agent-skill-manager 2.9.0 → 2.11.0

Files changed (40) hide show
  1. package/README.md +6 -5
  2. package/data/skill-index/Affitor_affiliate-skills.json +32 -8759
  3. package/data/skill-index/Eronred_aso-skills.json +129 -129
  4. package/data/skill-index/GPTomics_bioSkills.json +15445 -10094
  5. package/data/skill-index/Galaxy-Dawn_claude-scholar.json +144 -144
  6. package/data/skill-index/Imbad0202_academic-research-skills.json +52 -52
  7. package/data/skill-index/K-Dense-AI_claude-scientific-skills.json +4568 -3985
  8. package/data/skill-index/Leonxlnx_taste-skill.json +234 -61
  9. package/data/skill-index/Master-cai_Research-Paper-Writing-Skills.json +4 -4
  10. package/data/skill-index/MiniMax-AI_skills.json +78 -78
  11. package/data/skill-index/Paramchoudhary_ResumeSkills.json +306 -306
  12. package/data/skill-index/affaan-m_everything-claude-code.json +7535 -3337
  13. package/data/skill-index/alirezarezvani_claude-skills.json +6010 -2859
  14. package/data/skill-index/anthropics_skills.json +81 -81
  15. package/data/skill-index/antonbabenko_terraform-skill.json +9 -9
  16. package/data/skill-index/badlogic_pi-skills.json +1287 -0
  17. package/data/skill-index/briiirussell_cybersecurity-skills.json +4752 -0
  18. package/data/skill-index/bytedance_deer-flow.json +246 -91
  19. package/data/skill-index/coreyhaines31_marketingskills.json +683 -152
  20. package/data/skill-index/entireio_skills.json +986 -68
  21. package/data/skill-index/github_awesome-copilot.json +4130 -2466
  22. package/data/skill-index/google_skills.json +2608 -384
  23. package/data/skill-index/heygen-com_hyperframes.json +64 -64
  24. package/data/skill-index/himself65_finance-skills.json +249 -82
  25. package/data/skill-index/kemiljk_fluid-design.json +4 -4
  26. package/data/skill-index/kepano_obsidian-skills.json +20 -20
  27. package/data/skill-index/luongnv89_skills.json +289 -307
  28. package/data/skill-index/mattpocock_skills.json +237 -94
  29. package/data/skill-index/nextlevelbuilder_ui-ux-pro-max-skill.json +29 -29
  30. package/data/skill-index/obra_superpowers.json +49 -49
  31. package/data/skill-index/romainsimon_paperasse.json +26 -26
  32. package/data/skill-index/sickn33_antigravity-awesome-skills.json +40353 -31808
  33. package/data/skill-index/slavingia_skills.json +38 -38
  34. package/data/skill-index/warpdotdev_oz-skills.json +52 -52
  35. package/data/skill-index/zarazhangrui_follow-builders.json +147 -0
  36. package/data/skill-index-resources.json +28 -1
  37. package/dist/agent-skill-manager.js +178 -178
  38. package/dist/{chunk-7DMA7RUC.js → chunk-E2P2XYIZ.js} +1 -1
  39. package/dist/{src-H2QOCGTV.js → src-TIH4UJL5.js} +1 -1
  40. package/package.json +1 -1
@@ -0,0 +1,4752 @@
1
+ {
2
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git",
3
+ "owner": "briiirussell",
4
+ "repo": "cybersecurity-skills",
5
+ "updatedAt": "2026-06-08T23:20:57.686Z",
6
+ "skillCount": 29,
7
+ "skills": [
8
+ {
9
+ "name": "ai-risk-management",
10
+ "description": "Apply the NIST AI Risk Management Framework (AI RMF 1.0) and adjacent guidance to AI / ML systems — model lifecycle governance, fairness and bias evaluation, robustness, transparency, accountability, third-party model risk, monitoring for drift, and AI incident response. Broader than prompt-injection (which is the security slice). Use when the user mentions 'AI risk,' 'AI governance,' 'NIST AI RMF,' 'AI compliance,' 'ML governance,' 'model risk management,' 'AI fairness,' 'AI bias,' 'algorithmic accountability,' 'AI Bill of Rights,' 'EU AI Act,' 'AI transparency,' 'model card,' 'AI red team,' 'AI safety,' 'responsible AI,' 'model drift,' 'concept drift,' 'AI monitoring,' 'AI incident,' or needs to assess or govern an AI / ML system.",
11
+ "version": "0.0.0",
12
+ "license": "",
13
+ "creator": "",
14
+ "compatibility": "",
15
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write", "WebSearch"],
16
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/ai-risk-management",
17
+ "relPath": "skills/ai-risk-management",
18
+ "verified": true,
19
+ "tokenCount": 4141,
20
+ "evalSummary": {
21
+ "overallScore": 66,
22
+ "grade": "C",
23
+ "categories": [
24
+ {
25
+ "id": "structure",
26
+ "name": "Structure & completeness",
27
+ "score": 7,
28
+ "max": 10
29
+ },
30
+ {
31
+ "id": "description",
32
+ "name": "Description quality",
33
+ "score": 3,
34
+ "max": 10
35
+ },
36
+ {
37
+ "id": "prompt-engineering",
38
+ "name": "Prompt engineering",
39
+ "score": 7,
40
+ "max": 10
41
+ },
42
+ {
43
+ "id": "context-efficiency",
44
+ "name": "Context efficiency",
45
+ "score": 7,
46
+ "max": 10
47
+ },
48
+ {
49
+ "id": "safety",
50
+ "name": "Safety & guardrails",
51
+ "score": 7,
52
+ "max": 10
53
+ },
54
+ {
55
+ "id": "testability",
56
+ "name": "Testability",
57
+ "score": 5,
58
+ "max": 10
59
+ },
60
+ {
61
+ "id": "naming",
62
+ "name": "Naming & conventions",
63
+ "score": 10,
64
+ "max": 10
65
+ }
66
+ ],
67
+ "evaluatedAt": "2026-06-08T23:20:57.626Z",
68
+ "evaluatedVersion": "0.0.0"
69
+ },
70
+ "evalSummaries": {
71
+ "quality": {
72
+ "providerId": "quality",
73
+ "providerVersion": "1.0.0",
74
+ "schemaVersion": 1,
75
+ "passed": true,
76
+ "overallScore": 66,
77
+ "grade": "C",
78
+ "categories": [
79
+ {
80
+ "id": "structure",
81
+ "name": "Structure & completeness",
82
+ "score": 7,
83
+ "max": 10
84
+ },
85
+ {
86
+ "id": "description",
87
+ "name": "Description quality",
88
+ "score": 3,
89
+ "max": 10
90
+ },
91
+ {
92
+ "id": "prompt-engineering",
93
+ "name": "Prompt engineering",
94
+ "score": 7,
95
+ "max": 10
96
+ },
97
+ {
98
+ "id": "context-efficiency",
99
+ "name": "Context efficiency",
100
+ "score": 7,
101
+ "max": 10
102
+ },
103
+ {
104
+ "id": "safety",
105
+ "name": "Safety & guardrails",
106
+ "score": 7,
107
+ "max": 10
108
+ },
109
+ {
110
+ "id": "testability",
111
+ "name": "Testability",
112
+ "score": 5,
113
+ "max": 10
114
+ },
115
+ {
116
+ "id": "naming",
117
+ "name": "Naming & conventions",
118
+ "score": 10,
119
+ "max": 10
120
+ }
121
+ ],
122
+ "evaluatedAt": "2026-06-08T23:20:57.626Z",
123
+ "evaluatedVersion": "0.0.0"
124
+ },
125
+ "skill-best-practice": {
126
+ "providerId": "skill-best-practice",
127
+ "providerVersion": "1.1.0",
128
+ "schemaVersion": 1,
129
+ "passed": false,
130
+ "overallScore": 69,
131
+ "grade": "C",
132
+ "categories": [
133
+ {
134
+ "id": "validation",
135
+ "name": "Deterministic validation",
136
+ "score": 9,
137
+ "max": 13
138
+ }
139
+ ],
140
+ "evaluatedAt": "2026-06-08T23:20:57.626Z",
141
+ "evaluatedVersion": "0.0.0"
142
+ }
143
+ }
144
+ },
145
+ {
146
+ "name": "api-audit",
147
+ "description": "Audit REST, GraphQL, and RPC APIs against the OWASP API Security Top 10 (2023). Use when the user mentions 'API security,' 'API audit,' 'BOLA,' 'broken object level authorization,' 'BFLA,' 'function-level authorization,' 'mass assignment,' 'API rate limiting,' 'GraphQL security,' 'REST security,' 'API authentication,' 'API authorization,' 'excessive data exposure,' or needs to review API endpoints for security weaknesses.",
148
+ "version": "0.0.0",
149
+ "license": "",
150
+ "creator": "",
151
+ "compatibility": "",
152
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write"],
153
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/api-audit",
154
+ "relPath": "skills/api-audit",
155
+ "verified": true,
156
+ "tokenCount": 3032,
157
+ "evalSummary": {
158
+ "overallScore": 64,
159
+ "grade": "D",
160
+ "categories": [
161
+ {
162
+ "id": "structure",
163
+ "name": "Structure & completeness",
164
+ "score": 7,
165
+ "max": 10
166
+ },
167
+ {
168
+ "id": "description",
169
+ "name": "Description quality",
170
+ "score": 8,
171
+ "max": 10
172
+ },
173
+ {
174
+ "id": "prompt-engineering",
175
+ "name": "Prompt engineering",
176
+ "score": 5,
177
+ "max": 10
178
+ },
179
+ {
180
+ "id": "context-efficiency",
181
+ "name": "Context efficiency",
182
+ "score": 8,
183
+ "max": 10
184
+ },
185
+ {
186
+ "id": "safety",
187
+ "name": "Safety & guardrails",
188
+ "score": 4,
189
+ "max": 10
190
+ },
191
+ {
192
+ "id": "testability",
193
+ "name": "Testability",
194
+ "score": 5,
195
+ "max": 10
196
+ },
197
+ {
198
+ "id": "naming",
199
+ "name": "Naming & conventions",
200
+ "score": 8,
201
+ "max": 10
202
+ }
203
+ ],
204
+ "evaluatedAt": "2026-06-08T23:20:57.629Z",
205
+ "evaluatedVersion": "0.0.0"
206
+ },
207
+ "evalSummaries": {
208
+ "quality": {
209
+ "providerId": "quality",
210
+ "providerVersion": "1.0.0",
211
+ "schemaVersion": 1,
212
+ "passed": true,
213
+ "overallScore": 64,
214
+ "grade": "D",
215
+ "categories": [
216
+ {
217
+ "id": "structure",
218
+ "name": "Structure & completeness",
219
+ "score": 7,
220
+ "max": 10
221
+ },
222
+ {
223
+ "id": "description",
224
+ "name": "Description quality",
225
+ "score": 8,
226
+ "max": 10
227
+ },
228
+ {
229
+ "id": "prompt-engineering",
230
+ "name": "Prompt engineering",
231
+ "score": 5,
232
+ "max": 10
233
+ },
234
+ {
235
+ "id": "context-efficiency",
236
+ "name": "Context efficiency",
237
+ "score": 8,
238
+ "max": 10
239
+ },
240
+ {
241
+ "id": "safety",
242
+ "name": "Safety & guardrails",
243
+ "score": 4,
244
+ "max": 10
245
+ },
246
+ {
247
+ "id": "testability",
248
+ "name": "Testability",
249
+ "score": 5,
250
+ "max": 10
251
+ },
252
+ {
253
+ "id": "naming",
254
+ "name": "Naming & conventions",
255
+ "score": 8,
256
+ "max": 10
257
+ }
258
+ ],
259
+ "evaluatedAt": "2026-06-08T23:20:57.630Z",
260
+ "evaluatedVersion": "0.0.0"
261
+ },
262
+ "skill-best-practice": {
263
+ "providerId": "skill-best-practice",
264
+ "providerVersion": "1.1.0",
265
+ "schemaVersion": 1,
266
+ "passed": false,
267
+ "overallScore": 69,
268
+ "grade": "C",
269
+ "categories": [
270
+ {
271
+ "id": "validation",
272
+ "name": "Deterministic validation",
273
+ "score": 9,
274
+ "max": 13
275
+ }
276
+ ],
277
+ "evaluatedAt": "2026-06-08T23:20:57.630Z",
278
+ "evaluatedVersion": "0.0.0"
279
+ }
280
+ }
281
+ },
282
+ {
283
+ "name": "breach-patterns",
284
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
285
+ "version": "0.0.0",
286
+ "license": "",
287
+ "creator": "",
288
+ "compatibility": "",
289
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "WebSearch", "WebFetch"],
290
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
291
+ "relPath": "skills/breach-patterns",
292
+ "verified": true,
293
+ "tokenCount": 4017,
294
+ "evalSummary": {
295
+ "overallScore": 61,
296
+ "grade": "D",
297
+ "categories": [
298
+ {
299
+ "id": "structure",
300
+ "name": "Structure & completeness",
301
+ "score": 7,
302
+ "max": 10
303
+ },
304
+ {
305
+ "id": "description",
306
+ "name": "Description quality",
307
+ "score": 3,
308
+ "max": 10
309
+ },
310
+ {
311
+ "id": "prompt-engineering",
312
+ "name": "Prompt engineering",
313
+ "score": 7,
314
+ "max": 10
315
+ },
316
+ {
317
+ "id": "context-efficiency",
318
+ "name": "Context efficiency",
319
+ "score": 8,
320
+ "max": 10
321
+ },
322
+ {
323
+ "id": "safety",
324
+ "name": "Safety & guardrails",
325
+ "score": 7,
326
+ "max": 10
327
+ },
328
+ {
329
+ "id": "testability",
330
+ "name": "Testability",
331
+ "score": 1,
332
+ "max": 10
333
+ },
334
+ {
335
+ "id": "naming",
336
+ "name": "Naming & conventions",
337
+ "score": 10,
338
+ "max": 10
339
+ }
340
+ ],
341
+ "evaluatedAt": "2026-06-08T23:20:57.632Z",
342
+ "evaluatedVersion": "0.0.0"
343
+ },
344
+ "evalSummaries": {
345
+ "quality": {
346
+ "providerId": "quality",
347
+ "providerVersion": "1.0.0",
348
+ "schemaVersion": 1,
349
+ "passed": true,
350
+ "overallScore": 61,
351
+ "grade": "D",
352
+ "categories": [
353
+ {
354
+ "id": "structure",
355
+ "name": "Structure & completeness",
356
+ "score": 7,
357
+ "max": 10
358
+ },
359
+ {
360
+ "id": "description",
361
+ "name": "Description quality",
362
+ "score": 3,
363
+ "max": 10
364
+ },
365
+ {
366
+ "id": "prompt-engineering",
367
+ "name": "Prompt engineering",
368
+ "score": 7,
369
+ "max": 10
370
+ },
371
+ {
372
+ "id": "context-efficiency",
373
+ "name": "Context efficiency",
374
+ "score": 8,
375
+ "max": 10
376
+ },
377
+ {
378
+ "id": "safety",
379
+ "name": "Safety & guardrails",
380
+ "score": 7,
381
+ "max": 10
382
+ },
383
+ {
384
+ "id": "testability",
385
+ "name": "Testability",
386
+ "score": 1,
387
+ "max": 10
388
+ },
389
+ {
390
+ "id": "naming",
391
+ "name": "Naming & conventions",
392
+ "score": 10,
393
+ "max": 10
394
+ }
395
+ ],
396
+ "evaluatedAt": "2026-06-08T23:20:57.632Z",
397
+ "evaluatedVersion": "0.0.0"
398
+ },
399
+ "skill-best-practice": {
400
+ "providerId": "skill-best-practice",
401
+ "providerVersion": "1.1.0",
402
+ "schemaVersion": 1,
403
+ "passed": false,
404
+ "overallScore": 69,
405
+ "grade": "C",
406
+ "categories": [
407
+ {
408
+ "id": "validation",
409
+ "name": "Deterministic validation",
410
+ "score": 9,
411
+ "max": 13
412
+ }
413
+ ],
414
+ "evaluatedAt": "2026-06-08T23:20:57.632Z",
415
+ "evaluatedVersion": "0.0.0"
416
+ }
417
+ }
418
+ },
419
+ {
420
+ "name": "cloud-audit",
421
+ "description": "Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.",
422
+ "version": "0.0.0",
423
+ "license": "",
424
+ "creator": "",
425
+ "compatibility": "",
426
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
427
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/cloud-audit",
428
+ "relPath": "skills/cloud-audit",
429
+ "verified": true,
430
+ "tokenCount": 1329,
431
+ "evalSummary": {
432
+ "overallScore": 67,
433
+ "grade": "C",
434
+ "categories": [
435
+ {
436
+ "id": "structure",
437
+ "name": "Structure & completeness",
438
+ "score": 7,
439
+ "max": 10
440
+ },
441
+ {
442
+ "id": "description",
443
+ "name": "Description quality",
444
+ "score": 8,
445
+ "max": 10
446
+ },
447
+ {
448
+ "id": "prompt-engineering",
449
+ "name": "Prompt engineering",
450
+ "score": 6,
451
+ "max": 10
452
+ },
453
+ {
454
+ "id": "context-efficiency",
455
+ "name": "Context efficiency",
456
+ "score": 9,
457
+ "max": 10
458
+ },
459
+ {
460
+ "id": "safety",
461
+ "name": "Safety & guardrails",
462
+ "score": 6,
463
+ "max": 10
464
+ },
465
+ {
466
+ "id": "testability",
467
+ "name": "Testability",
468
+ "score": 1,
469
+ "max": 10
470
+ },
471
+ {
472
+ "id": "naming",
473
+ "name": "Naming & conventions",
474
+ "score": 10,
475
+ "max": 10
476
+ }
477
+ ],
478
+ "evaluatedAt": "2026-06-08T23:20:57.634Z",
479
+ "evaluatedVersion": "0.0.0"
480
+ },
481
+ "evalSummaries": {
482
+ "quality": {
483
+ "providerId": "quality",
484
+ "providerVersion": "1.0.0",
485
+ "schemaVersion": 1,
486
+ "passed": true,
487
+ "overallScore": 67,
488
+ "grade": "C",
489
+ "categories": [
490
+ {
491
+ "id": "structure",
492
+ "name": "Structure & completeness",
493
+ "score": 7,
494
+ "max": 10
495
+ },
496
+ {
497
+ "id": "description",
498
+ "name": "Description quality",
499
+ "score": 8,
500
+ "max": 10
501
+ },
502
+ {
503
+ "id": "prompt-engineering",
504
+ "name": "Prompt engineering",
505
+ "score": 6,
506
+ "max": 10
507
+ },
508
+ {
509
+ "id": "context-efficiency",
510
+ "name": "Context efficiency",
511
+ "score": 9,
512
+ "max": 10
513
+ },
514
+ {
515
+ "id": "safety",
516
+ "name": "Safety & guardrails",
517
+ "score": 6,
518
+ "max": 10
519
+ },
520
+ {
521
+ "id": "testability",
522
+ "name": "Testability",
523
+ "score": 1,
524
+ "max": 10
525
+ },
526
+ {
527
+ "id": "naming",
528
+ "name": "Naming & conventions",
529
+ "score": 10,
530
+ "max": 10
531
+ }
532
+ ],
533
+ "evaluatedAt": "2026-06-08T23:20:57.634Z",
534
+ "evaluatedVersion": "0.0.0"
535
+ },
536
+ "skill-best-practice": {
537
+ "providerId": "skill-best-practice",
538
+ "providerVersion": "1.1.0",
539
+ "schemaVersion": 1,
540
+ "passed": false,
541
+ "overallScore": 69,
542
+ "grade": "C",
543
+ "categories": [
544
+ {
545
+ "id": "validation",
546
+ "name": "Deterministic validation",
547
+ "score": 9,
548
+ "max": 13
549
+ }
550
+ ],
551
+ "evaluatedAt": "2026-06-08T23:20:57.634Z",
552
+ "evaluatedVersion": "0.0.0"
553
+ }
554
+ }
555
+ },
556
+ {
557
+ "name": "container-audit",
558
+ "description": "Audit container images, Dockerfiles, and Kubernetes manifests for misconfigurations, excessive privileges, exposed secrets, and runtime risks. Use when the user mentions 'container security,' 'Docker security,' 'Dockerfile audit,' 'Kubernetes security,' 'K8s security,' 'pod security,' 'container hardening,' 'kubectl audit,' 'image scanning,' 'distroless,' 'rootless containers,' 'pod security policy,' 'pod security standards,' 'PSS,' 'network policy,' 'OPA Gatekeeper,' 'Kyverno,' 'runtime security,' or needs to review container or orchestration security.",
559
+ "version": "0.0.0",
560
+ "license": "",
561
+ "creator": "",
562
+ "compatibility": "",
563
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
564
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/container-audit",
565
+ "relPath": "skills/container-audit",
566
+ "verified": true,
567
+ "tokenCount": 2715,
568
+ "evalSummary": {
569
+ "overallScore": 76,
570
+ "grade": "C",
571
+ "categories": [
572
+ {
573
+ "id": "structure",
574
+ "name": "Structure & completeness",
575
+ "score": 7,
576
+ "max": 10
577
+ },
578
+ {
579
+ "id": "description",
580
+ "name": "Description quality",
581
+ "score": 6,
582
+ "max": 10
583
+ },
584
+ {
585
+ "id": "prompt-engineering",
586
+ "name": "Prompt engineering",
587
+ "score": 5,
588
+ "max": 10
589
+ },
590
+ {
591
+ "id": "context-efficiency",
592
+ "name": "Context efficiency",
593
+ "score": 10,
594
+ "max": 10
595
+ },
596
+ {
597
+ "id": "safety",
598
+ "name": "Safety & guardrails",
599
+ "score": 10,
600
+ "max": 10
601
+ },
602
+ {
603
+ "id": "testability",
604
+ "name": "Testability",
605
+ "score": 5,
606
+ "max": 10
607
+ },
608
+ {
609
+ "id": "naming",
610
+ "name": "Naming & conventions",
611
+ "score": 10,
612
+ "max": 10
613
+ }
614
+ ],
615
+ "evaluatedAt": "2026-06-08T23:20:57.636Z",
616
+ "evaluatedVersion": "0.0.0"
617
+ },
618
+ "evalSummaries": {
619
+ "quality": {
620
+ "providerId": "quality",
621
+ "providerVersion": "1.0.0",
622
+ "schemaVersion": 1,
623
+ "passed": true,
624
+ "overallScore": 76,
625
+ "grade": "C",
626
+ "categories": [
627
+ {
628
+ "id": "structure",
629
+ "name": "Structure & completeness",
630
+ "score": 7,
631
+ "max": 10
632
+ },
633
+ {
634
+ "id": "description",
635
+ "name": "Description quality",
636
+ "score": 6,
637
+ "max": 10
638
+ },
639
+ {
640
+ "id": "prompt-engineering",
641
+ "name": "Prompt engineering",
642
+ "score": 5,
643
+ "max": 10
644
+ },
645
+ {
646
+ "id": "context-efficiency",
647
+ "name": "Context efficiency",
648
+ "score": 10,
649
+ "max": 10
650
+ },
651
+ {
652
+ "id": "safety",
653
+ "name": "Safety & guardrails",
654
+ "score": 10,
655
+ "max": 10
656
+ },
657
+ {
658
+ "id": "testability",
659
+ "name": "Testability",
660
+ "score": 5,
661
+ "max": 10
662
+ },
663
+ {
664
+ "id": "naming",
665
+ "name": "Naming & conventions",
666
+ "score": 10,
667
+ "max": 10
668
+ }
669
+ ],
670
+ "evaluatedAt": "2026-06-08T23:20:57.636Z",
671
+ "evaluatedVersion": "0.0.0"
672
+ },
673
+ "skill-best-practice": {
674
+ "providerId": "skill-best-practice",
675
+ "providerVersion": "1.1.0",
676
+ "schemaVersion": 1,
677
+ "passed": false,
678
+ "overallScore": 69,
679
+ "grade": "C",
680
+ "categories": [
681
+ {
682
+ "id": "validation",
683
+ "name": "Deterministic validation",
684
+ "score": 9,
685
+ "max": 13
686
+ }
687
+ ],
688
+ "evaluatedAt": "2026-06-08T23:20:57.636Z",
689
+ "evaluatedVersion": "0.0.0"
690
+ }
691
+ }
692
+ },
693
+ {
694
+ "name": "crypto-audit",
695
+ "description": "Audit cryptography implementation — algorithm choice, key sizes, KDF parameters, IV/nonce handling, signature verification, randomness, TLS configuration, and key rotation. Deeper than owasp-audit A02. Use when the user mentions 'crypto review,' 'cryptography audit,' 'encryption review,' 'KDF,' 'PBKDF2,' 'Argon2,' 'bcrypt cost,' 'IV reuse,' 'nonce reuse,' 'AES mode,' 'AES-GCM,' 'AES-ECB,' 'signature verification,' 'TLS configuration,' 'cipher suites,' 'key rotation,' 'libsodium,' 'BoringSSL,' or 'is this crypto right.'",
696
+ "version": "0.0.0",
697
+ "license": "",
698
+ "creator": "",
699
+ "compatibility": "",
700
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "WebSearch"],
701
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/crypto-audit",
702
+ "relPath": "skills/crypto-audit",
703
+ "verified": true,
704
+ "tokenCount": 3028,
705
+ "evalSummary": {
706
+ "overallScore": 71,
707
+ "grade": "C",
708
+ "categories": [
709
+ {
710
+ "id": "structure",
711
+ "name": "Structure & completeness",
712
+ "score": 7,
713
+ "max": 10
714
+ },
715
+ {
716
+ "id": "description",
717
+ "name": "Description quality",
718
+ "score": 6,
719
+ "max": 10
720
+ },
721
+ {
722
+ "id": "prompt-engineering",
723
+ "name": "Prompt engineering",
724
+ "score": 5,
725
+ "max": 10
726
+ },
727
+ {
728
+ "id": "context-efficiency",
729
+ "name": "Context efficiency",
730
+ "score": 10,
731
+ "max": 10
732
+ },
733
+ {
734
+ "id": "safety",
735
+ "name": "Safety & guardrails",
736
+ "score": 7,
737
+ "max": 10
738
+ },
739
+ {
740
+ "id": "testability",
741
+ "name": "Testability",
742
+ "score": 5,
743
+ "max": 10
744
+ },
745
+ {
746
+ "id": "naming",
747
+ "name": "Naming & conventions",
748
+ "score": 10,
749
+ "max": 10
750
+ }
751
+ ],
752
+ "evaluatedAt": "2026-06-08T23:20:57.638Z",
753
+ "evaluatedVersion": "0.0.0"
754
+ },
755
+ "evalSummaries": {
756
+ "quality": {
757
+ "providerId": "quality",
758
+ "providerVersion": "1.0.0",
759
+ "schemaVersion": 1,
760
+ "passed": true,
761
+ "overallScore": 71,
762
+ "grade": "C",
763
+ "categories": [
764
+ {
765
+ "id": "structure",
766
+ "name": "Structure & completeness",
767
+ "score": 7,
768
+ "max": 10
769
+ },
770
+ {
771
+ "id": "description",
772
+ "name": "Description quality",
773
+ "score": 6,
774
+ "max": 10
775
+ },
776
+ {
777
+ "id": "prompt-engineering",
778
+ "name": "Prompt engineering",
779
+ "score": 5,
780
+ "max": 10
781
+ },
782
+ {
783
+ "id": "context-efficiency",
784
+ "name": "Context efficiency",
785
+ "score": 10,
786
+ "max": 10
787
+ },
788
+ {
789
+ "id": "safety",
790
+ "name": "Safety & guardrails",
791
+ "score": 7,
792
+ "max": 10
793
+ },
794
+ {
795
+ "id": "testability",
796
+ "name": "Testability",
797
+ "score": 5,
798
+ "max": 10
799
+ },
800
+ {
801
+ "id": "naming",
802
+ "name": "Naming & conventions",
803
+ "score": 10,
804
+ "max": 10
805
+ }
806
+ ],
807
+ "evaluatedAt": "2026-06-08T23:20:57.638Z",
808
+ "evaluatedVersion": "0.0.0"
809
+ },
810
+ "skill-best-practice": {
811
+ "providerId": "skill-best-practice",
812
+ "providerVersion": "1.1.0",
813
+ "schemaVersion": 1,
814
+ "passed": false,
815
+ "overallScore": 69,
816
+ "grade": "C",
817
+ "categories": [
818
+ {
819
+ "id": "validation",
820
+ "name": "Deterministic validation",
821
+ "score": 9,
822
+ "max": 13
823
+ }
824
+ ],
825
+ "evaluatedAt": "2026-06-08T23:20:57.638Z",
826
+ "evaluatedVersion": "0.0.0"
827
+ }
828
+ }
829
+ },
830
+ {
831
+ "name": "csf-mapping",
832
+ "description": "Map your security posture against the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Produce a gap analysis, current/target tier assessment, and roadmap in the governance language that boards, auditors, and CISOs actually use. Use when the user mentions 'NIST CSF,' 'CSF 2.0,' 'cybersecurity framework,' 'security posture,' 'governance mapping,' 'CSF gap analysis,' 'CSF tiers,' 'cybersecurity maturity,' 'security roadmap,' 'CISO report,' 'board reporting,' 'security program,' or needs to translate technical findings into governance language.",
833
+ "version": "0.0.0",
834
+ "license": "",
835
+ "creator": "",
836
+ "compatibility": "",
837
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "WebSearch"],
838
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/csf-mapping",
839
+ "relPath": "skills/csf-mapping",
840
+ "verified": true,
841
+ "tokenCount": 3451,
842
+ "evalSummary": {
843
+ "overallScore": 63,
844
+ "grade": "D",
845
+ "categories": [
846
+ {
847
+ "id": "structure",
848
+ "name": "Structure & completeness",
849
+ "score": 7,
850
+ "max": 10
851
+ },
852
+ {
853
+ "id": "description",
854
+ "name": "Description quality",
855
+ "score": 3,
856
+ "max": 10
857
+ },
858
+ {
859
+ "id": "prompt-engineering",
860
+ "name": "Prompt engineering",
861
+ "score": 6,
862
+ "max": 10
863
+ },
864
+ {
865
+ "id": "context-efficiency",
866
+ "name": "Context efficiency",
867
+ "score": 8,
868
+ "max": 10
869
+ },
870
+ {
871
+ "id": "safety",
872
+ "name": "Safety & guardrails",
873
+ "score": 7,
874
+ "max": 10
875
+ },
876
+ {
877
+ "id": "testability",
878
+ "name": "Testability",
879
+ "score": 3,
880
+ "max": 10
881
+ },
882
+ {
883
+ "id": "naming",
884
+ "name": "Naming & conventions",
885
+ "score": 10,
886
+ "max": 10
887
+ }
888
+ ],
889
+ "evaluatedAt": "2026-06-08T23:20:57.640Z",
890
+ "evaluatedVersion": "0.0.0"
891
+ },
892
+ "evalSummaries": {
893
+ "quality": {
894
+ "providerId": "quality",
895
+ "providerVersion": "1.0.0",
896
+ "schemaVersion": 1,
897
+ "passed": true,
898
+ "overallScore": 63,
899
+ "grade": "D",
900
+ "categories": [
901
+ {
902
+ "id": "structure",
903
+ "name": "Structure & completeness",
904
+ "score": 7,
905
+ "max": 10
906
+ },
907
+ {
908
+ "id": "description",
909
+ "name": "Description quality",
910
+ "score": 3,
911
+ "max": 10
912
+ },
913
+ {
914
+ "id": "prompt-engineering",
915
+ "name": "Prompt engineering",
916
+ "score": 6,
917
+ "max": 10
918
+ },
919
+ {
920
+ "id": "context-efficiency",
921
+ "name": "Context efficiency",
922
+ "score": 8,
923
+ "max": 10
924
+ },
925
+ {
926
+ "id": "safety",
927
+ "name": "Safety & guardrails",
928
+ "score": 7,
929
+ "max": 10
930
+ },
931
+ {
932
+ "id": "testability",
933
+ "name": "Testability",
934
+ "score": 3,
935
+ "max": 10
936
+ },
937
+ {
938
+ "id": "naming",
939
+ "name": "Naming & conventions",
940
+ "score": 10,
941
+ "max": 10
942
+ }
943
+ ],
944
+ "evaluatedAt": "2026-06-08T23:20:57.640Z",
945
+ "evaluatedVersion": "0.0.0"
946
+ },
947
+ "skill-best-practice": {
948
+ "providerId": "skill-best-practice",
949
+ "providerVersion": "1.1.0",
950
+ "schemaVersion": 1,
951
+ "passed": false,
952
+ "overallScore": 69,
953
+ "grade": "C",
954
+ "categories": [
955
+ {
956
+ "id": "validation",
957
+ "name": "Deterministic validation",
958
+ "score": 9,
959
+ "max": 13
960
+ }
961
+ ],
962
+ "evaluatedAt": "2026-06-08T23:20:57.640Z",
963
+ "evaluatedVersion": "0.0.0"
964
+ }
965
+ }
966
+ },
967
+ {
968
+ "name": "dependency-audit",
969
+ "description": "Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.",
970
+ "version": "0.0.0",
971
+ "license": "",
972
+ "creator": "",
973
+ "compatibility": "",
974
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
975
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/dependency-audit",
976
+ "relPath": "skills/dependency-audit",
977
+ "verified": true,
978
+ "tokenCount": 3386,
979
+ "evalSummary": {
980
+ "overallScore": 84,
981
+ "grade": "B",
982
+ "categories": [
983
+ {
984
+ "id": "structure",
985
+ "name": "Structure & completeness",
986
+ "score": 7,
987
+ "max": 10
988
+ },
989
+ {
990
+ "id": "description",
991
+ "name": "Description quality",
992
+ "score": 8,
993
+ "max": 10
994
+ },
995
+ {
996
+ "id": "prompt-engineering",
997
+ "name": "Prompt engineering",
998
+ "score": 9,
999
+ "max": 10
1000
+ },
1001
+ {
1002
+ "id": "context-efficiency",
1003
+ "name": "Context efficiency",
1004
+ "score": 8,
1005
+ "max": 10
1006
+ },
1007
+ {
1008
+ "id": "safety",
1009
+ "name": "Safety & guardrails",
1010
+ "score": 10,
1011
+ "max": 10
1012
+ },
1013
+ {
1014
+ "id": "testability",
1015
+ "name": "Testability",
1016
+ "score": 7,
1017
+ "max": 10
1018
+ },
1019
+ {
1020
+ "id": "naming",
1021
+ "name": "Naming & conventions",
1022
+ "score": 10,
1023
+ "max": 10
1024
+ }
1025
+ ],
1026
+ "evaluatedAt": "2026-06-08T23:20:57.642Z",
1027
+ "evaluatedVersion": "0.0.0"
1028
+ },
1029
+ "evalSummaries": {
1030
+ "quality": {
1031
+ "providerId": "quality",
1032
+ "providerVersion": "1.0.0",
1033
+ "schemaVersion": 1,
1034
+ "passed": true,
1035
+ "overallScore": 84,
1036
+ "grade": "B",
1037
+ "categories": [
1038
+ {
1039
+ "id": "structure",
1040
+ "name": "Structure & completeness",
1041
+ "score": 7,
1042
+ "max": 10
1043
+ },
1044
+ {
1045
+ "id": "description",
1046
+ "name": "Description quality",
1047
+ "score": 8,
1048
+ "max": 10
1049
+ },
1050
+ {
1051
+ "id": "prompt-engineering",
1052
+ "name": "Prompt engineering",
1053
+ "score": 9,
1054
+ "max": 10
1055
+ },
1056
+ {
1057
+ "id": "context-efficiency",
1058
+ "name": "Context efficiency",
1059
+ "score": 8,
1060
+ "max": 10
1061
+ },
1062
+ {
1063
+ "id": "safety",
1064
+ "name": "Safety & guardrails",
1065
+ "score": 10,
1066
+ "max": 10
1067
+ },
1068
+ {
1069
+ "id": "testability",
1070
+ "name": "Testability",
1071
+ "score": 7,
1072
+ "max": 10
1073
+ },
1074
+ {
1075
+ "id": "naming",
1076
+ "name": "Naming & conventions",
1077
+ "score": 10,
1078
+ "max": 10
1079
+ }
1080
+ ],
1081
+ "evaluatedAt": "2026-06-08T23:20:57.642Z",
1082
+ "evaluatedVersion": "0.0.0"
1083
+ },
1084
+ "skill-best-practice": {
1085
+ "providerId": "skill-best-practice",
1086
+ "providerVersion": "1.1.0",
1087
+ "schemaVersion": 1,
1088
+ "passed": false,
1089
+ "overallScore": 69,
1090
+ "grade": "C",
1091
+ "categories": [
1092
+ {
1093
+ "id": "validation",
1094
+ "name": "Deterministic validation",
1095
+ "score": 9,
1096
+ "max": 13
1097
+ }
1098
+ ],
1099
+ "evaluatedAt": "2026-06-08T23:20:57.642Z",
1100
+ "evaluatedVersion": "0.0.0"
1101
+ }
1102
+ }
1103
+ },
1104
+ {
1105
+ "name": "disk-forensics",
1106
+ "description": "Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.",
1107
+ "version": "0.0.0",
1108
+ "license": "",
1109
+ "creator": "",
1110
+ "compatibility": "",
1111
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob"],
1112
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/disk-forensics",
1113
+ "relPath": "skills/disk-forensics",
1114
+ "verified": true,
1115
+ "tokenCount": 1669,
1116
+ "evalSummary": {
1117
+ "overallScore": 64,
1118
+ "grade": "D",
1119
+ "categories": [
1120
+ {
1121
+ "id": "structure",
1122
+ "name": "Structure & completeness",
1123
+ "score": 7,
1124
+ "max": 10
1125
+ },
1126
+ {
1127
+ "id": "description",
1128
+ "name": "Description quality",
1129
+ "score": 8,
1130
+ "max": 10
1131
+ },
1132
+ {
1133
+ "id": "prompt-engineering",
1134
+ "name": "Prompt engineering",
1135
+ "score": 6,
1136
+ "max": 10
1137
+ },
1138
+ {
1139
+ "id": "context-efficiency",
1140
+ "name": "Context efficiency",
1141
+ "score": 9,
1142
+ "max": 10
1143
+ },
1144
+ {
1145
+ "id": "safety",
1146
+ "name": "Safety & guardrails",
1147
+ "score": 4,
1148
+ "max": 10
1149
+ },
1150
+ {
1151
+ "id": "testability",
1152
+ "name": "Testability",
1153
+ "score": 1,
1154
+ "max": 10
1155
+ },
1156
+ {
1157
+ "id": "naming",
1158
+ "name": "Naming & conventions",
1159
+ "score": 10,
1160
+ "max": 10
1161
+ }
1162
+ ],
1163
+ "evaluatedAt": "2026-06-08T23:20:57.643Z",
1164
+ "evaluatedVersion": "0.0.0"
1165
+ },
1166
+ "evalSummaries": {
1167
+ "quality": {
1168
+ "providerId": "quality",
1169
+ "providerVersion": "1.0.0",
1170
+ "schemaVersion": 1,
1171
+ "passed": true,
1172
+ "overallScore": 64,
1173
+ "grade": "D",
1174
+ "categories": [
1175
+ {
1176
+ "id": "structure",
1177
+ "name": "Structure & completeness",
1178
+ "score": 7,
1179
+ "max": 10
1180
+ },
1181
+ {
1182
+ "id": "description",
1183
+ "name": "Description quality",
1184
+ "score": 8,
1185
+ "max": 10
1186
+ },
1187
+ {
1188
+ "id": "prompt-engineering",
1189
+ "name": "Prompt engineering",
1190
+ "score": 6,
1191
+ "max": 10
1192
+ },
1193
+ {
1194
+ "id": "context-efficiency",
1195
+ "name": "Context efficiency",
1196
+ "score": 9,
1197
+ "max": 10
1198
+ },
1199
+ {
1200
+ "id": "safety",
1201
+ "name": "Safety & guardrails",
1202
+ "score": 4,
1203
+ "max": 10
1204
+ },
1205
+ {
1206
+ "id": "testability",
1207
+ "name": "Testability",
1208
+ "score": 1,
1209
+ "max": 10
1210
+ },
1211
+ {
1212
+ "id": "naming",
1213
+ "name": "Naming & conventions",
1214
+ "score": 10,
1215
+ "max": 10
1216
+ }
1217
+ ],
1218
+ "evaluatedAt": "2026-06-08T23:20:57.643Z",
1219
+ "evaluatedVersion": "0.0.0"
1220
+ },
1221
+ "skill-best-practice": {
1222
+ "providerId": "skill-best-practice",
1223
+ "providerVersion": "1.1.0",
1224
+ "schemaVersion": 1,
1225
+ "passed": false,
1226
+ "overallScore": 69,
1227
+ "grade": "C",
1228
+ "categories": [
1229
+ {
1230
+ "id": "validation",
1231
+ "name": "Deterministic validation",
1232
+ "score": 9,
1233
+ "max": 13
1234
+ }
1235
+ ],
1236
+ "evaluatedAt": "2026-06-08T23:20:57.643Z",
1237
+ "evaluatedVersion": "0.0.0"
1238
+ }
1239
+ }
1240
+ },
1241
+ {
1242
+ "name": "finding-triage",
1243
+ "description": "Triage a single security finding — from a scanner, audit, advisory, or report — to a defensible disposition with a mitigation plan, false-positive justification, or accepted-risk writeup. Use when the user mentions 'triage this finding,' 'is this a real vulnerability,' 'mitigation plan,' 'false positive,' 'accept this risk,' 'compensating controls,' 'risk justification,' 'security ticket,' 'CVSS this,' 'should we fix this,' 'disposition,' 'sign off on,' or has a single security finding and needs to decide what to do.",
1244
+ "version": "0.0.0",
1245
+ "license": "",
1246
+ "creator": "",
1247
+ "compatibility": "",
1248
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "WebSearch"],
1249
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/finding-triage",
1250
+ "relPath": "skills/finding-triage",
1251
+ "verified": true,
1252
+ "tokenCount": 3557,
1253
+ "evalSummary": {
1254
+ "overallScore": 64,
1255
+ "grade": "D",
1256
+ "categories": [
1257
+ {
1258
+ "id": "structure",
1259
+ "name": "Structure & completeness",
1260
+ "score": 7,
1261
+ "max": 10
1262
+ },
1263
+ {
1264
+ "id": "description",
1265
+ "name": "Description quality",
1266
+ "score": 3,
1267
+ "max": 10
1268
+ },
1269
+ {
1270
+ "id": "prompt-engineering",
1271
+ "name": "Prompt engineering",
1272
+ "score": 8,
1273
+ "max": 10
1274
+ },
1275
+ {
1276
+ "id": "context-efficiency",
1277
+ "name": "Context efficiency",
1278
+ "score": 7,
1279
+ "max": 10
1280
+ },
1281
+ {
1282
+ "id": "safety",
1283
+ "name": "Safety & guardrails",
1284
+ "score": 5,
1285
+ "max": 10
1286
+ },
1287
+ {
1288
+ "id": "testability",
1289
+ "name": "Testability",
1290
+ "score": 5,
1291
+ "max": 10
1292
+ },
1293
+ {
1294
+ "id": "naming",
1295
+ "name": "Naming & conventions",
1296
+ "score": 10,
1297
+ "max": 10
1298
+ }
1299
+ ],
1300
+ "evaluatedAt": "2026-06-08T23:20:57.645Z",
1301
+ "evaluatedVersion": "0.0.0"
1302
+ },
1303
+ "evalSummaries": {
1304
+ "quality": {
1305
+ "providerId": "quality",
1306
+ "providerVersion": "1.0.0",
1307
+ "schemaVersion": 1,
1308
+ "passed": true,
1309
+ "overallScore": 64,
1310
+ "grade": "D",
1311
+ "categories": [
1312
+ {
1313
+ "id": "structure",
1314
+ "name": "Structure & completeness",
1315
+ "score": 7,
1316
+ "max": 10
1317
+ },
1318
+ {
1319
+ "id": "description",
1320
+ "name": "Description quality",
1321
+ "score": 3,
1322
+ "max": 10
1323
+ },
1324
+ {
1325
+ "id": "prompt-engineering",
1326
+ "name": "Prompt engineering",
1327
+ "score": 8,
1328
+ "max": 10
1329
+ },
1330
+ {
1331
+ "id": "context-efficiency",
1332
+ "name": "Context efficiency",
1333
+ "score": 7,
1334
+ "max": 10
1335
+ },
1336
+ {
1337
+ "id": "safety",
1338
+ "name": "Safety & guardrails",
1339
+ "score": 5,
1340
+ "max": 10
1341
+ },
1342
+ {
1343
+ "id": "testability",
1344
+ "name": "Testability",
1345
+ "score": 5,
1346
+ "max": 10
1347
+ },
1348
+ {
1349
+ "id": "naming",
1350
+ "name": "Naming & conventions",
1351
+ "score": 10,
1352
+ "max": 10
1353
+ }
1354
+ ],
1355
+ "evaluatedAt": "2026-06-08T23:20:57.645Z",
1356
+ "evaluatedVersion": "0.0.0"
1357
+ },
1358
+ "skill-best-practice": {
1359
+ "providerId": "skill-best-practice",
1360
+ "providerVersion": "1.1.0",
1361
+ "schemaVersion": 1,
1362
+ "passed": false,
1363
+ "overallScore": 69,
1364
+ "grade": "C",
1365
+ "categories": [
1366
+ {
1367
+ "id": "validation",
1368
+ "name": "Deterministic validation",
1369
+ "score": 9,
1370
+ "max": 13
1371
+ }
1372
+ ],
1373
+ "evaluatedAt": "2026-06-08T23:20:57.645Z",
1374
+ "evaluatedVersion": "0.0.0"
1375
+ }
1376
+ }
1377
+ },
1378
+ {
1379
+ "name": "hipaa-audit",
1380
+ "description": "Audit applications and infrastructure handling Protected Health Information against HIPAA — Security Rule (administrative, physical, technical safeguards), Privacy Rule, Breach Notification Rule, plus HITECH. Covers ePHI scoping, the 18 HIPAA identifiers, Business Associate Agreement (BAA) chain-of-liability, minimum-necessary standard, and breach notification timing. Use when the user mentions 'HIPAA,' 'HIPAA Security Rule,' 'HIPAA Privacy Rule,' 'PHI,' 'ePHI,' 'protected health information,' 'BAA,' 'business associate agreement,' 'covered entity,' 'business associate,' 'minimum necessary,' 'HIPAA breach,' 'HITECH,' 'healthcare compliance,' 'medical data,' 'patient data,' or audits any system that creates, receives, maintains, or transmits PHI.",
1381
+ "version": "0.0.0",
1382
+ "license": "",
1383
+ "creator": "",
1384
+ "compatibility": "",
1385
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write", "WebSearch"],
1386
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/hipaa-audit",
1387
+ "relPath": "skills/hipaa-audit",
1388
+ "verified": true,
1389
+ "tokenCount": 4999,
1390
+ "evalSummary": {
1391
+ "overallScore": 69,
1392
+ "grade": "C",
1393
+ "categories": [
1394
+ {
1395
+ "id": "structure",
1396
+ "name": "Structure & completeness",
1397
+ "score": 7,
1398
+ "max": 10
1399
+ },
1400
+ {
1401
+ "id": "description",
1402
+ "name": "Description quality",
1403
+ "score": 6,
1404
+ "max": 10
1405
+ },
1406
+ {
1407
+ "id": "prompt-engineering",
1408
+ "name": "Prompt engineering",
1409
+ "score": 4,
1410
+ "max": 10
1411
+ },
1412
+ {
1413
+ "id": "context-efficiency",
1414
+ "name": "Context efficiency",
1415
+ "score": 7,
1416
+ "max": 10
1417
+ },
1418
+ {
1419
+ "id": "safety",
1420
+ "name": "Safety & guardrails",
1421
+ "score": 9,
1422
+ "max": 10
1423
+ },
1424
+ {
1425
+ "id": "testability",
1426
+ "name": "Testability",
1427
+ "score": 5,
1428
+ "max": 10
1429
+ },
1430
+ {
1431
+ "id": "naming",
1432
+ "name": "Naming & conventions",
1433
+ "score": 10,
1434
+ "max": 10
1435
+ }
1436
+ ],
1437
+ "evaluatedAt": "2026-06-08T23:20:57.647Z",
1438
+ "evaluatedVersion": "0.0.0"
1439
+ },
1440
+ "evalSummaries": {
1441
+ "quality": {
1442
+ "providerId": "quality",
1443
+ "providerVersion": "1.0.0",
1444
+ "schemaVersion": 1,
1445
+ "passed": true,
1446
+ "overallScore": 69,
1447
+ "grade": "C",
1448
+ "categories": [
1449
+ {
1450
+ "id": "structure",
1451
+ "name": "Structure & completeness",
1452
+ "score": 7,
1453
+ "max": 10
1454
+ },
1455
+ {
1456
+ "id": "description",
1457
+ "name": "Description quality",
1458
+ "score": 6,
1459
+ "max": 10
1460
+ },
1461
+ {
1462
+ "id": "prompt-engineering",
1463
+ "name": "Prompt engineering",
1464
+ "score": 4,
1465
+ "max": 10
1466
+ },
1467
+ {
1468
+ "id": "context-efficiency",
1469
+ "name": "Context efficiency",
1470
+ "score": 7,
1471
+ "max": 10
1472
+ },
1473
+ {
1474
+ "id": "safety",
1475
+ "name": "Safety & guardrails",
1476
+ "score": 9,
1477
+ "max": 10
1478
+ },
1479
+ {
1480
+ "id": "testability",
1481
+ "name": "Testability",
1482
+ "score": 5,
1483
+ "max": 10
1484
+ },
1485
+ {
1486
+ "id": "naming",
1487
+ "name": "Naming & conventions",
1488
+ "score": 10,
1489
+ "max": 10
1490
+ }
1491
+ ],
1492
+ "evaluatedAt": "2026-06-08T23:20:57.647Z",
1493
+ "evaluatedVersion": "0.0.0"
1494
+ },
1495
+ "skill-best-practice": {
1496
+ "providerId": "skill-best-practice",
1497
+ "providerVersion": "1.1.0",
1498
+ "schemaVersion": 1,
1499
+ "passed": false,
1500
+ "overallScore": 69,
1501
+ "grade": "C",
1502
+ "categories": [
1503
+ {
1504
+ "id": "validation",
1505
+ "name": "Deterministic validation",
1506
+ "score": 9,
1507
+ "max": 13
1508
+ }
1509
+ ],
1510
+ "evaluatedAt": "2026-06-08T23:20:57.647Z",
1511
+ "evaluatedVersion": "0.0.0"
1512
+ }
1513
+ }
1514
+ },
1515
+ {
1516
+ "name": "iam-audit",
1517
+ "description": "Audit, design, and migrate Identity and Access Management — cloud provider IAM (AWS, GCP, Azure), identity providers (Okta, Entra ID / Azure AD, Auth0, Google Workspace), application authorization (RBAC, ABAC, ReBAC), and federated identity. Use when the user mentions 'IAM,' 'identity,' 'access management,' 'least privilege,' 'role design,' 'SSO,' 'SAML,' 'OIDC,' 'OAuth,' 'JIT access,' 'just-in-time access,' 'break-glass,' 'service accounts,' 'RBAC,' 'ABAC,' 'privilege creep,' 'role explosion,' 'identity governance,' 'IAM strategy,' 'identity migration,' 'Okta,' 'Entra ID,' 'Azure AD,' 'Auth0,' 'Cognito,' or needs identity consultant-level guidance.",
1518
+ "version": "0.0.0",
1519
+ "license": "",
1520
+ "creator": "",
1521
+ "compatibility": "",
1522
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
1523
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/iam-audit",
1524
+ "relPath": "skills/iam-audit",
1525
+ "verified": true,
1526
+ "tokenCount": 3631,
1527
+ "evalSummary": {
1528
+ "overallScore": 69,
1529
+ "grade": "C",
1530
+ "categories": [
1531
+ {
1532
+ "id": "structure",
1533
+ "name": "Structure & completeness",
1534
+ "score": 7,
1535
+ "max": 10
1536
+ },
1537
+ {
1538
+ "id": "description",
1539
+ "name": "Description quality",
1540
+ "score": 6,
1541
+ "max": 10
1542
+ },
1543
+ {
1544
+ "id": "prompt-engineering",
1545
+ "name": "Prompt engineering",
1546
+ "score": 7,
1547
+ "max": 10
1548
+ },
1549
+ {
1550
+ "id": "context-efficiency",
1551
+ "name": "Context efficiency",
1552
+ "score": 8,
1553
+ "max": 10
1554
+ },
1555
+ {
1556
+ "id": "safety",
1557
+ "name": "Safety & guardrails",
1558
+ "score": 7,
1559
+ "max": 10
1560
+ },
1561
+ {
1562
+ "id": "testability",
1563
+ "name": "Testability",
1564
+ "score": 3,
1565
+ "max": 10
1566
+ },
1567
+ {
1568
+ "id": "naming",
1569
+ "name": "Naming & conventions",
1570
+ "score": 10,
1571
+ "max": 10
1572
+ }
1573
+ ],
1574
+ "evaluatedAt": "2026-06-08T23:20:57.650Z",
1575
+ "evaluatedVersion": "0.0.0"
1576
+ },
1577
+ "evalSummaries": {
1578
+ "quality": {
1579
+ "providerId": "quality",
1580
+ "providerVersion": "1.0.0",
1581
+ "schemaVersion": 1,
1582
+ "passed": true,
1583
+ "overallScore": 69,
1584
+ "grade": "C",
1585
+ "categories": [
1586
+ {
1587
+ "id": "structure",
1588
+ "name": "Structure & completeness",
1589
+ "score": 7,
1590
+ "max": 10
1591
+ },
1592
+ {
1593
+ "id": "description",
1594
+ "name": "Description quality",
1595
+ "score": 6,
1596
+ "max": 10
1597
+ },
1598
+ {
1599
+ "id": "prompt-engineering",
1600
+ "name": "Prompt engineering",
1601
+ "score": 7,
1602
+ "max": 10
1603
+ },
1604
+ {
1605
+ "id": "context-efficiency",
1606
+ "name": "Context efficiency",
1607
+ "score": 8,
1608
+ "max": 10
1609
+ },
1610
+ {
1611
+ "id": "safety",
1612
+ "name": "Safety & guardrails",
1613
+ "score": 7,
1614
+ "max": 10
1615
+ },
1616
+ {
1617
+ "id": "testability",
1618
+ "name": "Testability",
1619
+ "score": 3,
1620
+ "max": 10
1621
+ },
1622
+ {
1623
+ "id": "naming",
1624
+ "name": "Naming & conventions",
1625
+ "score": 10,
1626
+ "max": 10
1627
+ }
1628
+ ],
1629
+ "evaluatedAt": "2026-06-08T23:20:57.650Z",
1630
+ "evaluatedVersion": "0.0.0"
1631
+ },
1632
+ "skill-best-practice": {
1633
+ "providerId": "skill-best-practice",
1634
+ "providerVersion": "1.1.0",
1635
+ "schemaVersion": 1,
1636
+ "passed": false,
1637
+ "overallScore": 69,
1638
+ "grade": "C",
1639
+ "categories": [
1640
+ {
1641
+ "id": "validation",
1642
+ "name": "Deterministic validation",
1643
+ "score": 9,
1644
+ "max": 13
1645
+ }
1646
+ ],
1647
+ "evaluatedAt": "2026-06-08T23:20:57.650Z",
1648
+ "evaluatedVersion": "0.0.0"
1649
+ }
1650
+ }
1651
+ },
1652
+ {
1653
+ "name": "incident-triage",
1654
+ "description": "Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.",
1655
+ "version": "0.0.0",
1656
+ "license": "",
1657
+ "creator": "",
1658
+ "compatibility": "",
1659
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
1660
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/incident-triage",
1661
+ "relPath": "skills/incident-triage",
1662
+ "verified": true,
1663
+ "tokenCount": 1654,
1664
+ "evalSummary": {
1665
+ "overallScore": 63,
1666
+ "grade": "D",
1667
+ "categories": [
1668
+ {
1669
+ "id": "structure",
1670
+ "name": "Structure & completeness",
1671
+ "score": 7,
1672
+ "max": 10
1673
+ },
1674
+ {
1675
+ "id": "description",
1676
+ "name": "Description quality",
1677
+ "score": 5,
1678
+ "max": 10
1679
+ },
1680
+ {
1681
+ "id": "prompt-engineering",
1682
+ "name": "Prompt engineering",
1683
+ "score": 8,
1684
+ "max": 10
1685
+ },
1686
+ {
1687
+ "id": "context-efficiency",
1688
+ "name": "Context efficiency",
1689
+ "score": 9,
1690
+ "max": 10
1691
+ },
1692
+ {
1693
+ "id": "safety",
1694
+ "name": "Safety & guardrails",
1695
+ "score": 4,
1696
+ "max": 10
1697
+ },
1698
+ {
1699
+ "id": "testability",
1700
+ "name": "Testability",
1701
+ "score": 1,
1702
+ "max": 10
1703
+ },
1704
+ {
1705
+ "id": "naming",
1706
+ "name": "Naming & conventions",
1707
+ "score": 10,
1708
+ "max": 10
1709
+ }
1710
+ ],
1711
+ "evaluatedAt": "2026-06-08T23:20:57.651Z",
1712
+ "evaluatedVersion": "0.0.0"
1713
+ },
1714
+ "evalSummaries": {
1715
+ "quality": {
1716
+ "providerId": "quality",
1717
+ "providerVersion": "1.0.0",
1718
+ "schemaVersion": 1,
1719
+ "passed": true,
1720
+ "overallScore": 63,
1721
+ "grade": "D",
1722
+ "categories": [
1723
+ {
1724
+ "id": "structure",
1725
+ "name": "Structure & completeness",
1726
+ "score": 7,
1727
+ "max": 10
1728
+ },
1729
+ {
1730
+ "id": "description",
1731
+ "name": "Description quality",
1732
+ "score": 5,
1733
+ "max": 10
1734
+ },
1735
+ {
1736
+ "id": "prompt-engineering",
1737
+ "name": "Prompt engineering",
1738
+ "score": 8,
1739
+ "max": 10
1740
+ },
1741
+ {
1742
+ "id": "context-efficiency",
1743
+ "name": "Context efficiency",
1744
+ "score": 9,
1745
+ "max": 10
1746
+ },
1747
+ {
1748
+ "id": "safety",
1749
+ "name": "Safety & guardrails",
1750
+ "score": 4,
1751
+ "max": 10
1752
+ },
1753
+ {
1754
+ "id": "testability",
1755
+ "name": "Testability",
1756
+ "score": 1,
1757
+ "max": 10
1758
+ },
1759
+ {
1760
+ "id": "naming",
1761
+ "name": "Naming & conventions",
1762
+ "score": 10,
1763
+ "max": 10
1764
+ }
1765
+ ],
1766
+ "evaluatedAt": "2026-06-08T23:20:57.651Z",
1767
+ "evaluatedVersion": "0.0.0"
1768
+ },
1769
+ "skill-best-practice": {
1770
+ "providerId": "skill-best-practice",
1771
+ "providerVersion": "1.1.0",
1772
+ "schemaVersion": 1,
1773
+ "passed": false,
1774
+ "overallScore": 69,
1775
+ "grade": "C",
1776
+ "categories": [
1777
+ {
1778
+ "id": "validation",
1779
+ "name": "Deterministic validation",
1780
+ "score": 9,
1781
+ "max": 13
1782
+ }
1783
+ ],
1784
+ "evaluatedAt": "2026-06-08T23:20:57.651Z",
1785
+ "evaluatedVersion": "0.0.0"
1786
+ }
1787
+ }
1788
+ },
1789
+ {
1790
+ "name": "mobile-audit",
1791
+ "description": "Audit iOS and Android mobile applications against OWASP MASVS / MASTG — insecure storage, weak crypto, certificate pinning, deeplinks, IPC, jailbreak/root detection, reverse-engineering resistance. Use when the user mentions 'mobile security,' 'iOS security,' 'Android security,' 'mobile audit,' 'mobile pentest,' 'MASVS,' 'MASTG,' 'certificate pinning,' 'jailbreak detection,' 'root detection,' 'deeplink,' 'URL scheme,' 'app transport security,' 'keychain,' 'keystore,' 'mobile reverse engineering,' or has a mobile app to review.",
1792
+ "version": "0.0.0",
1793
+ "license": "",
1794
+ "creator": "",
1795
+ "compatibility": "",
1796
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
1797
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/mobile-audit",
1798
+ "relPath": "skills/mobile-audit",
1799
+ "verified": true,
1800
+ "tokenCount": 2888,
1801
+ "evalSummary": {
1802
+ "overallScore": 74,
1803
+ "grade": "C",
1804
+ "categories": [
1805
+ {
1806
+ "id": "structure",
1807
+ "name": "Structure & completeness",
1808
+ "score": 7,
1809
+ "max": 10
1810
+ },
1811
+ {
1812
+ "id": "description",
1813
+ "name": "Description quality",
1814
+ "score": 6,
1815
+ "max": 10
1816
+ },
1817
+ {
1818
+ "id": "prompt-engineering",
1819
+ "name": "Prompt engineering",
1820
+ "score": 4,
1821
+ "max": 10
1822
+ },
1823
+ {
1824
+ "id": "context-efficiency",
1825
+ "name": "Context efficiency",
1826
+ "score": 10,
1827
+ "max": 10
1828
+ },
1829
+ {
1830
+ "id": "safety",
1831
+ "name": "Safety & guardrails",
1832
+ "score": 10,
1833
+ "max": 10
1834
+ },
1835
+ {
1836
+ "id": "testability",
1837
+ "name": "Testability",
1838
+ "score": 5,
1839
+ "max": 10
1840
+ },
1841
+ {
1842
+ "id": "naming",
1843
+ "name": "Naming & conventions",
1844
+ "score": 10,
1845
+ "max": 10
1846
+ }
1847
+ ],
1848
+ "evaluatedAt": "2026-06-08T23:20:57.653Z",
1849
+ "evaluatedVersion": "0.0.0"
1850
+ },
1851
+ "evalSummaries": {
1852
+ "quality": {
1853
+ "providerId": "quality",
1854
+ "providerVersion": "1.0.0",
1855
+ "schemaVersion": 1,
1856
+ "passed": true,
1857
+ "overallScore": 74,
1858
+ "grade": "C",
1859
+ "categories": [
1860
+ {
1861
+ "id": "structure",
1862
+ "name": "Structure & completeness",
1863
+ "score": 7,
1864
+ "max": 10
1865
+ },
1866
+ {
1867
+ "id": "description",
1868
+ "name": "Description quality",
1869
+ "score": 6,
1870
+ "max": 10
1871
+ },
1872
+ {
1873
+ "id": "prompt-engineering",
1874
+ "name": "Prompt engineering",
1875
+ "score": 4,
1876
+ "max": 10
1877
+ },
1878
+ {
1879
+ "id": "context-efficiency",
1880
+ "name": "Context efficiency",
1881
+ "score": 10,
1882
+ "max": 10
1883
+ },
1884
+ {
1885
+ "id": "safety",
1886
+ "name": "Safety & guardrails",
1887
+ "score": 10,
1888
+ "max": 10
1889
+ },
1890
+ {
1891
+ "id": "testability",
1892
+ "name": "Testability",
1893
+ "score": 5,
1894
+ "max": 10
1895
+ },
1896
+ {
1897
+ "id": "naming",
1898
+ "name": "Naming & conventions",
1899
+ "score": 10,
1900
+ "max": 10
1901
+ }
1902
+ ],
1903
+ "evaluatedAt": "2026-06-08T23:20:57.653Z",
1904
+ "evaluatedVersion": "0.0.0"
1905
+ },
1906
+ "skill-best-practice": {
1907
+ "providerId": "skill-best-practice",
1908
+ "providerVersion": "1.1.0",
1909
+ "schemaVersion": 1,
1910
+ "passed": false,
1911
+ "overallScore": 69,
1912
+ "grade": "C",
1913
+ "categories": [
1914
+ {
1915
+ "id": "validation",
1916
+ "name": "Deterministic validation",
1917
+ "score": 9,
1918
+ "max": 13
1919
+ }
1920
+ ],
1921
+ "evaluatedAt": "2026-06-08T23:20:57.653Z",
1922
+ "evaluatedVersion": "0.0.0"
1923
+ }
1924
+ }
1925
+ },
1926
+ {
1927
+ "name": "osint-recon",
1928
+ "description": "Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.",
1929
+ "version": "0.0.0",
1930
+ "license": "",
1931
+ "creator": "",
1932
+ "compatibility": "",
1933
+ "allowedTools": ["Bash", "WebSearch", "WebFetch", "Read", "Write"],
1934
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/osint-recon",
1935
+ "relPath": "skills/osint-recon",
1936
+ "verified": true,
1937
+ "tokenCount": 1178,
1938
+ "evalSummary": {
1939
+ "overallScore": 71,
1940
+ "grade": "C",
1941
+ "categories": [
1942
+ {
1943
+ "id": "structure",
1944
+ "name": "Structure & completeness",
1945
+ "score": 7,
1946
+ "max": 10
1947
+ },
1948
+ {
1949
+ "id": "description",
1950
+ "name": "Description quality",
1951
+ "score": 5,
1952
+ "max": 10
1953
+ },
1954
+ {
1955
+ "id": "prompt-engineering",
1956
+ "name": "Prompt engineering",
1957
+ "score": 7,
1958
+ "max": 10
1959
+ },
1960
+ {
1961
+ "id": "context-efficiency",
1962
+ "name": "Context efficiency",
1963
+ "score": 9,
1964
+ "max": 10
1965
+ },
1966
+ {
1967
+ "id": "safety",
1968
+ "name": "Safety & guardrails",
1969
+ "score": 9,
1970
+ "max": 10
1971
+ },
1972
+ {
1973
+ "id": "testability",
1974
+ "name": "Testability",
1975
+ "score": 3,
1976
+ "max": 10
1977
+ },
1978
+ {
1979
+ "id": "naming",
1980
+ "name": "Naming & conventions",
1981
+ "score": 10,
1982
+ "max": 10
1983
+ }
1984
+ ],
1985
+ "evaluatedAt": "2026-06-08T23:20:57.655Z",
1986
+ "evaluatedVersion": "0.0.0"
1987
+ },
1988
+ "evalSummaries": {
1989
+ "quality": {
1990
+ "providerId": "quality",
1991
+ "providerVersion": "1.0.0",
1992
+ "schemaVersion": 1,
1993
+ "passed": true,
1994
+ "overallScore": 71,
1995
+ "grade": "C",
1996
+ "categories": [
1997
+ {
1998
+ "id": "structure",
1999
+ "name": "Structure & completeness",
2000
+ "score": 7,
2001
+ "max": 10
2002
+ },
2003
+ {
2004
+ "id": "description",
2005
+ "name": "Description quality",
2006
+ "score": 5,
2007
+ "max": 10
2008
+ },
2009
+ {
2010
+ "id": "prompt-engineering",
2011
+ "name": "Prompt engineering",
2012
+ "score": 7,
2013
+ "max": 10
2014
+ },
2015
+ {
2016
+ "id": "context-efficiency",
2017
+ "name": "Context efficiency",
2018
+ "score": 9,
2019
+ "max": 10
2020
+ },
2021
+ {
2022
+ "id": "safety",
2023
+ "name": "Safety & guardrails",
2024
+ "score": 9,
2025
+ "max": 10
2026
+ },
2027
+ {
2028
+ "id": "testability",
2029
+ "name": "Testability",
2030
+ "score": 3,
2031
+ "max": 10
2032
+ },
2033
+ {
2034
+ "id": "naming",
2035
+ "name": "Naming & conventions",
2036
+ "score": 10,
2037
+ "max": 10
2038
+ }
2039
+ ],
2040
+ "evaluatedAt": "2026-06-08T23:20:57.655Z",
2041
+ "evaluatedVersion": "0.0.0"
2042
+ },
2043
+ "skill-best-practice": {
2044
+ "providerId": "skill-best-practice",
2045
+ "providerVersion": "1.1.0",
2046
+ "schemaVersion": 1,
2047
+ "passed": false,
2048
+ "overallScore": 69,
2049
+ "grade": "C",
2050
+ "categories": [
2051
+ {
2052
+ "id": "validation",
2053
+ "name": "Deterministic validation",
2054
+ "score": 9,
2055
+ "max": 13
2056
+ }
2057
+ ],
2058
+ "evaluatedAt": "2026-06-08T23:20:57.655Z",
2059
+ "evaluatedVersion": "0.0.0"
2060
+ }
2061
+ }
2062
+ },
2063
+ {
2064
+ "name": "owasp-audit",
2065
+ "description": "Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.",
2066
+ "version": "0.0.0",
2067
+ "license": "",
2068
+ "creator": "",
2069
+ "compatibility": "",
2070
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write"],
2071
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/owasp-audit",
2072
+ "relPath": "skills/owasp-audit",
2073
+ "verified": true,
2074
+ "tokenCount": 9434,
2075
+ "evalSummary": {
2076
+ "overallScore": 74,
2077
+ "grade": "C",
2078
+ "categories": [
2079
+ {
2080
+ "id": "structure",
2081
+ "name": "Structure & completeness",
2082
+ "score": 7,
2083
+ "max": 10
2084
+ },
2085
+ {
2086
+ "id": "description",
2087
+ "name": "Description quality",
2088
+ "score": 6,
2089
+ "max": 10
2090
+ },
2091
+ {
2092
+ "id": "prompt-engineering",
2093
+ "name": "Prompt engineering",
2094
+ "score": 6,
2095
+ "max": 10
2096
+ },
2097
+ {
2098
+ "id": "context-efficiency",
2099
+ "name": "Context efficiency",
2100
+ "score": 6,
2101
+ "max": 10
2102
+ },
2103
+ {
2104
+ "id": "safety",
2105
+ "name": "Safety & guardrails",
2106
+ "score": 10,
2107
+ "max": 10
2108
+ },
2109
+ {
2110
+ "id": "testability",
2111
+ "name": "Testability",
2112
+ "score": 7,
2113
+ "max": 10
2114
+ },
2115
+ {
2116
+ "id": "naming",
2117
+ "name": "Naming & conventions",
2118
+ "score": 10,
2119
+ "max": 10
2120
+ }
2121
+ ],
2122
+ "evaluatedAt": "2026-06-08T23:20:57.657Z",
2123
+ "evaluatedVersion": "0.0.0"
2124
+ },
2125
+ "evalSummaries": {
2126
+ "quality": {
2127
+ "providerId": "quality",
2128
+ "providerVersion": "1.0.0",
2129
+ "schemaVersion": 1,
2130
+ "passed": true,
2131
+ "overallScore": 74,
2132
+ "grade": "C",
2133
+ "categories": [
2134
+ {
2135
+ "id": "structure",
2136
+ "name": "Structure & completeness",
2137
+ "score": 7,
2138
+ "max": 10
2139
+ },
2140
+ {
2141
+ "id": "description",
2142
+ "name": "Description quality",
2143
+ "score": 6,
2144
+ "max": 10
2145
+ },
2146
+ {
2147
+ "id": "prompt-engineering",
2148
+ "name": "Prompt engineering",
2149
+ "score": 6,
2150
+ "max": 10
2151
+ },
2152
+ {
2153
+ "id": "context-efficiency",
2154
+ "name": "Context efficiency",
2155
+ "score": 6,
2156
+ "max": 10
2157
+ },
2158
+ {
2159
+ "id": "safety",
2160
+ "name": "Safety & guardrails",
2161
+ "score": 10,
2162
+ "max": 10
2163
+ },
2164
+ {
2165
+ "id": "testability",
2166
+ "name": "Testability",
2167
+ "score": 7,
2168
+ "max": 10
2169
+ },
2170
+ {
2171
+ "id": "naming",
2172
+ "name": "Naming & conventions",
2173
+ "score": 10,
2174
+ "max": 10
2175
+ }
2176
+ ],
2177
+ "evaluatedAt": "2026-06-08T23:20:57.658Z",
2178
+ "evaluatedVersion": "0.0.0"
2179
+ },
2180
+ "skill-best-practice": {
2181
+ "providerId": "skill-best-practice",
2182
+ "providerVersion": "1.1.0",
2183
+ "schemaVersion": 1,
2184
+ "passed": false,
2185
+ "overallScore": 69,
2186
+ "grade": "C",
2187
+ "categories": [
2188
+ {
2189
+ "id": "validation",
2190
+ "name": "Deterministic validation",
2191
+ "score": 9,
2192
+ "max": 13
2193
+ }
2194
+ ],
2195
+ "evaluatedAt": "2026-06-08T23:20:57.658Z",
2196
+ "evaluatedVersion": "0.0.0"
2197
+ }
2198
+ }
2199
+ },
2200
+ {
2201
+ "name": "pci-audit",
2202
+ "description": "Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.",
2203
+ "version": "0.0.0",
2204
+ "license": "",
2205
+ "creator": "",
2206
+ "compatibility": "",
2207
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write", "WebSearch"],
2208
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/pci-audit",
2209
+ "relPath": "skills/pci-audit",
2210
+ "verified": true,
2211
+ "tokenCount": 4293,
2212
+ "evalSummary": {
2213
+ "overallScore": 71,
2214
+ "grade": "C",
2215
+ "categories": [
2216
+ {
2217
+ "id": "structure",
2218
+ "name": "Structure & completeness",
2219
+ "score": 7,
2220
+ "max": 10
2221
+ },
2222
+ {
2223
+ "id": "description",
2224
+ "name": "Description quality",
2225
+ "score": 6,
2226
+ "max": 10
2227
+ },
2228
+ {
2229
+ "id": "prompt-engineering",
2230
+ "name": "Prompt engineering",
2231
+ "score": 5,
2232
+ "max": 10
2233
+ },
2234
+ {
2235
+ "id": "context-efficiency",
2236
+ "name": "Context efficiency",
2237
+ "score": 8,
2238
+ "max": 10
2239
+ },
2240
+ {
2241
+ "id": "safety",
2242
+ "name": "Safety & guardrails",
2243
+ "score": 9,
2244
+ "max": 10
2245
+ },
2246
+ {
2247
+ "id": "testability",
2248
+ "name": "Testability",
2249
+ "score": 5,
2250
+ "max": 10
2251
+ },
2252
+ {
2253
+ "id": "naming",
2254
+ "name": "Naming & conventions",
2255
+ "score": 10,
2256
+ "max": 10
2257
+ }
2258
+ ],
2259
+ "evaluatedAt": "2026-06-08T23:20:57.661Z",
2260
+ "evaluatedVersion": "0.0.0"
2261
+ },
2262
+ "evalSummaries": {
2263
+ "quality": {
2264
+ "providerId": "quality",
2265
+ "providerVersion": "1.0.0",
2266
+ "schemaVersion": 1,
2267
+ "passed": true,
2268
+ "overallScore": 71,
2269
+ "grade": "C",
2270
+ "categories": [
2271
+ {
2272
+ "id": "structure",
2273
+ "name": "Structure & completeness",
2274
+ "score": 7,
2275
+ "max": 10
2276
+ },
2277
+ {
2278
+ "id": "description",
2279
+ "name": "Description quality",
2280
+ "score": 6,
2281
+ "max": 10
2282
+ },
2283
+ {
2284
+ "id": "prompt-engineering",
2285
+ "name": "Prompt engineering",
2286
+ "score": 5,
2287
+ "max": 10
2288
+ },
2289
+ {
2290
+ "id": "context-efficiency",
2291
+ "name": "Context efficiency",
2292
+ "score": 8,
2293
+ "max": 10
2294
+ },
2295
+ {
2296
+ "id": "safety",
2297
+ "name": "Safety & guardrails",
2298
+ "score": 9,
2299
+ "max": 10
2300
+ },
2301
+ {
2302
+ "id": "testability",
2303
+ "name": "Testability",
2304
+ "score": 5,
2305
+ "max": 10
2306
+ },
2307
+ {
2308
+ "id": "naming",
2309
+ "name": "Naming & conventions",
2310
+ "score": 10,
2311
+ "max": 10
2312
+ }
2313
+ ],
2314
+ "evaluatedAt": "2026-06-08T23:20:57.661Z",
2315
+ "evaluatedVersion": "0.0.0"
2316
+ },
2317
+ "skill-best-practice": {
2318
+ "providerId": "skill-best-practice",
2319
+ "providerVersion": "1.1.0",
2320
+ "schemaVersion": 1,
2321
+ "passed": false,
2322
+ "overallScore": 69,
2323
+ "grade": "C",
2324
+ "categories": [
2325
+ {
2326
+ "id": "validation",
2327
+ "name": "Deterministic validation",
2328
+ "score": 9,
2329
+ "max": 13
2330
+ }
2331
+ ],
2332
+ "evaluatedAt": "2026-06-08T23:20:57.661Z",
2333
+ "evaluatedVersion": "0.0.0"
2334
+ }
2335
+ }
2336
+ },
2337
+ {
2338
+ "name": "privacy-engineering",
2339
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
2340
+ "version": "0.0.0",
2341
+ "license": "",
2342
+ "creator": "",
2343
+ "compatibility": "",
2344
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write", "WebSearch"],
2345
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
2346
+ "relPath": "skills/privacy-engineering",
2347
+ "verified": true,
2348
+ "tokenCount": 4610,
2349
+ "evalSummary": {
2350
+ "overallScore": 67,
2351
+ "grade": "C",
2352
+ "categories": [
2353
+ {
2354
+ "id": "structure",
2355
+ "name": "Structure & completeness",
2356
+ "score": 7,
2357
+ "max": 10
2358
+ },
2359
+ {
2360
+ "id": "description",
2361
+ "name": "Description quality",
2362
+ "score": 3,
2363
+ "max": 10
2364
+ },
2365
+ {
2366
+ "id": "prompt-engineering",
2367
+ "name": "Prompt engineering",
2368
+ "score": 5,
2369
+ "max": 10
2370
+ },
2371
+ {
2372
+ "id": "context-efficiency",
2373
+ "name": "Context efficiency",
2374
+ "score": 7,
2375
+ "max": 10
2376
+ },
2377
+ {
2378
+ "id": "safety",
2379
+ "name": "Safety & guardrails",
2380
+ "score": 10,
2381
+ "max": 10
2382
+ },
2383
+ {
2384
+ "id": "testability",
2385
+ "name": "Testability",
2386
+ "score": 5,
2387
+ "max": 10
2388
+ },
2389
+ {
2390
+ "id": "naming",
2391
+ "name": "Naming & conventions",
2392
+ "score": 10,
2393
+ "max": 10
2394
+ }
2395
+ ],
2396
+ "evaluatedAt": "2026-06-08T23:20:57.663Z",
2397
+ "evaluatedVersion": "0.0.0"
2398
+ },
2399
+ "evalSummaries": {
2400
+ "quality": {
2401
+ "providerId": "quality",
2402
+ "providerVersion": "1.0.0",
2403
+ "schemaVersion": 1,
2404
+ "passed": true,
2405
+ "overallScore": 67,
2406
+ "grade": "C",
2407
+ "categories": [
2408
+ {
2409
+ "id": "structure",
2410
+ "name": "Structure & completeness",
2411
+ "score": 7,
2412
+ "max": 10
2413
+ },
2414
+ {
2415
+ "id": "description",
2416
+ "name": "Description quality",
2417
+ "score": 3,
2418
+ "max": 10
2419
+ },
2420
+ {
2421
+ "id": "prompt-engineering",
2422
+ "name": "Prompt engineering",
2423
+ "score": 5,
2424
+ "max": 10
2425
+ },
2426
+ {
2427
+ "id": "context-efficiency",
2428
+ "name": "Context efficiency",
2429
+ "score": 7,
2430
+ "max": 10
2431
+ },
2432
+ {
2433
+ "id": "safety",
2434
+ "name": "Safety & guardrails",
2435
+ "score": 10,
2436
+ "max": 10
2437
+ },
2438
+ {
2439
+ "id": "testability",
2440
+ "name": "Testability",
2441
+ "score": 5,
2442
+ "max": 10
2443
+ },
2444
+ {
2445
+ "id": "naming",
2446
+ "name": "Naming & conventions",
2447
+ "score": 10,
2448
+ "max": 10
2449
+ }
2450
+ ],
2451
+ "evaluatedAt": "2026-06-08T23:20:57.663Z",
2452
+ "evaluatedVersion": "0.0.0"
2453
+ },
2454
+ "skill-best-practice": {
2455
+ "providerId": "skill-best-practice",
2456
+ "providerVersion": "1.1.0",
2457
+ "schemaVersion": 1,
2458
+ "passed": false,
2459
+ "overallScore": 69,
2460
+ "grade": "C",
2461
+ "categories": [
2462
+ {
2463
+ "id": "validation",
2464
+ "name": "Deterministic validation",
2465
+ "score": 9,
2466
+ "max": 13
2467
+ }
2468
+ ],
2469
+ "evaluatedAt": "2026-06-08T23:20:57.663Z",
2470
+ "evaluatedVersion": "0.0.0"
2471
+ }
2472
+ }
2473
+ },
2474
+ {
2475
+ "name": "prompt-injection",
2476
+ "description": "Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.",
2477
+ "version": "0.0.0",
2478
+ "license": "",
2479
+ "creator": "",
2480
+ "compatibility": "",
2481
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "Write", "WebSearch"],
2482
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/prompt-injection",
2483
+ "relPath": "skills/prompt-injection",
2484
+ "verified": true,
2485
+ "tokenCount": 3857,
2486
+ "evalSummary": {
2487
+ "overallScore": 73,
2488
+ "grade": "C",
2489
+ "categories": [
2490
+ {
2491
+ "id": "structure",
2492
+ "name": "Structure & completeness",
2493
+ "score": 7,
2494
+ "max": 10
2495
+ },
2496
+ {
2497
+ "id": "description",
2498
+ "name": "Description quality",
2499
+ "score": 6,
2500
+ "max": 10
2501
+ },
2502
+ {
2503
+ "id": "prompt-engineering",
2504
+ "name": "Prompt engineering",
2505
+ "score": 10,
2506
+ "max": 10
2507
+ },
2508
+ {
2509
+ "id": "context-efficiency",
2510
+ "name": "Context efficiency",
2511
+ "score": 8,
2512
+ "max": 10
2513
+ },
2514
+ {
2515
+ "id": "safety",
2516
+ "name": "Safety & guardrails",
2517
+ "score": 7,
2518
+ "max": 10
2519
+ },
2520
+ {
2521
+ "id": "testability",
2522
+ "name": "Testability",
2523
+ "score": 3,
2524
+ "max": 10
2525
+ },
2526
+ {
2527
+ "id": "naming",
2528
+ "name": "Naming & conventions",
2529
+ "score": 10,
2530
+ "max": 10
2531
+ }
2532
+ ],
2533
+ "evaluatedAt": "2026-06-08T23:20:57.666Z",
2534
+ "evaluatedVersion": "0.0.0"
2535
+ },
2536
+ "evalSummaries": {
2537
+ "quality": {
2538
+ "providerId": "quality",
2539
+ "providerVersion": "1.0.0",
2540
+ "schemaVersion": 1,
2541
+ "passed": true,
2542
+ "overallScore": 73,
2543
+ "grade": "C",
2544
+ "categories": [
2545
+ {
2546
+ "id": "structure",
2547
+ "name": "Structure & completeness",
2548
+ "score": 7,
2549
+ "max": 10
2550
+ },
2551
+ {
2552
+ "id": "description",
2553
+ "name": "Description quality",
2554
+ "score": 6,
2555
+ "max": 10
2556
+ },
2557
+ {
2558
+ "id": "prompt-engineering",
2559
+ "name": "Prompt engineering",
2560
+ "score": 10,
2561
+ "max": 10
2562
+ },
2563
+ {
2564
+ "id": "context-efficiency",
2565
+ "name": "Context efficiency",
2566
+ "score": 8,
2567
+ "max": 10
2568
+ },
2569
+ {
2570
+ "id": "safety",
2571
+ "name": "Safety & guardrails",
2572
+ "score": 7,
2573
+ "max": 10
2574
+ },
2575
+ {
2576
+ "id": "testability",
2577
+ "name": "Testability",
2578
+ "score": 3,
2579
+ "max": 10
2580
+ },
2581
+ {
2582
+ "id": "naming",
2583
+ "name": "Naming & conventions",
2584
+ "score": 10,
2585
+ "max": 10
2586
+ }
2587
+ ],
2588
+ "evaluatedAt": "2026-06-08T23:20:57.666Z",
2589
+ "evaluatedVersion": "0.0.0"
2590
+ },
2591
+ "skill-best-practice": {
2592
+ "providerId": "skill-best-practice",
2593
+ "providerVersion": "1.1.0",
2594
+ "schemaVersion": 1,
2595
+ "passed": false,
2596
+ "overallScore": 69,
2597
+ "grade": "C",
2598
+ "categories": [
2599
+ {
2600
+ "id": "validation",
2601
+ "name": "Deterministic validation",
2602
+ "score": 9,
2603
+ "max": 13
2604
+ }
2605
+ ],
2606
+ "evaluatedAt": "2026-06-08T23:20:57.666Z",
2607
+ "evaluatedVersion": "0.0.0"
2608
+ }
2609
+ }
2610
+ },
2611
+ {
2612
+ "name": "recon",
2613
+ "description": "Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.",
2614
+ "version": "0.0.0",
2615
+ "license": "",
2616
+ "creator": "",
2617
+ "compatibility": "",
2618
+ "allowedTools": ["Bash", "Read", "Write", "WebSearch", "WebFetch"],
2619
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/recon",
2620
+ "relPath": "skills/recon",
2621
+ "verified": true,
2622
+ "tokenCount": 1116,
2623
+ "evalSummary": {
2624
+ "overallScore": 63,
2625
+ "grade": "D",
2626
+ "categories": [
2627
+ {
2628
+ "id": "structure",
2629
+ "name": "Structure & completeness",
2630
+ "score": 7,
2631
+ "max": 10
2632
+ },
2633
+ {
2634
+ "id": "description",
2635
+ "name": "Description quality",
2636
+ "score": 5,
2637
+ "max": 10
2638
+ },
2639
+ {
2640
+ "id": "prompt-engineering",
2641
+ "name": "Prompt engineering",
2642
+ "score": 6,
2643
+ "max": 10
2644
+ },
2645
+ {
2646
+ "id": "context-efficiency",
2647
+ "name": "Context efficiency",
2648
+ "score": 9,
2649
+ "max": 10
2650
+ },
2651
+ {
2652
+ "id": "safety",
2653
+ "name": "Safety & guardrails",
2654
+ "score": 4,
2655
+ "max": 10
2656
+ },
2657
+ {
2658
+ "id": "testability",
2659
+ "name": "Testability",
2660
+ "score": 3,
2661
+ "max": 10
2662
+ },
2663
+ {
2664
+ "id": "naming",
2665
+ "name": "Naming & conventions",
2666
+ "score": 10,
2667
+ "max": 10
2668
+ }
2669
+ ],
2670
+ "evaluatedAt": "2026-06-08T23:20:57.667Z",
2671
+ "evaluatedVersion": "0.0.0"
2672
+ },
2673
+ "evalSummaries": {
2674
+ "quality": {
2675
+ "providerId": "quality",
2676
+ "providerVersion": "1.0.0",
2677
+ "schemaVersion": 1,
2678
+ "passed": true,
2679
+ "overallScore": 63,
2680
+ "grade": "D",
2681
+ "categories": [
2682
+ {
2683
+ "id": "structure",
2684
+ "name": "Structure & completeness",
2685
+ "score": 7,
2686
+ "max": 10
2687
+ },
2688
+ {
2689
+ "id": "description",
2690
+ "name": "Description quality",
2691
+ "score": 5,
2692
+ "max": 10
2693
+ },
2694
+ {
2695
+ "id": "prompt-engineering",
2696
+ "name": "Prompt engineering",
2697
+ "score": 6,
2698
+ "max": 10
2699
+ },
2700
+ {
2701
+ "id": "context-efficiency",
2702
+ "name": "Context efficiency",
2703
+ "score": 9,
2704
+ "max": 10
2705
+ },
2706
+ {
2707
+ "id": "safety",
2708
+ "name": "Safety & guardrails",
2709
+ "score": 4,
2710
+ "max": 10
2711
+ },
2712
+ {
2713
+ "id": "testability",
2714
+ "name": "Testability",
2715
+ "score": 3,
2716
+ "max": 10
2717
+ },
2718
+ {
2719
+ "id": "naming",
2720
+ "name": "Naming & conventions",
2721
+ "score": 10,
2722
+ "max": 10
2723
+ }
2724
+ ],
2725
+ "evaluatedAt": "2026-06-08T23:20:57.667Z",
2726
+ "evaluatedVersion": "0.0.0"
2727
+ },
2728
+ "skill-best-practice": {
2729
+ "providerId": "skill-best-practice",
2730
+ "providerVersion": "1.1.0",
2731
+ "schemaVersion": 1,
2732
+ "passed": false,
2733
+ "overallScore": 69,
2734
+ "grade": "C",
2735
+ "categories": [
2736
+ {
2737
+ "id": "validation",
2738
+ "name": "Deterministic validation",
2739
+ "score": 9,
2740
+ "max": 13
2741
+ }
2742
+ ],
2743
+ "evaluatedAt": "2026-06-08T23:20:57.667Z",
2744
+ "evaluatedVersion": "0.0.0"
2745
+ }
2746
+ }
2747
+ },
2748
+ {
2749
+ "name": "red-team-engagement",
2750
+ "description": "Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.",
2751
+ "version": "0.0.0",
2752
+ "license": "",
2753
+ "creator": "",
2754
+ "compatibility": "",
2755
+ "allowedTools": ["Read", "Write", "Bash", "Grep", "Glob", "WebSearch"],
2756
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/red-team-engagement",
2757
+ "relPath": "skills/red-team-engagement",
2758
+ "verified": true,
2759
+ "tokenCount": 4497,
2760
+ "evalSummary": {
2761
+ "overallScore": 77,
2762
+ "grade": "C",
2763
+ "categories": [
2764
+ {
2765
+ "id": "structure",
2766
+ "name": "Structure & completeness",
2767
+ "score": 7,
2768
+ "max": 10
2769
+ },
2770
+ {
2771
+ "id": "description",
2772
+ "name": "Description quality",
2773
+ "score": 6,
2774
+ "max": 10
2775
+ },
2776
+ {
2777
+ "id": "prompt-engineering",
2778
+ "name": "Prompt engineering",
2779
+ "score": 8,
2780
+ "max": 10
2781
+ },
2782
+ {
2783
+ "id": "context-efficiency",
2784
+ "name": "Context efficiency",
2785
+ "score": 8,
2786
+ "max": 10
2787
+ },
2788
+ {
2789
+ "id": "safety",
2790
+ "name": "Safety & guardrails",
2791
+ "score": 10,
2792
+ "max": 10
2793
+ },
2794
+ {
2795
+ "id": "testability",
2796
+ "name": "Testability",
2797
+ "score": 5,
2798
+ "max": 10
2799
+ },
2800
+ {
2801
+ "id": "naming",
2802
+ "name": "Naming & conventions",
2803
+ "score": 10,
2804
+ "max": 10
2805
+ }
2806
+ ],
2807
+ "evaluatedAt": "2026-06-08T23:20:57.669Z",
2808
+ "evaluatedVersion": "0.0.0"
2809
+ },
2810
+ "evalSummaries": {
2811
+ "quality": {
2812
+ "providerId": "quality",
2813
+ "providerVersion": "1.0.0",
2814
+ "schemaVersion": 1,
2815
+ "passed": true,
2816
+ "overallScore": 77,
2817
+ "grade": "C",
2818
+ "categories": [
2819
+ {
2820
+ "id": "structure",
2821
+ "name": "Structure & completeness",
2822
+ "score": 7,
2823
+ "max": 10
2824
+ },
2825
+ {
2826
+ "id": "description",
2827
+ "name": "Description quality",
2828
+ "score": 6,
2829
+ "max": 10
2830
+ },
2831
+ {
2832
+ "id": "prompt-engineering",
2833
+ "name": "Prompt engineering",
2834
+ "score": 8,
2835
+ "max": 10
2836
+ },
2837
+ {
2838
+ "id": "context-efficiency",
2839
+ "name": "Context efficiency",
2840
+ "score": 8,
2841
+ "max": 10
2842
+ },
2843
+ {
2844
+ "id": "safety",
2845
+ "name": "Safety & guardrails",
2846
+ "score": 10,
2847
+ "max": 10
2848
+ },
2849
+ {
2850
+ "id": "testability",
2851
+ "name": "Testability",
2852
+ "score": 5,
2853
+ "max": 10
2854
+ },
2855
+ {
2856
+ "id": "naming",
2857
+ "name": "Naming & conventions",
2858
+ "score": 10,
2859
+ "max": 10
2860
+ }
2861
+ ],
2862
+ "evaluatedAt": "2026-06-08T23:20:57.669Z",
2863
+ "evaluatedVersion": "0.0.0"
2864
+ },
2865
+ "skill-best-practice": {
2866
+ "providerId": "skill-best-practice",
2867
+ "providerVersion": "1.1.0",
2868
+ "schemaVersion": 1,
2869
+ "passed": false,
2870
+ "overallScore": 69,
2871
+ "grade": "C",
2872
+ "categories": [
2873
+ {
2874
+ "id": "validation",
2875
+ "name": "Deterministic validation",
2876
+ "score": 9,
2877
+ "max": 13
2878
+ }
2879
+ ],
2880
+ "evaluatedAt": "2026-06-08T23:20:57.669Z",
2881
+ "evaluatedVersion": "0.0.0"
2882
+ }
2883
+ }
2884
+ },
2885
+ {
2886
+ "name": "secrets-audit",
2887
+ "description": "Find leaked secrets in source code, Git history, build artifacts, and infrastructure — and audit the secrets-management posture preventing future leaks. Use when the user mentions 'secrets audit,' 'secret scanning,' 'leaked credentials,' 'API key in code,' 'gitleaks,' 'trufflehog,' 'git history scan,' 'secrets management,' 'vault audit,' 'rotation policy,' 'AWS Secrets Manager,' 'HashiCorp Vault,' 'Doppler,' '1Password Secrets Automation,' 'sealed-secrets,' 'External Secrets Operator,' or needs to find or prevent credential exposure.",
2888
+ "version": "0.0.0",
2889
+ "license": "",
2890
+ "creator": "",
2891
+ "compatibility": "",
2892
+ "allowedTools": ["Bash", "Read", "Write", "Grep", "Glob", "WebSearch"],
2893
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/secrets-audit",
2894
+ "relPath": "skills/secrets-audit",
2895
+ "verified": true,
2896
+ "tokenCount": 2966,
2897
+ "evalSummary": {
2898
+ "overallScore": 79,
2899
+ "grade": "C",
2900
+ "categories": [
2901
+ {
2902
+ "id": "structure",
2903
+ "name": "Structure & completeness",
2904
+ "score": 7,
2905
+ "max": 10
2906
+ },
2907
+ {
2908
+ "id": "description",
2909
+ "name": "Description quality",
2910
+ "score": 6,
2911
+ "max": 10
2912
+ },
2913
+ {
2914
+ "id": "prompt-engineering",
2915
+ "name": "Prompt engineering",
2916
+ "score": 7,
2917
+ "max": 10
2918
+ },
2919
+ {
2920
+ "id": "context-efficiency",
2921
+ "name": "Context efficiency",
2922
+ "score": 10,
2923
+ "max": 10
2924
+ },
2925
+ {
2926
+ "id": "safety",
2927
+ "name": "Safety & guardrails",
2928
+ "score": 10,
2929
+ "max": 10
2930
+ },
2931
+ {
2932
+ "id": "testability",
2933
+ "name": "Testability",
2934
+ "score": 5,
2935
+ "max": 10
2936
+ },
2937
+ {
2938
+ "id": "naming",
2939
+ "name": "Naming & conventions",
2940
+ "score": 10,
2941
+ "max": 10
2942
+ }
2943
+ ],
2944
+ "evaluatedAt": "2026-06-08T23:20:57.671Z",
2945
+ "evaluatedVersion": "0.0.0"
2946
+ },
2947
+ "evalSummaries": {
2948
+ "quality": {
2949
+ "providerId": "quality",
2950
+ "providerVersion": "1.0.0",
2951
+ "schemaVersion": 1,
2952
+ "passed": true,
2953
+ "overallScore": 79,
2954
+ "grade": "C",
2955
+ "categories": [
2956
+ {
2957
+ "id": "structure",
2958
+ "name": "Structure & completeness",
2959
+ "score": 7,
2960
+ "max": 10
2961
+ },
2962
+ {
2963
+ "id": "description",
2964
+ "name": "Description quality",
2965
+ "score": 6,
2966
+ "max": 10
2967
+ },
2968
+ {
2969
+ "id": "prompt-engineering",
2970
+ "name": "Prompt engineering",
2971
+ "score": 7,
2972
+ "max": 10
2973
+ },
2974
+ {
2975
+ "id": "context-efficiency",
2976
+ "name": "Context efficiency",
2977
+ "score": 10,
2978
+ "max": 10
2979
+ },
2980
+ {
2981
+ "id": "safety",
2982
+ "name": "Safety & guardrails",
2983
+ "score": 10,
2984
+ "max": 10
2985
+ },
2986
+ {
2987
+ "id": "testability",
2988
+ "name": "Testability",
2989
+ "score": 5,
2990
+ "max": 10
2991
+ },
2992
+ {
2993
+ "id": "naming",
2994
+ "name": "Naming & conventions",
2995
+ "score": 10,
2996
+ "max": 10
2997
+ }
2998
+ ],
2999
+ "evaluatedAt": "2026-06-08T23:20:57.671Z",
3000
+ "evaluatedVersion": "0.0.0"
3001
+ },
3002
+ "skill-best-practice": {
3003
+ "providerId": "skill-best-practice",
3004
+ "providerVersion": "1.1.0",
3005
+ "schemaVersion": 1,
3006
+ "passed": false,
3007
+ "overallScore": 69,
3008
+ "grade": "C",
3009
+ "categories": [
3010
+ {
3011
+ "id": "validation",
3012
+ "name": "Deterministic validation",
3013
+ "score": 9,
3014
+ "max": 13
3015
+ }
3016
+ ],
3017
+ "evaluatedAt": "2026-06-08T23:20:57.671Z",
3018
+ "evaluatedVersion": "0.0.0"
3019
+ }
3020
+ }
3021
+ },
3022
+ {
3023
+ "name": "security-comms",
3024
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
3025
+ "version": "0.0.0",
3026
+ "license": "",
3027
+ "creator": "",
3028
+ "compatibility": "",
3029
+ "allowedTools": ["Read", "Write", "WebSearch"],
3030
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
3031
+ "relPath": "skills/security-comms",
3032
+ "verified": true,
3033
+ "tokenCount": 4344,
3034
+ "evalSummary": {
3035
+ "overallScore": 76,
3036
+ "grade": "C",
3037
+ "categories": [
3038
+ {
3039
+ "id": "structure",
3040
+ "name": "Structure & completeness",
3041
+ "score": 7,
3042
+ "max": 10
3043
+ },
3044
+ {
3045
+ "id": "description",
3046
+ "name": "Description quality",
3047
+ "score": 6,
3048
+ "max": 10
3049
+ },
3050
+ {
3051
+ "id": "prompt-engineering",
3052
+ "name": "Prompt engineering",
3053
+ "score": 8,
3054
+ "max": 10
3055
+ },
3056
+ {
3057
+ "id": "context-efficiency",
3058
+ "name": "Context efficiency",
3059
+ "score": 8,
3060
+ "max": 10
3061
+ },
3062
+ {
3063
+ "id": "safety",
3064
+ "name": "Safety & guardrails",
3065
+ "score": 9,
3066
+ "max": 10
3067
+ },
3068
+ {
3069
+ "id": "testability",
3070
+ "name": "Testability",
3071
+ "score": 5,
3072
+ "max": 10
3073
+ },
3074
+ {
3075
+ "id": "naming",
3076
+ "name": "Naming & conventions",
3077
+ "score": 10,
3078
+ "max": 10
3079
+ }
3080
+ ],
3081
+ "evaluatedAt": "2026-06-08T23:20:57.673Z",
3082
+ "evaluatedVersion": "0.0.0"
3083
+ },
3084
+ "evalSummaries": {
3085
+ "quality": {
3086
+ "providerId": "quality",
3087
+ "providerVersion": "1.0.0",
3088
+ "schemaVersion": 1,
3089
+ "passed": true,
3090
+ "overallScore": 76,
3091
+ "grade": "C",
3092
+ "categories": [
3093
+ {
3094
+ "id": "structure",
3095
+ "name": "Structure & completeness",
3096
+ "score": 7,
3097
+ "max": 10
3098
+ },
3099
+ {
3100
+ "id": "description",
3101
+ "name": "Description quality",
3102
+ "score": 6,
3103
+ "max": 10
3104
+ },
3105
+ {
3106
+ "id": "prompt-engineering",
3107
+ "name": "Prompt engineering",
3108
+ "score": 8,
3109
+ "max": 10
3110
+ },
3111
+ {
3112
+ "id": "context-efficiency",
3113
+ "name": "Context efficiency",
3114
+ "score": 8,
3115
+ "max": 10
3116
+ },
3117
+ {
3118
+ "id": "safety",
3119
+ "name": "Safety & guardrails",
3120
+ "score": 9,
3121
+ "max": 10
3122
+ },
3123
+ {
3124
+ "id": "testability",
3125
+ "name": "Testability",
3126
+ "score": 5,
3127
+ "max": 10
3128
+ },
3129
+ {
3130
+ "id": "naming",
3131
+ "name": "Naming & conventions",
3132
+ "score": 10,
3133
+ "max": 10
3134
+ }
3135
+ ],
3136
+ "evaluatedAt": "2026-06-08T23:20:57.673Z",
3137
+ "evaluatedVersion": "0.0.0"
3138
+ },
3139
+ "skill-best-practice": {
3140
+ "providerId": "skill-best-practice",
3141
+ "providerVersion": "1.1.0",
3142
+ "schemaVersion": 1,
3143
+ "passed": false,
3144
+ "overallScore": 69,
3145
+ "grade": "C",
3146
+ "categories": [
3147
+ {
3148
+ "id": "validation",
3149
+ "name": "Deterministic validation",
3150
+ "score": 9,
3151
+ "max": 13
3152
+ }
3153
+ ],
3154
+ "evaluatedAt": "2026-06-08T23:20:57.673Z",
3155
+ "evaluatedVersion": "0.0.0"
3156
+ }
3157
+ }
3158
+ },
3159
+ {
3160
+ "name": "siem-detection",
3161
+ "description": "Engineer and audit SIEM detection rules — log source coverage, Sigma / KQL / SPL / Elastic query authoring, MITRE ATT&CK mapping, false-positive tuning, and detection-as-code workflows. Use when the user mentions 'SIEM,' 'detection engineering,' 'detection rules,' 'Sigma,' 'KQL,' 'SPL,' 'Splunk,' 'Sentinel,' 'Elastic,' 'Wazuh,' 'Chronicle,' 'detection-as-code,' 'MITRE ATT&CK mapping,' 'log coverage,' 'alert tuning,' 'use case development,' or needs help building or improving security detections.",
3162
+ "version": "0.0.0",
3163
+ "license": "",
3164
+ "creator": "",
3165
+ "compatibility": "",
3166
+ "allowedTools": ["Read", "Write", "Bash", "Grep", "Glob", "WebSearch"],
3167
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/siem-detection",
3168
+ "relPath": "skills/siem-detection",
3169
+ "verified": true,
3170
+ "tokenCount": 2928,
3171
+ "evalSummary": {
3172
+ "overallScore": 67,
3173
+ "grade": "C",
3174
+ "categories": [
3175
+ {
3176
+ "id": "structure",
3177
+ "name": "Structure & completeness",
3178
+ "score": 7,
3179
+ "max": 10
3180
+ },
3181
+ {
3182
+ "id": "description",
3183
+ "name": "Description quality",
3184
+ "score": 3,
3185
+ "max": 10
3186
+ },
3187
+ {
3188
+ "id": "prompt-engineering",
3189
+ "name": "Prompt engineering",
3190
+ "score": 7,
3191
+ "max": 10
3192
+ },
3193
+ {
3194
+ "id": "context-efficiency",
3195
+ "name": "Context efficiency",
3196
+ "score": 9,
3197
+ "max": 10
3198
+ },
3199
+ {
3200
+ "id": "safety",
3201
+ "name": "Safety & guardrails",
3202
+ "score": 6,
3203
+ "max": 10
3204
+ },
3205
+ {
3206
+ "id": "testability",
3207
+ "name": "Testability",
3208
+ "score": 5,
3209
+ "max": 10
3210
+ },
3211
+ {
3212
+ "id": "naming",
3213
+ "name": "Naming & conventions",
3214
+ "score": 10,
3215
+ "max": 10
3216
+ }
3217
+ ],
3218
+ "evaluatedAt": "2026-06-08T23:20:57.675Z",
3219
+ "evaluatedVersion": "0.0.0"
3220
+ },
3221
+ "evalSummaries": {
3222
+ "quality": {
3223
+ "providerId": "quality",
3224
+ "providerVersion": "1.0.0",
3225
+ "schemaVersion": 1,
3226
+ "passed": true,
3227
+ "overallScore": 67,
3228
+ "grade": "C",
3229
+ "categories": [
3230
+ {
3231
+ "id": "structure",
3232
+ "name": "Structure & completeness",
3233
+ "score": 7,
3234
+ "max": 10
3235
+ },
3236
+ {
3237
+ "id": "description",
3238
+ "name": "Description quality",
3239
+ "score": 3,
3240
+ "max": 10
3241
+ },
3242
+ {
3243
+ "id": "prompt-engineering",
3244
+ "name": "Prompt engineering",
3245
+ "score": 7,
3246
+ "max": 10
3247
+ },
3248
+ {
3249
+ "id": "context-efficiency",
3250
+ "name": "Context efficiency",
3251
+ "score": 9,
3252
+ "max": 10
3253
+ },
3254
+ {
3255
+ "id": "safety",
3256
+ "name": "Safety & guardrails",
3257
+ "score": 6,
3258
+ "max": 10
3259
+ },
3260
+ {
3261
+ "id": "testability",
3262
+ "name": "Testability",
3263
+ "score": 5,
3264
+ "max": 10
3265
+ },
3266
+ {
3267
+ "id": "naming",
3268
+ "name": "Naming & conventions",
3269
+ "score": 10,
3270
+ "max": 10
3271
+ }
3272
+ ],
3273
+ "evaluatedAt": "2026-06-08T23:20:57.676Z",
3274
+ "evaluatedVersion": "0.0.0"
3275
+ },
3276
+ "skill-best-practice": {
3277
+ "providerId": "skill-best-practice",
3278
+ "providerVersion": "1.1.0",
3279
+ "schemaVersion": 1,
3280
+ "passed": false,
3281
+ "overallScore": 69,
3282
+ "grade": "C",
3283
+ "categories": [
3284
+ {
3285
+ "id": "validation",
3286
+ "name": "Deterministic validation",
3287
+ "score": 9,
3288
+ "max": 13
3289
+ }
3290
+ ],
3291
+ "evaluatedAt": "2026-06-08T23:20:57.676Z",
3292
+ "evaluatedVersion": "0.0.0"
3293
+ }
3294
+ }
3295
+ },
3296
+ {
3297
+ "name": "soc-operations",
3298
+ "description": "Build, run, and improve a Security Operations Center — alert prioritization, runbook authoring, escalation criteria, on-call structure, alert tuning workflow, MTTD / MTTR / fidelity KPIs, analyst tiering, and shift handoffs. Use when the user mentions 'SOC,' 'security operations,' 'SOC analyst,' 'alert triage workflow,' 'runbook,' 'escalation,' 'on-call,' 'SOC tiering,' 'tier 1 / tier 2,' 'MTTD,' 'MTTR,' 'alert fatigue,' 'alert tuning,' 'shift handoff,' 'SOAR,' or wants to design or improve a security operations team.",
3299
+ "version": "0.0.0",
3300
+ "license": "",
3301
+ "creator": "",
3302
+ "compatibility": "",
3303
+ "allowedTools": ["Read", "Write", "Grep", "Glob", "WebSearch"],
3304
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/soc-operations",
3305
+ "relPath": "skills/soc-operations",
3306
+ "verified": true,
3307
+ "tokenCount": 3618,
3308
+ "evalSummary": {
3309
+ "overallScore": 70,
3310
+ "grade": "C",
3311
+ "categories": [
3312
+ {
3313
+ "id": "structure",
3314
+ "name": "Structure & completeness",
3315
+ "score": 7,
3316
+ "max": 10
3317
+ },
3318
+ {
3319
+ "id": "description",
3320
+ "name": "Description quality",
3321
+ "score": 6,
3322
+ "max": 10
3323
+ },
3324
+ {
3325
+ "id": "prompt-engineering",
3326
+ "name": "Prompt engineering",
3327
+ "score": 8,
3328
+ "max": 10
3329
+ },
3330
+ {
3331
+ "id": "context-efficiency",
3332
+ "name": "Context efficiency",
3333
+ "score": 7,
3334
+ "max": 10
3335
+ },
3336
+ {
3337
+ "id": "safety",
3338
+ "name": "Safety & guardrails",
3339
+ "score": 9,
3340
+ "max": 10
3341
+ },
3342
+ {
3343
+ "id": "testability",
3344
+ "name": "Testability",
3345
+ "score": 2,
3346
+ "max": 10
3347
+ },
3348
+ {
3349
+ "id": "naming",
3350
+ "name": "Naming & conventions",
3351
+ "score": 10,
3352
+ "max": 10
3353
+ }
3354
+ ],
3355
+ "evaluatedAt": "2026-06-08T23:20:57.678Z",
3356
+ "evaluatedVersion": "0.0.0"
3357
+ },
3358
+ "evalSummaries": {
3359
+ "quality": {
3360
+ "providerId": "quality",
3361
+ "providerVersion": "1.0.0",
3362
+ "schemaVersion": 1,
3363
+ "passed": true,
3364
+ "overallScore": 70,
3365
+ "grade": "C",
3366
+ "categories": [
3367
+ {
3368
+ "id": "structure",
3369
+ "name": "Structure & completeness",
3370
+ "score": 7,
3371
+ "max": 10
3372
+ },
3373
+ {
3374
+ "id": "description",
3375
+ "name": "Description quality",
3376
+ "score": 6,
3377
+ "max": 10
3378
+ },
3379
+ {
3380
+ "id": "prompt-engineering",
3381
+ "name": "Prompt engineering",
3382
+ "score": 8,
3383
+ "max": 10
3384
+ },
3385
+ {
3386
+ "id": "context-efficiency",
3387
+ "name": "Context efficiency",
3388
+ "score": 7,
3389
+ "max": 10
3390
+ },
3391
+ {
3392
+ "id": "safety",
3393
+ "name": "Safety & guardrails",
3394
+ "score": 9,
3395
+ "max": 10
3396
+ },
3397
+ {
3398
+ "id": "testability",
3399
+ "name": "Testability",
3400
+ "score": 2,
3401
+ "max": 10
3402
+ },
3403
+ {
3404
+ "id": "naming",
3405
+ "name": "Naming & conventions",
3406
+ "score": 10,
3407
+ "max": 10
3408
+ }
3409
+ ],
3410
+ "evaluatedAt": "2026-06-08T23:20:57.678Z",
3411
+ "evaluatedVersion": "0.0.0"
3412
+ },
3413
+ "skill-best-practice": {
3414
+ "providerId": "skill-best-practice",
3415
+ "providerVersion": "1.1.0",
3416
+ "schemaVersion": 1,
3417
+ "passed": false,
3418
+ "overallScore": 69,
3419
+ "grade": "C",
3420
+ "categories": [
3421
+ {
3422
+ "id": "validation",
3423
+ "name": "Deterministic validation",
3424
+ "score": 9,
3425
+ "max": 13
3426
+ }
3427
+ ],
3428
+ "evaluatedAt": "2026-06-08T23:20:57.678Z",
3429
+ "evaluatedVersion": "0.0.0"
3430
+ }
3431
+ }
3432
+ },
3433
+ {
3434
+ "name": "threat-hunting",
3435
+ "description": "Conduct proactive, hypothesis-driven threat hunts — search SIEM / EDR / logs for adversaries who haven't tripped an alert yet. ATT&CK-driven, hypothesis-based methodology. Use when the user mentions 'threat hunting,' 'proactive hunt,' 'TaHiTI,' 'PEAK framework,' 'MITRE ATT&CK hunt,' 'hypothesis-driven hunt,' 'hunt hypothesis,' 'living off the land,' 'LOLBins,' 'beaconing,' 'lateral movement detection,' 'data staging,' 'persistence hunting,' or wants to find threats that have evaded existing detections.",
3436
+ "version": "0.0.0",
3437
+ "license": "",
3438
+ "creator": "",
3439
+ "compatibility": "",
3440
+ "allowedTools": ["Read", "Write", "Bash", "Grep", "Glob", "WebSearch"],
3441
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-hunting",
3442
+ "relPath": "skills/threat-hunting",
3443
+ "verified": true,
3444
+ "tokenCount": 3126,
3445
+ "evalSummary": {
3446
+ "overallScore": 63,
3447
+ "grade": "D",
3448
+ "categories": [
3449
+ {
3450
+ "id": "structure",
3451
+ "name": "Structure & completeness",
3452
+ "score": 7,
3453
+ "max": 10
3454
+ },
3455
+ {
3456
+ "id": "description",
3457
+ "name": "Description quality",
3458
+ "score": 3,
3459
+ "max": 10
3460
+ },
3461
+ {
3462
+ "id": "prompt-engineering",
3463
+ "name": "Prompt engineering",
3464
+ "score": 5,
3465
+ "max": 10
3466
+ },
3467
+ {
3468
+ "id": "context-efficiency",
3469
+ "name": "Context efficiency",
3470
+ "score": 7,
3471
+ "max": 10
3472
+ },
3473
+ {
3474
+ "id": "safety",
3475
+ "name": "Safety & guardrails",
3476
+ "score": 9,
3477
+ "max": 10
3478
+ },
3479
+ {
3480
+ "id": "testability",
3481
+ "name": "Testability",
3482
+ "score": 3,
3483
+ "max": 10
3484
+ },
3485
+ {
3486
+ "id": "naming",
3487
+ "name": "Naming & conventions",
3488
+ "score": 10,
3489
+ "max": 10
3490
+ }
3491
+ ],
3492
+ "evaluatedAt": "2026-06-08T23:20:57.679Z",
3493
+ "evaluatedVersion": "0.0.0"
3494
+ },
3495
+ "evalSummaries": {
3496
+ "quality": {
3497
+ "providerId": "quality",
3498
+ "providerVersion": "1.0.0",
3499
+ "schemaVersion": 1,
3500
+ "passed": true,
3501
+ "overallScore": 63,
3502
+ "grade": "D",
3503
+ "categories": [
3504
+ {
3505
+ "id": "structure",
3506
+ "name": "Structure & completeness",
3507
+ "score": 7,
3508
+ "max": 10
3509
+ },
3510
+ {
3511
+ "id": "description",
3512
+ "name": "Description quality",
3513
+ "score": 3,
3514
+ "max": 10
3515
+ },
3516
+ {
3517
+ "id": "prompt-engineering",
3518
+ "name": "Prompt engineering",
3519
+ "score": 5,
3520
+ "max": 10
3521
+ },
3522
+ {
3523
+ "id": "context-efficiency",
3524
+ "name": "Context efficiency",
3525
+ "score": 7,
3526
+ "max": 10
3527
+ },
3528
+ {
3529
+ "id": "safety",
3530
+ "name": "Safety & guardrails",
3531
+ "score": 9,
3532
+ "max": 10
3533
+ },
3534
+ {
3535
+ "id": "testability",
3536
+ "name": "Testability",
3537
+ "score": 3,
3538
+ "max": 10
3539
+ },
3540
+ {
3541
+ "id": "naming",
3542
+ "name": "Naming & conventions",
3543
+ "score": 10,
3544
+ "max": 10
3545
+ }
3546
+ ],
3547
+ "evaluatedAt": "2026-06-08T23:20:57.679Z",
3548
+ "evaluatedVersion": "0.0.0"
3549
+ },
3550
+ "skill-best-practice": {
3551
+ "providerId": "skill-best-practice",
3552
+ "providerVersion": "1.1.0",
3553
+ "schemaVersion": 1,
3554
+ "passed": false,
3555
+ "overallScore": 69,
3556
+ "grade": "C",
3557
+ "categories": [
3558
+ {
3559
+ "id": "validation",
3560
+ "name": "Deterministic validation",
3561
+ "score": 9,
3562
+ "max": 13
3563
+ }
3564
+ ],
3565
+ "evaluatedAt": "2026-06-08T23:20:57.679Z",
3566
+ "evaluatedVersion": "0.0.0"
3567
+ }
3568
+ }
3569
+ },
3570
+ {
3571
+ "name": "threat-modeling",
3572
+ "description": "Run a structured threat-modeling session for a new feature, system, or architecture — STRIDE, attack trees, data flow diagrams, abuse cases. Use when the user mentions 'threat model,' 'threat modeling,' 'STRIDE,' 'attack tree,' 'abuse case,' 'data flow diagram,' 'DFD,' 'security architecture review,' 'security review,' 'design review,' 'pre-implementation security,' 'shift left,' 'what could go wrong,' or needs strategic security thinking before code is written.",
3573
+ "version": "0.0.0",
3574
+ "license": "",
3575
+ "creator": "",
3576
+ "compatibility": "",
3577
+ "allowedTools": ["Read", "Write", "Grep", "Glob", "WebSearch"],
3578
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-modeling",
3579
+ "relPath": "skills/threat-modeling",
3580
+ "verified": true,
3581
+ "tokenCount": 3276,
3582
+ "evalSummary": {
3583
+ "overallScore": 69,
3584
+ "grade": "C",
3585
+ "categories": [
3586
+ {
3587
+ "id": "structure",
3588
+ "name": "Structure & completeness",
3589
+ "score": 7,
3590
+ "max": 10
3591
+ },
3592
+ {
3593
+ "id": "description",
3594
+ "name": "Description quality",
3595
+ "score": 6,
3596
+ "max": 10
3597
+ },
3598
+ {
3599
+ "id": "prompt-engineering",
3600
+ "name": "Prompt engineering",
3601
+ "score": 6,
3602
+ "max": 10
3603
+ },
3604
+ {
3605
+ "id": "context-efficiency",
3606
+ "name": "Context efficiency",
3607
+ "score": 8,
3608
+ "max": 10
3609
+ },
3610
+ {
3611
+ "id": "safety",
3612
+ "name": "Safety & guardrails",
3613
+ "score": 6,
3614
+ "max": 10
3615
+ },
3616
+ {
3617
+ "id": "testability",
3618
+ "name": "Testability",
3619
+ "score": 5,
3620
+ "max": 10
3621
+ },
3622
+ {
3623
+ "id": "naming",
3624
+ "name": "Naming & conventions",
3625
+ "score": 10,
3626
+ "max": 10
3627
+ }
3628
+ ],
3629
+ "evaluatedAt": "2026-06-08T23:20:57.681Z",
3630
+ "evaluatedVersion": "0.0.0"
3631
+ },
3632
+ "evalSummaries": {
3633
+ "quality": {
3634
+ "providerId": "quality",
3635
+ "providerVersion": "1.0.0",
3636
+ "schemaVersion": 1,
3637
+ "passed": true,
3638
+ "overallScore": 69,
3639
+ "grade": "C",
3640
+ "categories": [
3641
+ {
3642
+ "id": "structure",
3643
+ "name": "Structure & completeness",
3644
+ "score": 7,
3645
+ "max": 10
3646
+ },
3647
+ {
3648
+ "id": "description",
3649
+ "name": "Description quality",
3650
+ "score": 6,
3651
+ "max": 10
3652
+ },
3653
+ {
3654
+ "id": "prompt-engineering",
3655
+ "name": "Prompt engineering",
3656
+ "score": 6,
3657
+ "max": 10
3658
+ },
3659
+ {
3660
+ "id": "context-efficiency",
3661
+ "name": "Context efficiency",
3662
+ "score": 8,
3663
+ "max": 10
3664
+ },
3665
+ {
3666
+ "id": "safety",
3667
+ "name": "Safety & guardrails",
3668
+ "score": 6,
3669
+ "max": 10
3670
+ },
3671
+ {
3672
+ "id": "testability",
3673
+ "name": "Testability",
3674
+ "score": 5,
3675
+ "max": 10
3676
+ },
3677
+ {
3678
+ "id": "naming",
3679
+ "name": "Naming & conventions",
3680
+ "score": 10,
3681
+ "max": 10
3682
+ }
3683
+ ],
3684
+ "evaluatedAt": "2026-06-08T23:20:57.681Z",
3685
+ "evaluatedVersion": "0.0.0"
3686
+ },
3687
+ "skill-best-practice": {
3688
+ "providerId": "skill-best-practice",
3689
+ "providerVersion": "1.1.0",
3690
+ "schemaVersion": 1,
3691
+ "passed": false,
3692
+ "overallScore": 69,
3693
+ "grade": "C",
3694
+ "categories": [
3695
+ {
3696
+ "id": "validation",
3697
+ "name": "Deterministic validation",
3698
+ "score": 9,
3699
+ "max": 13
3700
+ }
3701
+ ],
3702
+ "evaluatedAt": "2026-06-08T23:20:57.681Z",
3703
+ "evaluatedVersion": "0.0.0"
3704
+ }
3705
+ }
3706
+ },
3707
+ {
3708
+ "name": "vuln-research",
3709
+ "description": "Research a specific CVE or vulnerability disclosure end-to-end — what version is affected, is your code reachable, is there a public PoC, is there a patch, what's the exposure window, what's the mitigation if you can't patch immediately. Use when the user mentions 'CVE,' 'vulnerability research,' 'is this CVE relevant,' 'zero-day,' 'CISA KEV,' 'GitHub Security Advisory,' 'reachability analysis,' 'patch analysis,' 'exploit availability,' 'EPSS,' 'CVSS,' or 'should we drop everything and patch this.'",
3710
+ "version": "0.0.0",
3711
+ "license": "",
3712
+ "creator": "",
3713
+ "compatibility": "",
3714
+ "allowedTools": ["Read", "Grep", "Glob", "Bash", "WebSearch", "WebFetch"],
3715
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/vuln-research",
3716
+ "relPath": "skills/vuln-research",
3717
+ "verified": true,
3718
+ "tokenCount": 3040,
3719
+ "evalSummary": {
3720
+ "overallScore": 74,
3721
+ "grade": "C",
3722
+ "categories": [
3723
+ {
3724
+ "id": "structure",
3725
+ "name": "Structure & completeness",
3726
+ "score": 7,
3727
+ "max": 10
3728
+ },
3729
+ {
3730
+ "id": "description",
3731
+ "name": "Description quality",
3732
+ "score": 6,
3733
+ "max": 10
3734
+ },
3735
+ {
3736
+ "id": "prompt-engineering",
3737
+ "name": "Prompt engineering",
3738
+ "score": 7,
3739
+ "max": 10
3740
+ },
3741
+ {
3742
+ "id": "context-efficiency",
3743
+ "name": "Context efficiency",
3744
+ "score": 9,
3745
+ "max": 10
3746
+ },
3747
+ {
3748
+ "id": "safety",
3749
+ "name": "Safety & guardrails",
3750
+ "score": 8,
3751
+ "max": 10
3752
+ },
3753
+ {
3754
+ "id": "testability",
3755
+ "name": "Testability",
3756
+ "score": 5,
3757
+ "max": 10
3758
+ },
3759
+ {
3760
+ "id": "naming",
3761
+ "name": "Naming & conventions",
3762
+ "score": 10,
3763
+ "max": 10
3764
+ }
3765
+ ],
3766
+ "evaluatedAt": "2026-06-08T23:20:57.683Z",
3767
+ "evaluatedVersion": "0.0.0"
3768
+ },
3769
+ "evalSummaries": {
3770
+ "quality": {
3771
+ "providerId": "quality",
3772
+ "providerVersion": "1.0.0",
3773
+ "schemaVersion": 1,
3774
+ "passed": true,
3775
+ "overallScore": 74,
3776
+ "grade": "C",
3777
+ "categories": [
3778
+ {
3779
+ "id": "structure",
3780
+ "name": "Structure & completeness",
3781
+ "score": 7,
3782
+ "max": 10
3783
+ },
3784
+ {
3785
+ "id": "description",
3786
+ "name": "Description quality",
3787
+ "score": 6,
3788
+ "max": 10
3789
+ },
3790
+ {
3791
+ "id": "prompt-engineering",
3792
+ "name": "Prompt engineering",
3793
+ "score": 7,
3794
+ "max": 10
3795
+ },
3796
+ {
3797
+ "id": "context-efficiency",
3798
+ "name": "Context efficiency",
3799
+ "score": 9,
3800
+ "max": 10
3801
+ },
3802
+ {
3803
+ "id": "safety",
3804
+ "name": "Safety & guardrails",
3805
+ "score": 8,
3806
+ "max": 10
3807
+ },
3808
+ {
3809
+ "id": "testability",
3810
+ "name": "Testability",
3811
+ "score": 5,
3812
+ "max": 10
3813
+ },
3814
+ {
3815
+ "id": "naming",
3816
+ "name": "Naming & conventions",
3817
+ "score": 10,
3818
+ "max": 10
3819
+ }
3820
+ ],
3821
+ "evaluatedAt": "2026-06-08T23:20:57.683Z",
3822
+ "evaluatedVersion": "0.0.0"
3823
+ },
3824
+ "skill-best-practice": {
3825
+ "providerId": "skill-best-practice",
3826
+ "providerVersion": "1.1.0",
3827
+ "schemaVersion": 1,
3828
+ "passed": false,
3829
+ "overallScore": 69,
3830
+ "grade": "C",
3831
+ "categories": [
3832
+ {
3833
+ "id": "validation",
3834
+ "name": "Deterministic validation",
3835
+ "score": 9,
3836
+ "max": 13
3837
+ }
3838
+ ],
3839
+ "evaluatedAt": "2026-06-08T23:20:57.683Z",
3840
+ "evaluatedVersion": "0.0.0"
3841
+ }
3842
+ }
3843
+ },
3844
+ {
3845
+ "name": "web-pentest",
3846
+ "description": "Perform black-box / grey-box web application penetration testing on an authorized target — auth bypass, IDOR, session handling, business-logic flaws, parameter tampering, Burp Suite / OWASP ZAP workflows. Use when the user mentions 'web pentest,' 'web application penetration test,' 'pentesting,' 'bug bounty,' 'Burp Suite,' 'ZAP,' 'OWASP testing,' 'authentication testing,' 'session testing,' 'authorization testing,' 'business logic testing,' 'web vulnerability testing,' or has explicit authorization to test a live web application.",
3847
+ "version": "0.0.0",
3848
+ "license": "",
3849
+ "creator": "",
3850
+ "compatibility": "",
3851
+ "allowedTools": ["Bash", "Read", "Write", "WebFetch", "WebSearch"],
3852
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/web-pentest",
3853
+ "relPath": "skills/web-pentest",
3854
+ "verified": true,
3855
+ "tokenCount": 3342,
3856
+ "evalSummary": {
3857
+ "overallScore": 70,
3858
+ "grade": "C",
3859
+ "categories": [
3860
+ {
3861
+ "id": "structure",
3862
+ "name": "Structure & completeness",
3863
+ "score": 7,
3864
+ "max": 10
3865
+ },
3866
+ {
3867
+ "id": "description",
3868
+ "name": "Description quality",
3869
+ "score": 3,
3870
+ "max": 10
3871
+ },
3872
+ {
3873
+ "id": "prompt-engineering",
3874
+ "name": "Prompt engineering",
3875
+ "score": 6,
3876
+ "max": 10
3877
+ },
3878
+ {
3879
+ "id": "context-efficiency",
3880
+ "name": "Context efficiency",
3881
+ "score": 8,
3882
+ "max": 10
3883
+ },
3884
+ {
3885
+ "id": "safety",
3886
+ "name": "Safety & guardrails",
3887
+ "score": 10,
3888
+ "max": 10
3889
+ },
3890
+ {
3891
+ "id": "testability",
3892
+ "name": "Testability",
3893
+ "score": 5,
3894
+ "max": 10
3895
+ },
3896
+ {
3897
+ "id": "naming",
3898
+ "name": "Naming & conventions",
3899
+ "score": 10,
3900
+ "max": 10
3901
+ }
3902
+ ],
3903
+ "evaluatedAt": "2026-06-08T23:20:57.685Z",
3904
+ "evaluatedVersion": "0.0.0"
3905
+ },
3906
+ "evalSummaries": {
3907
+ "quality": {
3908
+ "providerId": "quality",
3909
+ "providerVersion": "1.0.0",
3910
+ "schemaVersion": 1,
3911
+ "passed": true,
3912
+ "overallScore": 70,
3913
+ "grade": "C",
3914
+ "categories": [
3915
+ {
3916
+ "id": "structure",
3917
+ "name": "Structure & completeness",
3918
+ "score": 7,
3919
+ "max": 10
3920
+ },
3921
+ {
3922
+ "id": "description",
3923
+ "name": "Description quality",
3924
+ "score": 3,
3925
+ "max": 10
3926
+ },
3927
+ {
3928
+ "id": "prompt-engineering",
3929
+ "name": "Prompt engineering",
3930
+ "score": 6,
3931
+ "max": 10
3932
+ },
3933
+ {
3934
+ "id": "context-efficiency",
3935
+ "name": "Context efficiency",
3936
+ "score": 8,
3937
+ "max": 10
3938
+ },
3939
+ {
3940
+ "id": "safety",
3941
+ "name": "Safety & guardrails",
3942
+ "score": 10,
3943
+ "max": 10
3944
+ },
3945
+ {
3946
+ "id": "testability",
3947
+ "name": "Testability",
3948
+ "score": 5,
3949
+ "max": 10
3950
+ },
3951
+ {
3952
+ "id": "naming",
3953
+ "name": "Naming & conventions",
3954
+ "score": 10,
3955
+ "max": 10
3956
+ }
3957
+ ],
3958
+ "evaluatedAt": "2026-06-08T23:20:57.685Z",
3959
+ "evaluatedVersion": "0.0.0"
3960
+ },
3961
+ "skill-best-practice": {
3962
+ "providerId": "skill-best-practice",
3963
+ "providerVersion": "1.1.0",
3964
+ "schemaVersion": 1,
3965
+ "passed": false,
3966
+ "overallScore": 69,
3967
+ "grade": "C",
3968
+ "categories": [
3969
+ {
3970
+ "id": "validation",
3971
+ "name": "Deterministic validation",
3972
+ "score": 9,
3973
+ "max": 13
3974
+ }
3975
+ ],
3976
+ "evaluatedAt": "2026-06-08T23:20:57.685Z",
3977
+ "evaluatedVersion": "0.0.0"
3978
+ }
3979
+ }
3980
+ }
3981
+ ],
3982
+ "bundles": [
3983
+ {
3984
+ "version": 1,
3985
+ "name": "briiirussell-cybersecurity-skills-data-ai",
3986
+ "description": "Data, analytics, AI, model, prompt, agent, and automation skills. Derived from briiirussell/cybersecurity-skills.",
3987
+ "author": "ASM (briiirussell/cybersecurity-skills)",
3988
+ "createdAt": "2026-06-08T23:20:57.686Z",
3989
+ "tags": [
3990
+ "repo-derived",
3991
+ "inferred",
3992
+ "data",
3993
+ "ai",
3994
+ "agents",
3995
+ "briiirussell",
3996
+ "cybersecurity-skills"
3997
+ ],
3998
+ "skills": [
3999
+ {
4000
+ "name": "ai-risk-management",
4001
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/ai-risk-management",
4002
+ "description": "Apply the NIST AI Risk Management Framework (AI RMF 1.0) and adjacent guidance to AI / ML systems — model lifecycle governance, fairness and bias evaluation, robustness, transparency, accountability, third-party model risk, monitoring for drift, and AI incident response. Broader than prompt-injection (which is the security slice). Use when the user mentions 'AI risk,' 'AI governance,' 'NIST AI RMF,' 'AI compliance,' 'ML governance,' 'model risk management,' 'AI fairness,' 'AI bias,' 'algorithmic accountability,' 'AI Bill of Rights,' 'EU AI Act,' 'AI transparency,' 'model card,' 'AI red team,' 'AI safety,' 'responsible AI,' 'model drift,' 'concept drift,' 'AI monitoring,' 'AI incident,' or needs to assess or govern an AI / ML system.",
4003
+ "version": "0.0.0"
4004
+ },
4005
+ {
4006
+ "name": "api-audit",
4007
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/api-audit",
4008
+ "description": "Audit REST, GraphQL, and RPC APIs against the OWASP API Security Top 10 (2023). Use when the user mentions 'API security,' 'API audit,' 'BOLA,' 'broken object level authorization,' 'BFLA,' 'function-level authorization,' 'mass assignment,' 'API rate limiting,' 'GraphQL security,' 'REST security,' 'API authentication,' 'API authorization,' 'excessive data exposure,' or needs to review API endpoints for security weaknesses.",
4009
+ "version": "0.0.0"
4010
+ },
4011
+ {
4012
+ "name": "breach-patterns",
4013
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
4014
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
4015
+ "version": "0.0.0"
4016
+ },
4017
+ {
4018
+ "name": "container-audit",
4019
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/container-audit",
4020
+ "description": "Audit container images, Dockerfiles, and Kubernetes manifests for misconfigurations, excessive privileges, exposed secrets, and runtime risks. Use when the user mentions 'container security,' 'Docker security,' 'Dockerfile audit,' 'Kubernetes security,' 'K8s security,' 'pod security,' 'container hardening,' 'kubectl audit,' 'image scanning,' 'distroless,' 'rootless containers,' 'pod security policy,' 'pod security standards,' 'PSS,' 'network policy,' 'OPA Gatekeeper,' 'Kyverno,' 'runtime security,' or needs to review container or orchestration security.",
4021
+ "version": "0.0.0"
4022
+ },
4023
+ {
4024
+ "name": "csf-mapping",
4025
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/csf-mapping",
4026
+ "description": "Map your security posture against the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Produce a gap analysis, current/target tier assessment, and roadmap in the governance language that boards, auditors, and CISOs actually use. Use when the user mentions 'NIST CSF,' 'CSF 2.0,' 'cybersecurity framework,' 'security posture,' 'governance mapping,' 'CSF gap analysis,' 'CSF tiers,' 'cybersecurity maturity,' 'security roadmap,' 'CISO report,' 'board reporting,' 'security program,' or needs to translate technical findings into governance language.",
4027
+ "version": "0.0.0"
4028
+ },
4029
+ {
4030
+ "name": "dependency-audit",
4031
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/dependency-audit",
4032
+ "description": "Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.",
4033
+ "version": "0.0.0"
4034
+ },
4035
+ {
4036
+ "name": "disk-forensics",
4037
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/disk-forensics",
4038
+ "description": "Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.",
4039
+ "version": "0.0.0"
4040
+ },
4041
+ {
4042
+ "name": "hipaa-audit",
4043
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/hipaa-audit",
4044
+ "description": "Audit applications and infrastructure handling Protected Health Information against HIPAA — Security Rule (administrative, physical, technical safeguards), Privacy Rule, Breach Notification Rule, plus HITECH. Covers ePHI scoping, the 18 HIPAA identifiers, Business Associate Agreement (BAA) chain-of-liability, minimum-necessary standard, and breach notification timing. Use when the user mentions 'HIPAA,' 'HIPAA Security Rule,' 'HIPAA Privacy Rule,' 'PHI,' 'ePHI,' 'protected health information,' 'BAA,' 'business associate agreement,' 'covered entity,' 'business associate,' 'minimum necessary,' 'HIPAA breach,' 'HITECH,' 'healthcare compliance,' 'medical data,' 'patient data,' or audits any system that creates, receives, maintains, or transmits PHI.",
4045
+ "version": "0.0.0"
4046
+ },
4047
+ {
4048
+ "name": "mobile-audit",
4049
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/mobile-audit",
4050
+ "description": "Audit iOS and Android mobile applications against OWASP MASVS / MASTG — insecure storage, weak crypto, certificate pinning, deeplinks, IPC, jailbreak/root detection, reverse-engineering resistance. Use when the user mentions 'mobile security,' 'iOS security,' 'Android security,' 'mobile audit,' 'mobile pentest,' 'MASVS,' 'MASTG,' 'certificate pinning,' 'jailbreak detection,' 'root detection,' 'deeplink,' 'URL scheme,' 'app transport security,' 'keychain,' 'keystore,' 'mobile reverse engineering,' or has a mobile app to review.",
4051
+ "version": "0.0.0"
4052
+ },
4053
+ {
4054
+ "name": "osint-recon",
4055
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/osint-recon",
4056
+ "description": "Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.",
4057
+ "version": "0.0.0"
4058
+ },
4059
+ {
4060
+ "name": "owasp-audit",
4061
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/owasp-audit",
4062
+ "description": "Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.",
4063
+ "version": "0.0.0"
4064
+ },
4065
+ {
4066
+ "name": "pci-audit",
4067
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/pci-audit",
4068
+ "description": "Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.",
4069
+ "version": "0.0.0"
4070
+ },
4071
+ {
4072
+ "name": "privacy-engineering",
4073
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4074
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4075
+ "version": "0.0.0"
4076
+ },
4077
+ {
4078
+ "name": "prompt-injection",
4079
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/prompt-injection",
4080
+ "description": "Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.",
4081
+ "version": "0.0.0"
4082
+ },
4083
+ {
4084
+ "name": "recon",
4085
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/recon",
4086
+ "description": "Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.",
4087
+ "version": "0.0.0"
4088
+ },
4089
+ {
4090
+ "name": "red-team-engagement",
4091
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/red-team-engagement",
4092
+ "description": "Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.",
4093
+ "version": "0.0.0"
4094
+ },
4095
+ {
4096
+ "name": "secrets-audit",
4097
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/secrets-audit",
4098
+ "description": "Find leaked secrets in source code, Git history, build artifacts, and infrastructure — and audit the secrets-management posture preventing future leaks. Use when the user mentions 'secrets audit,' 'secret scanning,' 'leaked credentials,' 'API key in code,' 'gitleaks,' 'trufflehog,' 'git history scan,' 'secrets management,' 'vault audit,' 'rotation policy,' 'AWS Secrets Manager,' 'HashiCorp Vault,' 'Doppler,' '1Password Secrets Automation,' 'sealed-secrets,' 'External Secrets Operator,' or needs to find or prevent credential exposure.",
4099
+ "version": "0.0.0"
4100
+ },
4101
+ {
4102
+ "name": "security-comms",
4103
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
4104
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
4105
+ "version": "0.0.0"
4106
+ },
4107
+ {
4108
+ "name": "threat-hunting",
4109
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-hunting",
4110
+ "description": "Conduct proactive, hypothesis-driven threat hunts — search SIEM / EDR / logs for adversaries who haven't tripped an alert yet. ATT&CK-driven, hypothesis-based methodology. Use when the user mentions 'threat hunting,' 'proactive hunt,' 'TaHiTI,' 'PEAK framework,' 'MITRE ATT&CK hunt,' 'hypothesis-driven hunt,' 'hunt hypothesis,' 'living off the land,' 'LOLBins,' 'beaconing,' 'lateral movement detection,' 'data staging,' 'persistence hunting,' or wants to find threats that have evaded existing detections.",
4111
+ "version": "0.0.0"
4112
+ },
4113
+ {
4114
+ "name": "threat-modeling",
4115
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-modeling",
4116
+ "description": "Run a structured threat-modeling session for a new feature, system, or architecture — STRIDE, attack trees, data flow diagrams, abuse cases. Use when the user mentions 'threat model,' 'threat modeling,' 'STRIDE,' 'attack tree,' 'abuse case,' 'data flow diagram,' 'DFD,' 'security architecture review,' 'security review,' 'design review,' 'pre-implementation security,' 'shift left,' 'what could go wrong,' or needs strategic security thinking before code is written.",
4117
+ "version": "0.0.0"
4118
+ },
4119
+ {
4120
+ "name": "vuln-research",
4121
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/vuln-research",
4122
+ "description": "Research a specific CVE or vulnerability disclosure end-to-end — what version is affected, is your code reachable, is there a public PoC, is there a patch, what's the exposure window, what's the mitigation if you can't patch immediately. Use when the user mentions 'CVE,' 'vulnerability research,' 'is this CVE relevant,' 'zero-day,' 'CISA KEV,' 'GitHub Security Advisory,' 'reachability analysis,' 'patch analysis,' 'exploit availability,' 'EPSS,' 'CVSS,' or 'should we drop everything and patch this.'",
4123
+ "version": "0.0.0"
4124
+ }
4125
+ ],
4126
+ "sourceRepo": {
4127
+ "owner": "briiirussell",
4128
+ "repo": "cybersecurity-skills",
4129
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4130
+ },
4131
+ "inferred": true
4132
+ },
4133
+ {
4134
+ "version": 1,
4135
+ "name": "briiirussell-cybersecurity-skills-devops",
4136
+ "description": "Deployment, CI/CD, infrastructure, cloud, Docker, Kubernetes, and automation skills. Derived from briiirussell/cybersecurity-skills.",
4137
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4138
+ "createdAt": "2026-06-08T23:20:57.686Z",
4139
+ "tags": [
4140
+ "repo-derived",
4141
+ "inferred",
4142
+ "devops",
4143
+ "infra",
4144
+ "automation",
4145
+ "briiirussell",
4146
+ "cybersecurity-skills"
4147
+ ],
4148
+ "skills": [
4149
+ {
4150
+ "name": "ai-risk-management",
4151
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/ai-risk-management",
4152
+ "description": "Apply the NIST AI Risk Management Framework (AI RMF 1.0) and adjacent guidance to AI / ML systems — model lifecycle governance, fairness and bias evaluation, robustness, transparency, accountability, third-party model risk, monitoring for drift, and AI incident response. Broader than prompt-injection (which is the security slice). Use when the user mentions 'AI risk,' 'AI governance,' 'NIST AI RMF,' 'AI compliance,' 'ML governance,' 'model risk management,' 'AI fairness,' 'AI bias,' 'algorithmic accountability,' 'AI Bill of Rights,' 'EU AI Act,' 'AI transparency,' 'model card,' 'AI red team,' 'AI safety,' 'responsible AI,' 'model drift,' 'concept drift,' 'AI monitoring,' 'AI incident,' or needs to assess or govern an AI / ML system.",
4153
+ "version": "0.0.0"
4154
+ },
4155
+ {
4156
+ "name": "breach-patterns",
4157
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
4158
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
4159
+ "version": "0.0.0"
4160
+ },
4161
+ {
4162
+ "name": "cloud-audit",
4163
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/cloud-audit",
4164
+ "description": "Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.",
4165
+ "version": "0.0.0"
4166
+ },
4167
+ {
4168
+ "name": "container-audit",
4169
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/container-audit",
4170
+ "description": "Audit container images, Dockerfiles, and Kubernetes manifests for misconfigurations, excessive privileges, exposed secrets, and runtime risks. Use when the user mentions 'container security,' 'Docker security,' 'Dockerfile audit,' 'Kubernetes security,' 'K8s security,' 'pod security,' 'container hardening,' 'kubectl audit,' 'image scanning,' 'distroless,' 'rootless containers,' 'pod security policy,' 'pod security standards,' 'PSS,' 'network policy,' 'OPA Gatekeeper,' 'Kyverno,' 'runtime security,' or needs to review container or orchestration security.",
4171
+ "version": "0.0.0"
4172
+ },
4173
+ {
4174
+ "name": "crypto-audit",
4175
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/crypto-audit",
4176
+ "description": "Audit cryptography implementation — algorithm choice, key sizes, KDF parameters, IV/nonce handling, signature verification, randomness, TLS configuration, and key rotation. Deeper than owasp-audit A02. Use when the user mentions 'crypto review,' 'cryptography audit,' 'encryption review,' 'KDF,' 'PBKDF2,' 'Argon2,' 'bcrypt cost,' 'IV reuse,' 'nonce reuse,' 'AES mode,' 'AES-GCM,' 'AES-ECB,' 'signature verification,' 'TLS configuration,' 'cipher suites,' 'key rotation,' 'libsodium,' 'BoringSSL,' or 'is this crypto right.'",
4177
+ "version": "0.0.0"
4178
+ },
4179
+ {
4180
+ "name": "csf-mapping",
4181
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/csf-mapping",
4182
+ "description": "Map your security posture against the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Produce a gap analysis, current/target tier assessment, and roadmap in the governance language that boards, auditors, and CISOs actually use. Use when the user mentions 'NIST CSF,' 'CSF 2.0,' 'cybersecurity framework,' 'security posture,' 'governance mapping,' 'CSF gap analysis,' 'CSF tiers,' 'cybersecurity maturity,' 'security roadmap,' 'CISO report,' 'board reporting,' 'security program,' or needs to translate technical findings into governance language.",
4183
+ "version": "0.0.0"
4184
+ },
4185
+ {
4186
+ "name": "dependency-audit",
4187
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/dependency-audit",
4188
+ "description": "Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.",
4189
+ "version": "0.0.0"
4190
+ },
4191
+ {
4192
+ "name": "finding-triage",
4193
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/finding-triage",
4194
+ "description": "Triage a single security finding — from a scanner, audit, advisory, or report — to a defensible disposition with a mitigation plan, false-positive justification, or accepted-risk writeup. Use when the user mentions 'triage this finding,' 'is this a real vulnerability,' 'mitigation plan,' 'false positive,' 'accept this risk,' 'compensating controls,' 'risk justification,' 'security ticket,' 'CVSS this,' 'should we fix this,' 'disposition,' 'sign off on,' or has a single security finding and needs to decide what to do.",
4195
+ "version": "0.0.0"
4196
+ },
4197
+ {
4198
+ "name": "hipaa-audit",
4199
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/hipaa-audit",
4200
+ "description": "Audit applications and infrastructure handling Protected Health Information against HIPAA — Security Rule (administrative, physical, technical safeguards), Privacy Rule, Breach Notification Rule, plus HITECH. Covers ePHI scoping, the 18 HIPAA identifiers, Business Associate Agreement (BAA) chain-of-liability, minimum-necessary standard, and breach notification timing. Use when the user mentions 'HIPAA,' 'HIPAA Security Rule,' 'HIPAA Privacy Rule,' 'PHI,' 'ePHI,' 'protected health information,' 'BAA,' 'business associate agreement,' 'covered entity,' 'business associate,' 'minimum necessary,' 'HIPAA breach,' 'HITECH,' 'healthcare compliance,' 'medical data,' 'patient data,' or audits any system that creates, receives, maintains, or transmits PHI.",
4201
+ "version": "0.0.0"
4202
+ },
4203
+ {
4204
+ "name": "iam-audit",
4205
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/iam-audit",
4206
+ "description": "Audit, design, and migrate Identity and Access Management — cloud provider IAM (AWS, GCP, Azure), identity providers (Okta, Entra ID / Azure AD, Auth0, Google Workspace), application authorization (RBAC, ABAC, ReBAC), and federated identity. Use when the user mentions 'IAM,' 'identity,' 'access management,' 'least privilege,' 'role design,' 'SSO,' 'SAML,' 'OIDC,' 'OAuth,' 'JIT access,' 'just-in-time access,' 'break-glass,' 'service accounts,' 'RBAC,' 'ABAC,' 'privilege creep,' 'role explosion,' 'identity governance,' 'IAM strategy,' 'identity migration,' 'Okta,' 'Entra ID,' 'Azure AD,' 'Auth0,' 'Cognito,' or needs identity consultant-level guidance.",
4207
+ "version": "0.0.0"
4208
+ },
4209
+ {
4210
+ "name": "incident-triage",
4211
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/incident-triage",
4212
+ "description": "Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.",
4213
+ "version": "0.0.0"
4214
+ },
4215
+ {
4216
+ "name": "pci-audit",
4217
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/pci-audit",
4218
+ "description": "Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.",
4219
+ "version": "0.0.0"
4220
+ },
4221
+ {
4222
+ "name": "privacy-engineering",
4223
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4224
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4225
+ "version": "0.0.0"
4226
+ },
4227
+ {
4228
+ "name": "red-team-engagement",
4229
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/red-team-engagement",
4230
+ "description": "Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.",
4231
+ "version": "0.0.0"
4232
+ },
4233
+ {
4234
+ "name": "secrets-audit",
4235
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/secrets-audit",
4236
+ "description": "Find leaked secrets in source code, Git history, build artifacts, and infrastructure — and audit the secrets-management posture preventing future leaks. Use when the user mentions 'secrets audit,' 'secret scanning,' 'leaked credentials,' 'API key in code,' 'gitleaks,' 'trufflehog,' 'git history scan,' 'secrets management,' 'vault audit,' 'rotation policy,' 'AWS Secrets Manager,' 'HashiCorp Vault,' 'Doppler,' '1Password Secrets Automation,' 'sealed-secrets,' 'External Secrets Operator,' or needs to find or prevent credential exposure.",
4237
+ "version": "0.0.0"
4238
+ },
4239
+ {
4240
+ "name": "security-comms",
4241
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
4242
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
4243
+ "version": "0.0.0"
4244
+ },
4245
+ {
4246
+ "name": "siem-detection",
4247
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/siem-detection",
4248
+ "description": "Engineer and audit SIEM detection rules — log source coverage, Sigma / KQL / SPL / Elastic query authoring, MITRE ATT&CK mapping, false-positive tuning, and detection-as-code workflows. Use when the user mentions 'SIEM,' 'detection engineering,' 'detection rules,' 'Sigma,' 'KQL,' 'SPL,' 'Splunk,' 'Sentinel,' 'Elastic,' 'Wazuh,' 'Chronicle,' 'detection-as-code,' 'MITRE ATT&CK mapping,' 'log coverage,' 'alert tuning,' 'use case development,' or needs help building or improving security detections.",
4249
+ "version": "0.0.0"
4250
+ },
4251
+ {
4252
+ "name": "soc-operations",
4253
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/soc-operations",
4254
+ "description": "Build, run, and improve a Security Operations Center — alert prioritization, runbook authoring, escalation criteria, on-call structure, alert tuning workflow, MTTD / MTTR / fidelity KPIs, analyst tiering, and shift handoffs. Use when the user mentions 'SOC,' 'security operations,' 'SOC analyst,' 'alert triage workflow,' 'runbook,' 'escalation,' 'on-call,' 'SOC tiering,' 'tier 1 / tier 2,' 'MTTD,' 'MTTR,' 'alert fatigue,' 'alert tuning,' 'shift handoff,' 'SOAR,' or wants to design or improve a security operations team.",
4255
+ "version": "0.0.0"
4256
+ },
4257
+ {
4258
+ "name": "vuln-research",
4259
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/vuln-research",
4260
+ "description": "Research a specific CVE or vulnerability disclosure end-to-end — what version is affected, is your code reachable, is there a public PoC, is there a patch, what's the exposure window, what's the mitigation if you can't patch immediately. Use when the user mentions 'CVE,' 'vulnerability research,' 'is this CVE relevant,' 'zero-day,' 'CISA KEV,' 'GitHub Security Advisory,' 'reachability analysis,' 'patch analysis,' 'exploit availability,' 'EPSS,' 'CVSS,' or 'should we drop everything and patch this.'",
4261
+ "version": "0.0.0"
4262
+ },
4263
+ {
4264
+ "name": "web-pentest",
4265
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/web-pentest",
4266
+ "description": "Perform black-box / grey-box web application penetration testing on an authorized target — auth bypass, IDOR, session handling, business-logic flaws, parameter tampering, Burp Suite / OWASP ZAP workflows. Use when the user mentions 'web pentest,' 'web application penetration test,' 'pentesting,' 'bug bounty,' 'Burp Suite,' 'ZAP,' 'OWASP testing,' 'authentication testing,' 'session testing,' 'authorization testing,' 'business logic testing,' 'web vulnerability testing,' or has explicit authorization to test a live web application.",
4267
+ "version": "0.0.0"
4268
+ }
4269
+ ],
4270
+ "sourceRepo": {
4271
+ "owner": "briiirussell",
4272
+ "repo": "cybersecurity-skills",
4273
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4274
+ },
4275
+ "inferred": true
4276
+ },
4277
+ {
4278
+ "version": 1,
4279
+ "name": "briiirussell-cybersecurity-skills-engineering",
4280
+ "description": "Coding, debugging, testing, architecture, review, and software engineering skills. Derived from briiirussell/cybersecurity-skills.",
4281
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4282
+ "createdAt": "2026-06-08T23:20:57.686Z",
4283
+ "tags": [
4284
+ "repo-derived",
4285
+ "inferred",
4286
+ "engineering",
4287
+ "coding",
4288
+ "testing",
4289
+ "briiirussell",
4290
+ "cybersecurity-skills"
4291
+ ],
4292
+ "skills": [
4293
+ {
4294
+ "name": "api-audit",
4295
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/api-audit",
4296
+ "description": "Audit REST, GraphQL, and RPC APIs against the OWASP API Security Top 10 (2023). Use when the user mentions 'API security,' 'API audit,' 'BOLA,' 'broken object level authorization,' 'BFLA,' 'function-level authorization,' 'mass assignment,' 'API rate limiting,' 'GraphQL security,' 'REST security,' 'API authentication,' 'API authorization,' 'excessive data exposure,' or needs to review API endpoints for security weaknesses.",
4297
+ "version": "0.0.0"
4298
+ },
4299
+ {
4300
+ "name": "breach-patterns",
4301
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
4302
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
4303
+ "version": "0.0.0"
4304
+ },
4305
+ {
4306
+ "name": "cloud-audit",
4307
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/cloud-audit",
4308
+ "description": "Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.",
4309
+ "version": "0.0.0"
4310
+ },
4311
+ {
4312
+ "name": "container-audit",
4313
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/container-audit",
4314
+ "description": "Audit container images, Dockerfiles, and Kubernetes manifests for misconfigurations, excessive privileges, exposed secrets, and runtime risks. Use when the user mentions 'container security,' 'Docker security,' 'Dockerfile audit,' 'Kubernetes security,' 'K8s security,' 'pod security,' 'container hardening,' 'kubectl audit,' 'image scanning,' 'distroless,' 'rootless containers,' 'pod security policy,' 'pod security standards,' 'PSS,' 'network policy,' 'OPA Gatekeeper,' 'Kyverno,' 'runtime security,' or needs to review container or orchestration security.",
4315
+ "version": "0.0.0"
4316
+ },
4317
+ {
4318
+ "name": "crypto-audit",
4319
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/crypto-audit",
4320
+ "description": "Audit cryptography implementation — algorithm choice, key sizes, KDF parameters, IV/nonce handling, signature verification, randomness, TLS configuration, and key rotation. Deeper than owasp-audit A02. Use when the user mentions 'crypto review,' 'cryptography audit,' 'encryption review,' 'KDF,' 'PBKDF2,' 'Argon2,' 'bcrypt cost,' 'IV reuse,' 'nonce reuse,' 'AES mode,' 'AES-GCM,' 'AES-ECB,' 'signature verification,' 'TLS configuration,' 'cipher suites,' 'key rotation,' 'libsodium,' 'BoringSSL,' or 'is this crypto right.'",
4321
+ "version": "0.0.0"
4322
+ },
4323
+ {
4324
+ "name": "incident-triage",
4325
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/incident-triage",
4326
+ "description": "Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.",
4327
+ "version": "0.0.0"
4328
+ },
4329
+ {
4330
+ "name": "mobile-audit",
4331
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/mobile-audit",
4332
+ "description": "Audit iOS and Android mobile applications against OWASP MASVS / MASTG — insecure storage, weak crypto, certificate pinning, deeplinks, IPC, jailbreak/root detection, reverse-engineering resistance. Use when the user mentions 'mobile security,' 'iOS security,' 'Android security,' 'mobile audit,' 'mobile pentest,' 'MASVS,' 'MASTG,' 'certificate pinning,' 'jailbreak detection,' 'root detection,' 'deeplink,' 'URL scheme,' 'app transport security,' 'keychain,' 'keystore,' 'mobile reverse engineering,' or has a mobile app to review.",
4333
+ "version": "0.0.0"
4334
+ },
4335
+ {
4336
+ "name": "owasp-audit",
4337
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/owasp-audit",
4338
+ "description": "Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.",
4339
+ "version": "0.0.0"
4340
+ },
4341
+ {
4342
+ "name": "pci-audit",
4343
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/pci-audit",
4344
+ "description": "Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.",
4345
+ "version": "0.0.0"
4346
+ },
4347
+ {
4348
+ "name": "privacy-engineering",
4349
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4350
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4351
+ "version": "0.0.0"
4352
+ },
4353
+ {
4354
+ "name": "recon",
4355
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/recon",
4356
+ "description": "Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.",
4357
+ "version": "0.0.0"
4358
+ },
4359
+ {
4360
+ "name": "red-team-engagement",
4361
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/red-team-engagement",
4362
+ "description": "Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.",
4363
+ "version": "0.0.0"
4364
+ },
4365
+ {
4366
+ "name": "secrets-audit",
4367
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/secrets-audit",
4368
+ "description": "Find leaked secrets in source code, Git history, build artifacts, and infrastructure — and audit the secrets-management posture preventing future leaks. Use when the user mentions 'secrets audit,' 'secret scanning,' 'leaked credentials,' 'API key in code,' 'gitleaks,' 'trufflehog,' 'git history scan,' 'secrets management,' 'vault audit,' 'rotation policy,' 'AWS Secrets Manager,' 'HashiCorp Vault,' 'Doppler,' '1Password Secrets Automation,' 'sealed-secrets,' 'External Secrets Operator,' or needs to find or prevent credential exposure.",
4369
+ "version": "0.0.0"
4370
+ },
4371
+ {
4372
+ "name": "siem-detection",
4373
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/siem-detection",
4374
+ "description": "Engineer and audit SIEM detection rules — log source coverage, Sigma / KQL / SPL / Elastic query authoring, MITRE ATT&CK mapping, false-positive tuning, and detection-as-code workflows. Use when the user mentions 'SIEM,' 'detection engineering,' 'detection rules,' 'Sigma,' 'KQL,' 'SPL,' 'Splunk,' 'Sentinel,' 'Elastic,' 'Wazuh,' 'Chronicle,' 'detection-as-code,' 'MITRE ATT&CK mapping,' 'log coverage,' 'alert tuning,' 'use case development,' or needs help building or improving security detections.",
4375
+ "version": "0.0.0"
4376
+ },
4377
+ {
4378
+ "name": "soc-operations",
4379
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/soc-operations",
4380
+ "description": "Build, run, and improve a Security Operations Center — alert prioritization, runbook authoring, escalation criteria, on-call structure, alert tuning workflow, MTTD / MTTR / fidelity KPIs, analyst tiering, and shift handoffs. Use when the user mentions 'SOC,' 'security operations,' 'SOC analyst,' 'alert triage workflow,' 'runbook,' 'escalation,' 'on-call,' 'SOC tiering,' 'tier 1 / tier 2,' 'MTTD,' 'MTTR,' 'alert fatigue,' 'alert tuning,' 'shift handoff,' 'SOAR,' or wants to design or improve a security operations team.",
4381
+ "version": "0.0.0"
4382
+ },
4383
+ {
4384
+ "name": "threat-modeling",
4385
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-modeling",
4386
+ "description": "Run a structured threat-modeling session for a new feature, system, or architecture — STRIDE, attack trees, data flow diagrams, abuse cases. Use when the user mentions 'threat model,' 'threat modeling,' 'STRIDE,' 'attack tree,' 'abuse case,' 'data flow diagram,' 'DFD,' 'security architecture review,' 'security review,' 'design review,' 'pre-implementation security,' 'shift left,' 'what could go wrong,' or needs strategic security thinking before code is written.",
4387
+ "version": "0.0.0"
4388
+ },
4389
+ {
4390
+ "name": "vuln-research",
4391
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/vuln-research",
4392
+ "description": "Research a specific CVE or vulnerability disclosure end-to-end — what version is affected, is your code reachable, is there a public PoC, is there a patch, what's the exposure window, what's the mitigation if you can't patch immediately. Use when the user mentions 'CVE,' 'vulnerability research,' 'is this CVE relevant,' 'zero-day,' 'CISA KEV,' 'GitHub Security Advisory,' 'reachability analysis,' 'patch analysis,' 'exploit availability,' 'EPSS,' 'CVSS,' or 'should we drop everything and patch this.'",
4393
+ "version": "0.0.0"
4394
+ },
4395
+ {
4396
+ "name": "web-pentest",
4397
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/web-pentest",
4398
+ "description": "Perform black-box / grey-box web application penetration testing on an authorized target — auth bypass, IDOR, session handling, business-logic flaws, parameter tampering, Burp Suite / OWASP ZAP workflows. Use when the user mentions 'web pentest,' 'web application penetration test,' 'pentesting,' 'bug bounty,' 'Burp Suite,' 'ZAP,' 'OWASP testing,' 'authentication testing,' 'session testing,' 'authorization testing,' 'business logic testing,' 'web vulnerability testing,' or has explicit authorization to test a live web application.",
4399
+ "version": "0.0.0"
4400
+ }
4401
+ ],
4402
+ "sourceRepo": {
4403
+ "owner": "briiirussell",
4404
+ "repo": "cybersecurity-skills",
4405
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4406
+ },
4407
+ "inferred": true
4408
+ },
4409
+ {
4410
+ "version": 1,
4411
+ "name": "briiirussell-cybersecurity-skills-frontend-design",
4412
+ "description": "Frontend, UI, UX, visual design, component, theme, and landing-page skills. Derived from briiirussell/cybersecurity-skills.",
4413
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4414
+ "createdAt": "2026-06-08T23:20:57.686Z",
4415
+ "tags": [
4416
+ "repo-derived",
4417
+ "inferred",
4418
+ "frontend",
4419
+ "design",
4420
+ "ui",
4421
+ "briiirussell",
4422
+ "cybersecurity-skills"
4423
+ ],
4424
+ "skills": [
4425
+ {
4426
+ "name": "ai-risk-management",
4427
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/ai-risk-management",
4428
+ "description": "Apply the NIST AI Risk Management Framework (AI RMF 1.0) and adjacent guidance to AI / ML systems — model lifecycle governance, fairness and bias evaluation, robustness, transparency, accountability, third-party model risk, monitoring for drift, and AI incident response. Broader than prompt-injection (which is the security slice). Use when the user mentions 'AI risk,' 'AI governance,' 'NIST AI RMF,' 'AI compliance,' 'ML governance,' 'model risk management,' 'AI fairness,' 'AI bias,' 'algorithmic accountability,' 'AI Bill of Rights,' 'EU AI Act,' 'AI transparency,' 'model card,' 'AI red team,' 'AI safety,' 'responsible AI,' 'model drift,' 'concept drift,' 'AI monitoring,' 'AI incident,' or needs to assess or govern an AI / ML system.",
4429
+ "version": "0.0.0"
4430
+ },
4431
+ {
4432
+ "name": "breach-patterns",
4433
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
4434
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
4435
+ "version": "0.0.0"
4436
+ },
4437
+ {
4438
+ "name": "crypto-audit",
4439
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/crypto-audit",
4440
+ "description": "Audit cryptography implementation — algorithm choice, key sizes, KDF parameters, IV/nonce handling, signature verification, randomness, TLS configuration, and key rotation. Deeper than owasp-audit A02. Use when the user mentions 'crypto review,' 'cryptography audit,' 'encryption review,' 'KDF,' 'PBKDF2,' 'Argon2,' 'bcrypt cost,' 'IV reuse,' 'nonce reuse,' 'AES mode,' 'AES-GCM,' 'AES-ECB,' 'signature verification,' 'TLS configuration,' 'cipher suites,' 'key rotation,' 'libsodium,' 'BoringSSL,' or 'is this crypto right.'",
4441
+ "version": "0.0.0"
4442
+ },
4443
+ {
4444
+ "name": "iam-audit",
4445
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/iam-audit",
4446
+ "description": "Audit, design, and migrate Identity and Access Management — cloud provider IAM (AWS, GCP, Azure), identity providers (Okta, Entra ID / Azure AD, Auth0, Google Workspace), application authorization (RBAC, ABAC, ReBAC), and federated identity. Use when the user mentions 'IAM,' 'identity,' 'access management,' 'least privilege,' 'role design,' 'SSO,' 'SAML,' 'OIDC,' 'OAuth,' 'JIT access,' 'just-in-time access,' 'break-glass,' 'service accounts,' 'RBAC,' 'ABAC,' 'privilege creep,' 'role explosion,' 'identity governance,' 'IAM strategy,' 'identity migration,' 'Okta,' 'Entra ID,' 'Azure AD,' 'Auth0,' 'Cognito,' or needs identity consultant-level guidance.",
4447
+ "version": "0.0.0"
4448
+ },
4449
+ {
4450
+ "name": "incident-triage",
4451
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/incident-triage",
4452
+ "description": "Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.",
4453
+ "version": "0.0.0"
4454
+ },
4455
+ {
4456
+ "name": "owasp-audit",
4457
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/owasp-audit",
4458
+ "description": "Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.",
4459
+ "version": "0.0.0"
4460
+ },
4461
+ {
4462
+ "name": "pci-audit",
4463
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/pci-audit",
4464
+ "description": "Audit applications and infrastructure handling payment card data against PCI DSS v4.0. Heavy emphasis on scope determination (the single most-leveraged variable) plus the engineering-relevant requirements — Req 3 (storage of CHD), Req 4 (transmission), Req 6 (secure SDLC), Req 7-8 (access), Req 10 (logging), Req 11 (testing), Req 12 (program). Use when the user mentions 'PCI,' 'PCI DSS,' 'PCI DSS 4.0,' 'payment card,' 'cardholder data,' 'CHD,' 'PAN,' 'PCI scope,' 'PCI compliance,' 'SAQ,' 'AoC,' 'attestation of compliance,' 'tokenization,' 'P2PE,' 'network segmentation for PCI,' or audits any system that stores, processes, or transmits payment card data.",
4465
+ "version": "0.0.0"
4466
+ },
4467
+ {
4468
+ "name": "red-team-engagement",
4469
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/red-team-engagement",
4470
+ "description": "Plan, scope, and execute an authorized red-team engagement — distinct from a penetration test. Covers engagement methodology, assumed-breach scenarios, ATT&CK emulation plans, rules of engagement, deconfliction with the blue team, post-engagement debriefs, and the program-level work that makes red teams actually improve defenses. Use when the user mentions 'red team,' 'red team engagement,' 'red teaming,' 'adversary emulation,' 'ATT&CK emulation,' 'assumed breach,' 'purple team exercise,' 'tabletop with technical execution,' 'red team scope,' 'rules of engagement,' 'red team RoE,' 'deconfliction,' 'red team debrief,' or wants to design or run a red-team engagement against systems with authorization.",
4471
+ "version": "0.0.0"
4472
+ },
4473
+ {
4474
+ "name": "secrets-audit",
4475
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/secrets-audit",
4476
+ "description": "Find leaked secrets in source code, Git history, build artifacts, and infrastructure — and audit the secrets-management posture preventing future leaks. Use when the user mentions 'secrets audit,' 'secret scanning,' 'leaked credentials,' 'API key in code,' 'gitleaks,' 'trufflehog,' 'git history scan,' 'secrets management,' 'vault audit,' 'rotation policy,' 'AWS Secrets Manager,' 'HashiCorp Vault,' 'Doppler,' '1Password Secrets Automation,' 'sealed-secrets,' 'External Secrets Operator,' or needs to find or prevent credential exposure.",
4477
+ "version": "0.0.0"
4478
+ },
4479
+ {
4480
+ "name": "siem-detection",
4481
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/siem-detection",
4482
+ "description": "Engineer and audit SIEM detection rules — log source coverage, Sigma / KQL / SPL / Elastic query authoring, MITRE ATT&CK mapping, false-positive tuning, and detection-as-code workflows. Use when the user mentions 'SIEM,' 'detection engineering,' 'detection rules,' 'Sigma,' 'KQL,' 'SPL,' 'Splunk,' 'Sentinel,' 'Elastic,' 'Wazuh,' 'Chronicle,' 'detection-as-code,' 'MITRE ATT&CK mapping,' 'log coverage,' 'alert tuning,' 'use case development,' or needs help building or improving security detections.",
4483
+ "version": "0.0.0"
4484
+ },
4485
+ {
4486
+ "name": "soc-operations",
4487
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/soc-operations",
4488
+ "description": "Build, run, and improve a Security Operations Center — alert prioritization, runbook authoring, escalation criteria, on-call structure, alert tuning workflow, MTTD / MTTR / fidelity KPIs, analyst tiering, and shift handoffs. Use when the user mentions 'SOC,' 'security operations,' 'SOC analyst,' 'alert triage workflow,' 'runbook,' 'escalation,' 'on-call,' 'SOC tiering,' 'tier 1 / tier 2,' 'MTTD,' 'MTTR,' 'alert fatigue,' 'alert tuning,' 'shift handoff,' 'SOAR,' or wants to design or improve a security operations team.",
4489
+ "version": "0.0.0"
4490
+ },
4491
+ {
4492
+ "name": "threat-modeling",
4493
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-modeling",
4494
+ "description": "Run a structured threat-modeling session for a new feature, system, or architecture — STRIDE, attack trees, data flow diagrams, abuse cases. Use when the user mentions 'threat model,' 'threat modeling,' 'STRIDE,' 'attack tree,' 'abuse case,' 'data flow diagram,' 'DFD,' 'security architecture review,' 'security review,' 'design review,' 'pre-implementation security,' 'shift left,' 'what could go wrong,' or needs strategic security thinking before code is written.",
4495
+ "version": "0.0.0"
4496
+ },
4497
+ {
4498
+ "name": "web-pentest",
4499
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/web-pentest",
4500
+ "description": "Perform black-box / grey-box web application penetration testing on an authorized target — auth bypass, IDOR, session handling, business-logic flaws, parameter tampering, Burp Suite / OWASP ZAP workflows. Use when the user mentions 'web pentest,' 'web application penetration test,' 'pentesting,' 'bug bounty,' 'Burp Suite,' 'ZAP,' 'OWASP testing,' 'authentication testing,' 'session testing,' 'authorization testing,' 'business logic testing,' 'web vulnerability testing,' or has explicit authorization to test a live web application.",
4501
+ "version": "0.0.0"
4502
+ }
4503
+ ],
4504
+ "sourceRepo": {
4505
+ "owner": "briiirussell",
4506
+ "repo": "cybersecurity-skills",
4507
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4508
+ },
4509
+ "inferred": true
4510
+ },
4511
+ {
4512
+ "version": 1,
4513
+ "name": "briiirussell-cybersecurity-skills-marketing",
4514
+ "description": "Marketing, growth, SEO, ASO, affiliate, sales, and conversion skills. Derived from briiirussell/cybersecurity-skills.",
4515
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4516
+ "createdAt": "2026-06-08T23:20:57.686Z",
4517
+ "tags": [
4518
+ "repo-derived",
4519
+ "inferred",
4520
+ "marketing",
4521
+ "growth",
4522
+ "seo",
4523
+ "briiirussell",
4524
+ "cybersecurity-skills"
4525
+ ],
4526
+ "skills": [
4527
+ {
4528
+ "name": "disk-forensics",
4529
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/disk-forensics",
4530
+ "description": "Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.",
4531
+ "version": "0.0.0"
4532
+ },
4533
+ {
4534
+ "name": "privacy-engineering",
4535
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4536
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4537
+ "version": "0.0.0"
4538
+ },
4539
+ {
4540
+ "name": "security-comms",
4541
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
4542
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
4543
+ "version": "0.0.0"
4544
+ }
4545
+ ],
4546
+ "sourceRepo": {
4547
+ "owner": "briiirussell",
4548
+ "repo": "cybersecurity-skills",
4549
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4550
+ },
4551
+ "inferred": true
4552
+ },
4553
+ {
4554
+ "version": 1,
4555
+ "name": "briiirussell-cybersecurity-skills-product-business",
4556
+ "description": "Product, strategy, PRD, planning, finance, resume, and business workflow skills. Derived from briiirussell/cybersecurity-skills.",
4557
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4558
+ "createdAt": "2026-06-08T23:20:57.686Z",
4559
+ "tags": [
4560
+ "repo-derived",
4561
+ "inferred",
4562
+ "product",
4563
+ "business",
4564
+ "planning",
4565
+ "briiirussell",
4566
+ "cybersecurity-skills"
4567
+ ],
4568
+ "skills": [
4569
+ {
4570
+ "name": "hipaa-audit",
4571
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/hipaa-audit",
4572
+ "description": "Audit applications and infrastructure handling Protected Health Information against HIPAA — Security Rule (administrative, physical, technical safeguards), Privacy Rule, Breach Notification Rule, plus HITECH. Covers ePHI scoping, the 18 HIPAA identifiers, Business Associate Agreement (BAA) chain-of-liability, minimum-necessary standard, and breach notification timing. Use when the user mentions 'HIPAA,' 'HIPAA Security Rule,' 'HIPAA Privacy Rule,' 'PHI,' 'ePHI,' 'protected health information,' 'BAA,' 'business associate agreement,' 'covered entity,' 'business associate,' 'minimum necessary,' 'HIPAA breach,' 'HITECH,' 'healthcare compliance,' 'medical data,' 'patient data,' or audits any system that creates, receives, maintains, or transmits PHI.",
4573
+ "version": "0.0.0"
4574
+ },
4575
+ {
4576
+ "name": "iam-audit",
4577
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/iam-audit",
4578
+ "description": "Audit, design, and migrate Identity and Access Management — cloud provider IAM (AWS, GCP, Azure), identity providers (Okta, Entra ID / Azure AD, Auth0, Google Workspace), application authorization (RBAC, ABAC, ReBAC), and federated identity. Use when the user mentions 'IAM,' 'identity,' 'access management,' 'least privilege,' 'role design,' 'SSO,' 'SAML,' 'OIDC,' 'OAuth,' 'JIT access,' 'just-in-time access,' 'break-glass,' 'service accounts,' 'RBAC,' 'ABAC,' 'privilege creep,' 'role explosion,' 'identity governance,' 'IAM strategy,' 'identity migration,' 'Okta,' 'Entra ID,' 'Azure AD,' 'Auth0,' 'Cognito,' or needs identity consultant-level guidance.",
4579
+ "version": "0.0.0"
4580
+ },
4581
+ {
4582
+ "name": "privacy-engineering",
4583
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4584
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4585
+ "version": "0.0.0"
4586
+ },
4587
+ {
4588
+ "name": "security-comms",
4589
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
4590
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
4591
+ "version": "0.0.0"
4592
+ },
4593
+ {
4594
+ "name": "web-pentest",
4595
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/web-pentest",
4596
+ "description": "Perform black-box / grey-box web application penetration testing on an authorized target — auth bypass, IDOR, session handling, business-logic flaws, parameter tampering, Burp Suite / OWASP ZAP workflows. Use when the user mentions 'web pentest,' 'web application penetration test,' 'pentesting,' 'bug bounty,' 'Burp Suite,' 'ZAP,' 'OWASP testing,' 'authentication testing,' 'session testing,' 'authorization testing,' 'business logic testing,' 'web vulnerability testing,' or has explicit authorization to test a live web application.",
4597
+ "version": "0.0.0"
4598
+ }
4599
+ ],
4600
+ "sourceRepo": {
4601
+ "owner": "briiirussell",
4602
+ "repo": "cybersecurity-skills",
4603
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4604
+ },
4605
+ "inferred": true
4606
+ },
4607
+ {
4608
+ "version": 1,
4609
+ "name": "briiirussell-cybersecurity-skills-research",
4610
+ "description": "Research, academic, literature-review, citation, paper, and analysis skills. Derived from briiirussell/cybersecurity-skills.",
4611
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4612
+ "createdAt": "2026-06-08T23:20:57.686Z",
4613
+ "tags": [
4614
+ "repo-derived",
4615
+ "inferred",
4616
+ "research",
4617
+ "academic",
4618
+ "analysis",
4619
+ "briiirussell",
4620
+ "cybersecurity-skills"
4621
+ ],
4622
+ "skills": [
4623
+ {
4624
+ "name": "api-audit",
4625
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/api-audit",
4626
+ "description": "Audit REST, GraphQL, and RPC APIs against the OWASP API Security Top 10 (2023). Use when the user mentions 'API security,' 'API audit,' 'BOLA,' 'broken object level authorization,' 'BFLA,' 'function-level authorization,' 'mass assignment,' 'API rate limiting,' 'GraphQL security,' 'REST security,' 'API authentication,' 'API authorization,' 'excessive data exposure,' or needs to review API endpoints for security weaknesses.",
4627
+ "version": "0.0.0"
4628
+ },
4629
+ {
4630
+ "name": "breach-patterns",
4631
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/breach-patterns",
4632
+ "description": "Learn from public breach disclosures — extract the audit question each one implies and check your own stack. Capital One IMDS abuse, LastPass vault exfiltration, Okta Lapsus$, Snowflake credential reuse, MOVEit, SolarWinds, Equifax, Target POS, Codecov, Uber, Twilio — what would you check now if your boss said 'could that happen to us?' Use when the user mentions 'breach analysis,' 'lessons learned,' 'security postmortem,' 'breach patterns,' 'breach lessons,' 'has this happened to us,' 'apply breach lessons,' 'preempt breaches,' 'security retrospective,' 'real-world security incidents,' or wants to harden against known attacker playbooks.",
4633
+ "version": "0.0.0"
4634
+ },
4635
+ {
4636
+ "name": "cloud-audit",
4637
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/cloud-audit",
4638
+ "description": "Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.",
4639
+ "version": "0.0.0"
4640
+ },
4641
+ {
4642
+ "name": "container-audit",
4643
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/container-audit",
4644
+ "description": "Audit container images, Dockerfiles, and Kubernetes manifests for misconfigurations, excessive privileges, exposed secrets, and runtime risks. Use when the user mentions 'container security,' 'Docker security,' 'Dockerfile audit,' 'Kubernetes security,' 'K8s security,' 'pod security,' 'container hardening,' 'kubectl audit,' 'image scanning,' 'distroless,' 'rootless containers,' 'pod security policy,' 'pod security standards,' 'PSS,' 'network policy,' 'OPA Gatekeeper,' 'Kyverno,' 'runtime security,' or needs to review container or orchestration security.",
4645
+ "version": "0.0.0"
4646
+ },
4647
+ {
4648
+ "name": "crypto-audit",
4649
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/crypto-audit",
4650
+ "description": "Audit cryptography implementation — algorithm choice, key sizes, KDF parameters, IV/nonce handling, signature verification, randomness, TLS configuration, and key rotation. Deeper than owasp-audit A02. Use when the user mentions 'crypto review,' 'cryptography audit,' 'encryption review,' 'KDF,' 'PBKDF2,' 'Argon2,' 'bcrypt cost,' 'IV reuse,' 'nonce reuse,' 'AES mode,' 'AES-GCM,' 'AES-ECB,' 'signature verification,' 'TLS configuration,' 'cipher suites,' 'key rotation,' 'libsodium,' 'BoringSSL,' or 'is this crypto right.'",
4651
+ "version": "0.0.0"
4652
+ },
4653
+ {
4654
+ "name": "csf-mapping",
4655
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/csf-mapping",
4656
+ "description": "Map your security posture against the NIST Cybersecurity Framework 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). Produce a gap analysis, current/target tier assessment, and roadmap in the governance language that boards, auditors, and CISOs actually use. Use when the user mentions 'NIST CSF,' 'CSF 2.0,' 'cybersecurity framework,' 'security posture,' 'governance mapping,' 'CSF gap analysis,' 'CSF tiers,' 'cybersecurity maturity,' 'security roadmap,' 'CISO report,' 'board reporting,' 'security program,' or needs to translate technical findings into governance language.",
4657
+ "version": "0.0.0"
4658
+ },
4659
+ {
4660
+ "name": "disk-forensics",
4661
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/disk-forensics",
4662
+ "description": "Analyze disk images, file systems, and memory captures for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'timeline analysis,' 'memory forensics,' 'volatility,' 'autopsy,' 'sleuthkit,' 'plaso,' 'log2timeline,' 'artifact analysis,' 'chain of custody,' or needs to examine a forensic image.",
4663
+ "version": "0.0.0"
4664
+ },
4665
+ {
4666
+ "name": "mobile-audit",
4667
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/mobile-audit",
4668
+ "description": "Audit iOS and Android mobile applications against OWASP MASVS / MASTG — insecure storage, weak crypto, certificate pinning, deeplinks, IPC, jailbreak/root detection, reverse-engineering resistance. Use when the user mentions 'mobile security,' 'iOS security,' 'Android security,' 'mobile audit,' 'mobile pentest,' 'MASVS,' 'MASTG,' 'certificate pinning,' 'jailbreak detection,' 'root detection,' 'deeplink,' 'URL scheme,' 'app transport security,' 'keychain,' 'keystore,' 'mobile reverse engineering,' or has a mobile app to review.",
4669
+ "version": "0.0.0"
4670
+ },
4671
+ {
4672
+ "name": "osint-recon",
4673
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/osint-recon",
4674
+ "description": "Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.",
4675
+ "version": "0.0.0"
4676
+ },
4677
+ {
4678
+ "name": "owasp-audit",
4679
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/owasp-audit",
4680
+ "description": "Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.",
4681
+ "version": "0.0.0"
4682
+ },
4683
+ {
4684
+ "name": "privacy-engineering",
4685
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/privacy-engineering",
4686
+ "description": "Implement and audit privacy controls in product and infrastructure — GDPR, CCPA / CPRA, LGPD, PIPEDA. Covers data minimization, lawful basis, consent management, data subject access requests (DSARs — access, deletion, portability), data processing agreements, DPIA / TIA, breach notification timing, data classification, and the technical implementation of 'right to be forgotten' across backups, caches, analytics, and third parties. Use when the user mentions 'GDPR,' 'CCPA,' 'CPRA,' 'data privacy,' 'privacy engineering,' 'data subject access request,' 'DSAR,' 'right to deletion,' 'right to be forgotten,' 'data portability,' 'consent management,' 'cookie consent,' 'data minimization,' 'DPIA,' 'data protection impact assessment,' 'breach notification,' 'BAA,' 'DPA,' 'data processing agreement,' 'sub-processor,' 'cross-border data transfer,' 'SCCs,' or needs to implement or review privacy controls.",
4687
+ "version": "0.0.0"
4688
+ },
4689
+ {
4690
+ "name": "security-comms",
4691
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/security-comms",
4692
+ "description": "Translate technical security work into the language of non-security audiences — board, executives, engineering, customer success, customers, legal, procurement, sales. Covers incident communication, post-mortem narrative, audit-findings-for-stakeholders, risk justification, security spend justification, and customer-facing breach disclosure. Use when the user mentions 'security comms,' 'communicate this finding,' 'explain to my boss,' 'board update,' 'executive summary,' 'incident communication,' 'breach notification,' 'customer disclosure,' 'security memo,' 'post-mortem narrative,' 'risk justification,' 'why this matters to the business,' 'translate this finding,' 'stakeholder update,' or has technical security work that needs to land with a non-security audience.",
4693
+ "version": "0.0.0"
4694
+ },
4695
+ {
4696
+ "name": "threat-modeling",
4697
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-modeling",
4698
+ "description": "Run a structured threat-modeling session for a new feature, system, or architecture — STRIDE, attack trees, data flow diagrams, abuse cases. Use when the user mentions 'threat model,' 'threat modeling,' 'STRIDE,' 'attack tree,' 'abuse case,' 'data flow diagram,' 'DFD,' 'security architecture review,' 'security review,' 'design review,' 'pre-implementation security,' 'shift left,' 'what could go wrong,' or needs strategic security thinking before code is written.",
4699
+ "version": "0.0.0"
4700
+ },
4701
+ {
4702
+ "name": "vuln-research",
4703
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/vuln-research",
4704
+ "description": "Research a specific CVE or vulnerability disclosure end-to-end — what version is affected, is your code reachable, is there a public PoC, is there a patch, what's the exposure window, what's the mitigation if you can't patch immediately. Use when the user mentions 'CVE,' 'vulnerability research,' 'is this CVE relevant,' 'zero-day,' 'CISA KEV,' 'GitHub Security Advisory,' 'reachability analysis,' 'patch analysis,' 'exploit availability,' 'EPSS,' 'CVSS,' or 'should we drop everything and patch this.'",
4705
+ "version": "0.0.0"
4706
+ }
4707
+ ],
4708
+ "sourceRepo": {
4709
+ "owner": "briiirussell",
4710
+ "repo": "cybersecurity-skills",
4711
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4712
+ },
4713
+ "inferred": true
4714
+ },
4715
+ {
4716
+ "version": 1,
4717
+ "name": "briiirussell-cybersecurity-skills-writing",
4718
+ "description": "Writing, editing, documentation, publishing, and content-production skills. Derived from briiirussell/cybersecurity-skills.",
4719
+ "author": "ASM (briiirussell/cybersecurity-skills)",
4720
+ "createdAt": "2026-06-08T23:20:57.686Z",
4721
+ "tags": [
4722
+ "repo-derived",
4723
+ "inferred",
4724
+ "writing",
4725
+ "content",
4726
+ "docs",
4727
+ "briiirussell",
4728
+ "cybersecurity-skills"
4729
+ ],
4730
+ "skills": [
4731
+ {
4732
+ "name": "finding-triage",
4733
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/finding-triage",
4734
+ "description": "Triage a single security finding — from a scanner, audit, advisory, or report — to a defensible disposition with a mitigation plan, false-positive justification, or accepted-risk writeup. Use when the user mentions 'triage this finding,' 'is this a real vulnerability,' 'mitigation plan,' 'false positive,' 'accept this risk,' 'compensating controls,' 'risk justification,' 'security ticket,' 'CVSS this,' 'should we fix this,' 'disposition,' 'sign off on,' or has a single security finding and needs to decide what to do.",
4735
+ "version": "0.0.0"
4736
+ },
4737
+ {
4738
+ "name": "threat-hunting",
4739
+ "installUrl": "github:briiirussell/cybersecurity-skills:skills/threat-hunting",
4740
+ "description": "Conduct proactive, hypothesis-driven threat hunts — search SIEM / EDR / logs for adversaries who haven't tripped an alert yet. ATT&CK-driven, hypothesis-based methodology. Use when the user mentions 'threat hunting,' 'proactive hunt,' 'TaHiTI,' 'PEAK framework,' 'MITRE ATT&CK hunt,' 'hypothesis-driven hunt,' 'hunt hypothesis,' 'living off the land,' 'LOLBins,' 'beaconing,' 'lateral movement detection,' 'data staging,' 'persistence hunting,' or wants to find threats that have evaded existing detections.",
4741
+ "version": "0.0.0"
4742
+ }
4743
+ ],
4744
+ "sourceRepo": {
4745
+ "owner": "briiirussell",
4746
+ "repo": "cybersecurity-skills",
4747
+ "repoUrl": "https://github.com/briiirussell/cybersecurity-skills.git"
4748
+ },
4749
+ "inferred": true
4750
+ }
4751
+ ]
4752
+ }