skills/security-reasoning/SKILL.md
MANDATORY threat analysis. You MUST invoke this skill before writing or approving ANY code involving authentication, authorization, cryptography, input handling, payment processing, PII, secrets management, API endpoints, or trust boundaries. Do NOT write security-sensitive code without running STRIDE analysis first. Do NOT say you will add security later. Auth is a design decision, not a feature to bolt on.
npx skillsauth add xD4O/praxis security-reasoning

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status.
EXTREMELY_IMPORTANT: This is a MANDATORY protocol, not a suggestion. Follow every step. Do not skip steps. Do not combine steps. Do not summarize. Work through each gate in order.
This task involves a trust boundary. You MUST complete threat analysis before writing or approving security-sensitive code.
List every point where data crosses a trust boundary:
For each boundary, name what's on each side and what data crosses.
For each trust boundary, answer ALL six questions. Do not skip any. Mark each as MITIGATED, NEEDS-MITIGATION, or NOT-APPLICABLE.
S — Spoofing: Can an attacker pretend to be someone else at this boundary? How is identity verified? What happens if verification is bypassed?
T — Tampering: Can data be modified in transit or at rest? Is integrity checked? What happens if data is silently corrupted?
R — Repudiation: Can a user deny they performed an action? Are significant actions audit-logged with tamper-proof timestamps?
I — Information Disclosure: Can sensitive data leak? Is data encrypted in transit (TLS) and at rest? Are error messages sanitized? Do logs accidentally include tokens, passwords, or PII?
D — Denial of Service: Can this boundary be overwhelmed? Is there rate limiting? Resource quotas? Timeout enforcement?
E — Elevation of Privilege: Can a user gain unauthorized access? Is authorization checked at every operation, not just at the entry point? Are permissions enforced server-side, not just client-side?
Produce a table:
| Boundary | Threat | Severity | Mitigation | Status |
|---|---|---|---|---|
| [boundary] | [S/T/R/I/D/E] | [Critical/High/Med/Low] | [what prevents it] | [done/needed] |
From the table, identify the 3 highest-severity unmitigated threats. For each, state the specific mitigation required before this code ships.
<HARD-GATE> Do NOT approve, merge, or present security-sensitive code as complete until:
- All trust boundaries are identified
- STRIDE is answered for each boundary (no blanks)
- Top 3 risks have specific mitigations

Red flags that this skill catches:
After STRIDE analysis is complete and mitigations are identified:
If Superpowers is installed → pass the threat model and required mitigations to whichever Superpowers skill is active (brainstorming, writing-plans, or code-review). The mitigations MUST appear in the plan and be verified during code review. Do NOT implement security mitigations inside this skill — hand the requirements to Superpowers for execution.
If Superpowers is NOT installed → proceed to implementation with the mitigations as requirements in your own plan.
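The hard gate can be checked mechanically once the threat table exists, before the mitigations are handed off. The following Python is an added example, not part of the praxis skill: `parse_table` and `hard_gate` are hypothetical names, the sample table is constructed, and it assumes the Status column carries the MITIGATED / NEEDS-MITIGATION / NOT-APPLICABLE marks from the STRIDE step.

```python
from collections import namedtuple

Row = namedtuple("Row", "boundary threat severity mitigation status")
SEVERITY = {"Critical": 0, "High": 1, "Med": 2, "Low": 3}
STATUSES = {"MITIGATED", "NEEDS-MITIGATION", "NOT-APPLICABLE"}

def parse_table(md):
    """Turn the skill's pipe table into Row tuples, skipping header and rule."""
    rows = []
    for line in md.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Boundary" or set("".join(cells)) <= set("-:"):
            continue
        rows.append(Row(*cells))
    return rows

def hard_gate(boundaries, rows):
    """Return (top3, problems); the gate passes only when problems is empty."""
    problems = [] if boundaries else ["no trust boundaries identified"]
    answered = {(r.boundary, r.threat) for r in rows if r.status in STATUSES}
    for b in boundaries:
        for t in "STRIDE":
            if (b, t) not in answered:
                problems.append(f"{b}: {t} is blank")
    # Unknown severity sorts as Critical so a typo cannot hide a risk.
    open_rows = sorted((r for r in rows if r.status == "NEEDS-MITIGATION"),
                       key=lambda r: SEVERITY.get(r.severity, 0))
    top3 = open_rows[:3]
    for r in top3:
        if r.mitigation.lower() in ("", "-", "tbd", "none"):
            problems.append(f"{r.boundary}: {r.threat} has no specific mitigation")
    return top3, problems

# Constructed sample table for one boundary (not from the skill's page).
SAMPLE = """
| Boundary | Threat | Severity | Mitigation | Status |
|---|---|---|---|---|
| browser->API | S | High | verify session token server-side | MITIGATED |
| browser->API | T | Med | TLS on all routes | MITIGATED |
| browser->API | R | Low | TBD | NEEDS-MITIGATION |
| browser->API | I | High | strip tokens from logs | NEEDS-MITIGATION |
| browser->API | D | Med | per-client rate limit | NEEDS-MITIGATION |
| browser->API | E | Critical | | NEEDS-MITIGATION |
"""

if __name__ == "__main__":
    top3, problems = hard_gate(["browser->API"], parse_table(SAMPLE))
    print([r.threat for r in top3], problems)
```

Passing the full list of identified boundaries, not just those that appear in the table, is what lets the check report a boundary whose STRIDE answers were never written down.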