What this pack does
The security pack gives your AI agent the ability to audit your code for real vulnerabilities - not generic checklists, but analysis informed by your actual architecture and stack from the brain. It reads your engineering context to understand what you're running, then checks for the things that matter.
Start with /audit for a full OWASP scan, or /secrets if you just want to check for exposed credentials. Use /threat-model before launching a new feature to think through attack vectors. When something goes wrong, /incident creates a structured response doc. And when it's time for a real pentest, /pentest-prep generates the scope and checklist.
Skills
/audit Full security audit against OWASP top 10. Checks dependencies for CVEs, scans for exposed secrets, reviews code for injection, auth issues, and misconfigurations. Saves findings to engineering/security/.
/secrets Scan for exposed credentials - API keys, passwords, tokens, private keys, connection strings. Checks .gitignore coverage and git history for previously committed secrets. Offers to fix each one.
/threat-model Generate a STRIDE threat model from your architecture context. Identifies assets, trust boundaries, and data flows. Produces a risk matrix with prioritized mitigations.
/incident Create a structured incident report. Walks through triage, builds a timeline, assesses impact, and generates action items with owners. Saves to engineering/security/incidents/.
/pentest-prep Prepare for a penetration test engagement. Generates scope documents, pre-engagement checklists, and flags known areas of concern from existing audits and threat models.