Loading...
Loading...
Found 66 Skills
This skill provides expert-level guidance for implementing VS Code WebView features. Use when creating WebView panels, implementing secure CSP policies, handling Extension-WebView communication, managing WebView state persistence, optimizing WebView performance, or debugging WebView rendering issues. Covers security best practices, message protocols, and VS Code-specific WebView patterns.
MUST activate when the project contains a uiBundles/*/src/ directory and scaffolding a new UI bundle or app, or when editing ui-bundle.json, .uibundle-meta.xml, or CSP trusted site files. Use this skill when scaffolding with sf template generate ui-bundle, configuring ui-bundle.json (routing, headers, outputDir), or registering CSP Trusted Sites. Activate when the task involves files matching *.uibundle-meta.xml, ui-bundle.json, or cspTrustedSites/*.cspTrustedSite-meta.xml.
Configure security headers to defend against clickjacking, XSS, MIME confusion, and SSL stripping attacks. Use this skill when you need to set up Content-Security-Policy, X-Frame-Options, HSTS, configure middleware headers, or understand browser security features. Triggers include "security headers", "CSP", "content security policy", "X-Frame-Options", "HSTS", "clickjacking", "MIME confusion", "middleware headers".
MUST activate when the project contains a uiBundles/*/src/ directory and scaffolding a new UI bundle or app, or when editing ui-bundle.json, .uibundle-meta.xml, or CSP trusted site files. Use this skill when scaffolding with sf template generate ui-bundle, configuring ui-bundle.json (routing, headers, outputDir), or registering CSP Trusted Sites. Activate when the task involves files matching *.uibundle-meta.xml, ui-bundle.json, or cspTrustedSites/*.cspTrustedSite-meta.xml.
Guides cloud compliance—mapping SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, and data-residency requirements to cloud controls; collecting audit evidence from AWS, GCP, and Azure APIs; shared-responsibility narratives; CSPM/Config continuous monitoring; customer assurance questionnaires (CAIQ/SIG); and cloud-specific gap remediation before attestations. Use when scoping regulated workloads in cloud, preparing cloud control evidence for auditors, interpreting provider compliance artifacts (BAA, PCI AOC, FedRAMP packages), or proving residency and logging in multi-account estates—not for org-wide GRC programs and audit coordination without cloud evidence (compliance-specialist), non-cloud systems evidence automation (compliance-engineer), implementing security guardrails (cloud-security-engineer), legal DPAs or contract redlines (commercial-counsel), security strategy (cybersecurity), or CI pipeline gates only (devsecops).
This skill should be used when the user asks to "harden code", "security hardening", "improve security posture", "add security headers", "tighten security", "defensive coding suggestions", or "proactive security improvements". Also triggers when the user asks about CSP, CORS hardening, rate limiting, input validation improvements, security logging, or defense-in-depth measures.
Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations. Use when you need to audit website security headers, assess header compliance, or get security recommendations for web applications. Trigger with phrases like "analyze security headers", "check HTTP headers", "audit website security headers", or "evaluate CSP and HSTS configuration".
Builds .NET 10 file-based C# apps. Directives, CLI commands, csproj migration.
OWASP Top 10, CSP, CORS, XSS/CSRF prevention, auth patterns, dependency scanning
Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.
Dangling markup injection playbook. Use when HTML injection is possible but JavaScript execution is blocked (CSP, sanitizer strips event handlers, WAF blocks script tags) — exfiltrate CSRF tokens, session data, and page content by injecting unclosed HTML tags that capture subsequent page content.
Write CSP-compatible Alpine.js components for Hyvä themes in Magento 2. This skill should be used when the user wants to create Alpine components, add interactivity to Hyvä templates, write JavaScript for Hyvä themes, or needs help with Alpine.js patterns that work with Content Security Policy. Trigger phrases include "create alpine component", "add interactivity", "alpine for hyva", "x-data component", "csp compatibility", "csp compliant javascript".