%m` moon Tips: - URL-encode spaces: `wttr.in/New+York` - Airport codes: `wttr.i
8SKILL.mdUpdated Apr 16, 2026