Security Skill
Comprehensive security domain for development environment validation, vulnerability scanning, and security compliance. Provides automated security workflows with intelligent routing based on user intent.
Auto-Activation Keywords
This skill activates automatically when you mention:
- •General: security, secure, vulnerability, vulnerabilities
- •Validation: validate security, security check, environment security
- •Scanning: scan, security scan, vulnerability scan, dependency scan
- •Encryption: encrypt, decrypt, GPG, PGP, secrets
- •Signing: sign commits, SSH key, GPG key, signed commits
- •Compliance: OWASP, audit, security audit, compliance
- •Tools: safety, bandit, semgrep, security tools
Routing Logic
Based on user intent, this skill routes to appropriate workflows:
Environment Validation
Keywords: "validate security", "check security environment", "security setup", "GPG key", "SSH key"
- •Simple validation → Use
/security/validate-envworkflow - •Comprehensive audit → Invoke
security-auditoragent
Vulnerability Scanning
Keywords: "scan dependencies", "security scan", "vulnerability check", "safety check", "bandit"
- •Dependency scanning → Use
/security/scanworkflow - •Full security audit → Invoke
security-auditoragent
File Encryption
Keywords: "encrypt", "decrypt", "GPG encrypt", "protect secrets", "encrypt .env"
- •File encryption/decryption → Use
/security/encryptworkflow - •Secrets management review → Invoke
security-auditoragent
Security Audit
Keywords: "security audit", "penetration test", "threat assessment", "vulnerability assessment"
- •Complex security audit → Invoke
security-auditoragent directly - •Compliance validation → Use workflows + agent for comprehensive review
Workflow Quick Reference
# Validate security environment /security/validate-env [--verbose] # Scan for vulnerabilities /security/scan [--type=dependencies|code|all] # Encrypt/decrypt files /security/encrypt [file-path] /security/decrypt [file-path]
Complex Task Delegation
For comprehensive security analysis, invoke the security-auditor agent via Task tool:
Use security-auditor agent when: - Conducting full security audits across multiple components - Threat modeling and risk assessment - Compliance validation against security standards - Penetration testing simulation - Security architecture review
Supporting Context
- •OWASP Top 10: See
context/owasp-top-10.mdfor common vulnerabilities - •Security commands: See
context/security-commands.mdfor comprehensive command reference - •Security standards: See
/standards/security.mdfor project requirements
Integration Points
Agents
- •security-auditor: Comprehensive security audits and vulnerability assessment
- •test-engineer: Security testing integration (via testing/workflows/security.md)
MCP Tools
- •mcp__zen-core__chat: Multi-model consensus for security decisions
Hooks
- •Pre-commit: Security validation on file changes
- •Post-tool-use: MCP usage tracking
Standards
- •Security standards:
/standards/security.md(GPG/SSH requirements, encrypted secrets) - •Git workflow:
/standards/git-workflow.md(signed commits requirement)
Security Requirements Summary
Required for all projects:
- •GPG key configured (for .env encryption)
- •SSH key configured and loaded (for signed commits)
- •Git signing enabled (commit.gpgsign = true)
- •No secrets in repository (use encrypted .env files)
- •Dependency scanning (safety check passes)
- •Static analysis (bandit passes)
Git signing configuration:
# SSH signing (recommended) git config --global gpg.format ssh git config --global user.signingkey ~/.ssh/id_ed25519.pub git config --global commit.gpgsign true # Or GPG signing git config --global user.signingkey <GPG_KEY_ID> git config --global commit.gpgsign true
Dependency scanning:
# Check Python dependencies poetry run safety check --full-report # Static security analysis poetry run bandit -r src
Secrets encryption:
# Encrypt .env file gpg --symmetric --cipher-algo AES256 .env # Decrypt .env file gpg --decrypt .env.gpg > .env
Examples
Example 1: Validate security environment
User: "Can you check if my security environment is properly configured?" → Security skill auto-activates → Routes to /security/validate-env workflow → Validates GPG keys, SSH keys, Git signing, environment setup
Example 2: Scan for vulnerabilities
User: "Scan my project for security vulnerabilities" → Security skill auto-activates → Routes to /security/scan workflow → Runs safety check and bandit analysis → Reports vulnerabilities with remediation steps
Example 3: Comprehensive security audit
User: "Perform a comprehensive security audit of the authentication system" → Security skill auto-activates → Invokes security-auditor agent → Agent performs: - Threat modeling - Vulnerability assessment - Code review for security issues - Compliance validation - Risk-prioritized recommendations
Example 4: Encrypt sensitive file
User: "Encrypt my .env file with GPG" → Security skill auto-activates → Routes to /security/encrypt workflow → Encrypts file with AES256 → Provides decryption instructions
This skill consolidates check-security-env skill and security commands into a unified security domain with intelligent routing.