How to install this skill?

Use the command npx skills add fabricioctelles/skills -s followed by the skill name. You can also clone the GitHub repository and manually copy the skill folder to your agent directory, whether Kiro, Cursor, or Claude Code. See the full list at skills.sh/fabricioctelles/skills.

Which agents support this skill?

This skill is compatible with Kiro, Cursor, Windsurf, Claude Code, and any other agent that supports the open Agent Skills format. The format is universal, lightweight, and based on Markdown files with structured metadata that agents load on demand.

Yes, this skill is completely open-source under the Apache 2.0 license and can be freely used in any commercial or personal project. The repository is community-maintained and accepts contributions via pull requests on GitHub.

🆕 New skill: Security Specialist v2.0! 6-phase pipeline, 9 attack classes and adversarial validation.View skill →

Security Specialist

Overview

Full-stack application security agent — performs SAST (static analysis), DAST (dynamic testing), threat modeling, vulnerability triage, remediation and penetration testing. Combines source code review with live testing for complete evidence correlation.

When to Use

Full security audit of a repository
PR/diff review for security regressions
Web application pentesting
Build threat models
Triage and prioritize vulnerabilities
Fix vulnerabilities with verified patches
Export findings to GitHub/Jira/Linear
Generate interactive HTML report

Key Features

6-Phase Pipeline (Full-Scan)

Phase	What it does
1. Recon	Parallel agents map architecture, trust boundaries and input surfaces
2. Hunt	Parallel agents per attack class (9 categories) with 12 hunting angles
3. Validate	Adversarial validation — separate agents try to DISPROVE each finding
4. Report	Self-contained HTML with dark theme, filters and collapsible evidence
5. Schema	findings.json validated against JSON schema (trace, conditions, execution, confidence)
6. Verify	Independent verification of every factual claim by fresh agents

9 Attack Classes

Injection, Access Control, Resource/File Handling, Cryptography, Business Logic, Feature Abuse, Chained Attacks, Wildcard, Obvious Things.

12 Workflows

full-scan, diff-review, pentest, hunting, threat-model, attack-paths, discovery, triage, remediation, tracking, validation, reporting.

Multi-Run Additive Coverage

Each run targets gaps from prior runs. A single run finds ~50% of total vulnerabilities.

Installation

npx skills add https://github.com/fabricioctelles/skills -s security-specialist

Changelog

v2.0 (Jun 2026)

6-phase pipeline with parallel agents (inspired by Cloudflare security-audit-skill)
9 attack classes and 12-angle hunting methodology
Adversarial validation (Phase 3) and independent verification (Phase 6)
JSON schema for structured findings with trace, conditions, execution, confidence
Zero-dependency schema validator (Node.js) for CI integration
Multi-run additive coverage
10 anti-patterns to avoid
Dynamic baseline calibration in severity policy

v1.0 (Jun 2026)

11 modular steering workflows
Python scripts (SQLite, ranker, pentest, finalizer)
Self-contained HTML report with dark theme
Pentest tool cascade
Three-layer correlation (source → dev → prod)

📄 Full documentation on GitHub