Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

wshobson/security-requirement-extraction

Name: security-requirement-extraction
Author: wshobson

plugins/security-scanning/skills/security-requirement-extraction/SKILL.md

npx skillsauth add wshobson/agents security-requirement-extraction

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Requirement Extraction

Transform threat analysis into actionable security requirements.

When to Use This Skill

Converting threat models to requirements
Writing security user stories
Creating security test cases
Building security acceptance criteria
Compliance requirement mapping
Security architecture documentation

Core Concepts

1. Requirement Categories

Business Requirements → Security Requirements → Technical Controls
         ↓                       ↓                      ↓
  "Protect customer    "Encrypt PII at rest"   "AES-256 encryption
   data"                                        with KMS key rotation"

2. Security Requirement Types

| Type | Focus | Example | | ------------------ | ----------------------- | ------------------------------------- | | Functional | What system must do | "System must authenticate users" | | Non-functional | How system must perform | "Authentication must complete in <2s" | | Constraint | Limitations imposed | "Must use approved crypto libraries" |

3. Requirement Attributes

| Attribute | Description | | ---------------- | --------------------------- | | Traceability | Links to threats/compliance | | Testability | Can be verified | | Priority | Business importance | | Risk Level | Impact if not met |

Templates and detailed worked examples

Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.

Best Practices

Do's

Trace to threats - Every requirement should map to threats
Be specific - Vague requirements can't be tested
Include acceptance criteria - Define "done"
Consider compliance - Map to frameworks early
Review regularly - Requirements evolve with threats

Don'ts

Don't be generic - "Be secure" is not a requirement
Don't skip rationale - Explain why it matters
Don't ignore priorities - Not all requirements are equal
Don't forget testability - If you can't test it, you can't verify it
Don't work in isolation - Involve stakeholders

wshobson/security-requirement-extraction

plugins/security-scanning/skills/security-requirement-extraction/SKILL.md

Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.

35,806 stars

development

Updated May 23, 2026

$ install --global

skillsauth

npx skillsauth add wshobson/agents security-requirement-extraction

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 23, 2026, 2:25 AM140.5s2 files scanned

SKILL.md

name:: security-requirement-extraction
description:: Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.

Security Requirement Extraction

Transform threat analysis into actionable security requirements.

When to Use This Skill

Converting threat models to requirements
Writing security user stories
Creating security test cases
Building security acceptance criteria
Compliance requirement mapping
Security architecture documentation

Core Concepts

1. Requirement Categories

Business Requirements → Security Requirements → Technical Controls
         ↓                       ↓                      ↓
  "Protect customer    "Encrypt PII at rest"   "AES-256 encryption
   data"                                        with KMS key rotation"

2. Security Requirement Types

3. Requirement Attributes

Templates and detailed worked examples

Full template library lives in references/details.md. Read that file when you need concrete templates for this skill.

Best Practices

Do's

Trace to threats - Every requirement should map to threats
Be specific - Vague requirements can't be tested
Include acceptance criteria - Define "done"
Consider compliance - Map to frameworks early
Review regularly - Requirements evolve with threats

Don'ts

Don't be generic - "Be secure" is not a requirement
Don't skip rationale - Explain why it matters
Don't ignore priorities - Not all requirements are equal
Don't forget testability - If you can't test it, you can't verify it
Don't work in isolation - Involve stakeholders

Related Skills

wshobson/prompt-engineering-patterns

development

VerifiedTrustedCommunity

This skill should be used when the user asks to "optimize a prompt", "improve prompt performance", "design a prompt template", "write better prompts", "debug prompt issues", "use chain-of-thought", "structured prompting", "few-shot prompting", or wants to apply advanced prompt engineering patterns for production LLM applications.

36,640SKILL.mdUpdated Apr 25, 2026

wshobson/prompt-engineering-patterns

wshobson/social-publishing

development

VerifiedTrustedCommunity

Schedule and publish social media posts across 13 platforms (X, LinkedIn, Instagram, Facebook Pages, TikTok, Discord, Telegram, YouTube, Reddit, WordPress, Pinterest) via the SocialClaw API. Use when the user wants to publish, schedule, or manage social media content programmatically. Requires SOCIALCLAW_API_KEY.

36,323SKILL.mdUpdated Jun 4, 2026

wshobson/social-publishing

wshobson/responsive-design

development

VerifiedTrustedCommunity

Implement modern responsive layouts using container queries, fluid typography, CSS Grid, and mobile-first breakpoint strategies. Use when building adaptive interfaces, implementing fluid layouts, or creating component-level responsive behavior.

35,887SKILL.mdUpdated Apr 25, 2026

wshobson/responsive-design

wshobson/react-native-design

development

VerifiedTrustedCommunity

Master React Native styling, navigation, and Reanimated animations for cross-platform mobile development. Use when building React Native apps, implementing navigation patterns, or creating performant animations.

35,887SKILL.mdUpdated Apr 25, 2026

wshobson/react-native-design

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/wshobson/agents.git

# Copy into Claude Code skills folder (global)
cp -r agents/plugins/security-scanning/skills/security-requirement-extraction ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

wshobson/agents

35,806 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT