Security Skills Discovery

When This Skill Activates

• Authentication and authorization systems
• Input validation and sanitization
• Security headers (CSP, HSTS, CORS)
• Vulnerability scanning and penetration testing
• OWASP Top 10 vulnerabilities
• Secrets management (Vault, AWS Secrets Manager)
• SQL injection, XSS, or other attack prevention
• Security hardening and compliance
• Password hashing and credential management
• API security and access control

Available Skills

Quick Reference

1. authentication - Authentication patterns (JWT, OAuth2, sessions, MFA, password security)
2. authorization - Access control (RBAC, ABAC, policy engines, permissions)
3. input-validation - Input validation and sanitization (SQL injection, XSS, command injection)
4. security-headers - HTTP security headers (CSP, HSTS, X-Frame-Options, CORS)
5. vulnerability-assessment - Security testing (OWASP Top 10, scanning tools, pentesting)
6. secrets-management - Secrets handling (Vault, AWS Secrets Manager, key rotation)

Load Full Category Details

• Detailed skill descriptions
• Usage triggers for each skill
• Common workflow combinations
• Cross-references to related skills

Load Specific Skills

Identity and access

Input security

Security operations

Common Workflows

Secure Web Application

Security Audit

API Security

DevSecOps Pipeline

Secure New Application

1. Identity and access

2. Input protection

3. Operations

Skill Selection Guide

• Implementing user login systems
• Working with JWT, OAuth2, or sessions
• Adding multi-factor authentication
• Managing passwords and credentials

• Implementing access control
• Building role-based permissions (RBAC)
• Working with policy engines (OPA, Casbin)
• Preventing privilege escalation

• Processing user input
• Preventing SQL injection
• Protecting against XSS attacks
• Validating file uploads
• Preventing command injection

• Configuring Content Security Policy (CSP)
• Implementing HTTPS enforcement (HSTS)
• Setting up CORS for APIs
• Preventing clickjacking
• Hardening web applications

• Testing for OWASP Top 10
• Running security scans (SAST/DAST)
• Performing penetration tests
• Auditing application security
• Setting up security CI/CD

• Storing API keys or credentials
• Integrating with HashiCorp Vault
• Using AWS Secrets Manager or GCP Secret Manager
• Rotating encryption keys
• Managing CI/CD secrets

Integration with Other Skills

discover-api

• API authentication and authorization
• API input validation
• API rate limiting (abuse prevention)
• Securing REST and GraphQL endpoints

discover-database

• SQL injection prevention
• Database connection security
• Credential management
• Row-level security

discover-frontend

• XSS prevention in React/Vue
• Content Security Policy
• Secure cookie handling
• Client-side validation

discover-infrastructure

discover-cloud

• Secrets management in deployments
• Network security
• Container security scanning
• TLS/SSL configuration

discover-testing

• Security integration tests
• Penetration testing
• Automated security scans
• Vulnerability regression tests

Usage Instructions

1. Auto-activation: This skill loads automatically when Claude Code detects security-related work
2. Browse skills: Run

   Read <cc-polymath-root>/skills/security/INDEX.md

   for full category overview
3. Load specific skills: Use bash commands above to load individual skills
4. Follow workflows: Use recommended sequences for common security patterns
5. Combine skills: Load multiple skills for comprehensive security coverage

Progressive Loading

• Level 1: Gateway loads automatically (you're here now)
• Level 2: Load category INDEX.md (~3K tokens) for full overview
• Level 3: Load specific skills (~2-4K tokens each) as needed

Quick Start Examples

Read <cc-polymath-root>/skills/security/INDEX.md