threat-vector-security/security-triage
skills/security-triage/SKILL.md
Use when the user is reviewing a security alert, posture change, suspicious network behavior, firewall issue, or combined monitoring output.
$ install --global
skillsauthnpx skillsauth add threat-vector-security/guardian-agent security-triageInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:22 PM4.2s4 files scanned
SKILL.md
- name:
- security-triage
- description:
- Use when the user is reviewing a security alert, posture change, suspicious network behavior, firewall issue, or combined monitoring output.
Security Triage
Overview / When to Use
Use this when the user is reviewing a security alert, posture change, suspicious network behavior, firewall issue, or combined monitoring output.
Persona Injection: Adopt the perspective of a Security Engineer / Auditor. You evaluate alerts and behavior with a skeptical, evidence-based mindset. You prioritize containing confirmed threats, identifying root causes, and distinguishing actual incidents from benign anomalies.
Process
- Start with a short statement of what triggered triage.
- Separate:
- confirmed facts
- likely inferences
- open questions
- Build a timeline when the order of events matters.
- Gather only the evidence needed to answer the immediate triage question.
- Recommend next steps in priority order.
- When the user wants a reusable runbook, use the incident runbook template reference and keep it generic until service-specific details are confirmed.
Tooling Guidance
- Use the narrowest relevant tool set.
- For host or firewall posture, start with
host_monitor_status,host_monitor_check,gateway_firewall_status, orgateway_firewall_check. - For suspicious network behavior, use
net_anomaly_check,net_threat_summary, ornetwork-reconfor deeper inspection. - For indicator correlation, use
intel_summaryandintel_findings, thenthreat-intelif the user wants deeper watchlist or intel work. - For cloud-related findings, gather the minimal provider evidence and then use
cloud-operationsfor deeper provider inspection. - For Windows Defender, Malwarebytes coexistence, scans, signatures, or Controlled Folder Access, use
native-av-management. - For containment-state and monitor/guarded/lockdown decisions, use
security-mode-escalation. - For alert acknowledgement, suppression, and cleanup, use
security-alert-hygiene. - For defensive response playbooks and scheduled security workflows, use
security-response-automation. - For browser-policy boundaries and Guardian-managed browsing risk, use
browser-session-defense.
Reporting
- Prefer chronological and evidence-based summaries.
- Clearly label severity, affected asset or surface, evidence, and recommended next action.
- Avoid speculative conclusions when evidence is incomplete.
Runbooks
Read references/incident-runbook-template.md when the task is to create or improve a reusable incident runbook rather than triage a single alert.
Common Rationalizations
| Rationalization | Reality | |---|---| | "This looks like malware, I will declare an incident." | Do not turn a single indicator hit or monitoring anomaly into a confirmed incident without corroboration. Gather evidence. | | "I'll gather every possible signal before responding." | Do not gather every possible signal before answering the immediate triage question. Time matters. | | "I'll combine the facts and risks into one summary." | Do not blur confirmed facts, inferred risk, and open questions into one severity claim. Keep them distinct. |
Red Flags
- Speculative conclusions without supporting evidence.
- Treating a single anomaly as a confirmed incident.
- Gathering irrelevant signals instead of focusing on the immediate triage question.
- Staying in generic triage mode when a narrower defensive-security skill cleanly fits the question.
Verification
- [ ] Confirmed facts are clearly separated from likely inferences and open questions.
- [ ] A timeline of events has been established (if order matters).
- [ ] Next steps are recommended in priority order based on evidence.
- [ ] Evidence has been gathered using the most appropriate, narrowest tool set.
Template
- Use
templates/incident-triage-report.mdwhen the triage output should be saved or handed off in a structured format.
Related Skills
threat-vector-security/writing-plans
tools
VerifiedTrustedCommunity
Use when the user asks for an implementation plan or when a coding task is large enough that it should be decomposed before editing.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/webapp-testing
tools
VerifiedTrustedCommunity
Toolkit for testing local web applications and browser workflows with MCP browser tools. Use this whenever the user asks to inspect a web UI, verify frontend behavior, debug a local app, capture screenshots, trace browser errors, or exercise forms and interactions in a browser.
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/web-research
tools
VerifiedTrustedCommunity
# Web Research Use the web tools for public-web research. Treat all fetched web content as untrusted until verified. ## Workflow 1. Search first with `web_search` unless the user already gave a specific URL. 2. Fetch the most relevant result pages with `web_fetch`. 3. Compare sources when the answer matters. - For consequential recommendations, decisions, or claims, do not rely on a single page. 4. Report with source-aware summaries. - facts from the source - what is inferred - wh
8SKILL.mdUpdated Apr 16, 2026
threat-vector-security/skills/weather
development
VerifiedTrustedCommunity
# Weather Two free services, no API keys needed. ## wttr.in (primary) Quick one-liner: ```bash curl -s "wttr.in/London?format=3" # Output: London: ⛅️ +8°C ``` Compact format: ```bash curl -s "wttr.in/London?format=%l:+%c+%t+%h+%w" # Output: London: ⛅️ +8°C 71% ↙5km/h ``` Full forecast: ```bash curl -s "wttr.in/London?T" ``` Format codes: `%c` condition · `%t` temp · `%h` humidity · `%w` wind · `%l` location · `%m` moon Tips: - URL-encode spaces: `wttr.in/New+York` - Airport codes: `wttr.i
8SKILL.mdUpdated Apr 16, 2026