Skills
The open registry for AI agent skills — structured prompts and workflows with recommended models, example prompts, and compatible tools.
Skills
9
Categories
9
Compatible tools
5
Contributors
1
Showing 1–9 of 9 skills
Decodes and reviews JSON Web Tokens and their surrounding auth flow for correctness and security. Explains header and claims, checks algorithm and key handling, validates expiration and audience/issuer claims, and flags common pitfalls such as the alg:none attack, weak secrets, missing validation, and over-long token lifetimes. Never treats token contents as trusted secrets to echo back.
Scans code, configuration, and git history for leaked credentials such as API keys, tokens, private keys, and connection strings. Classifies findings by severity and false-positive likelihood, and provides safe remediation steps including rotation, history scrubbing, and pre-commit prevention.
Configures HTTP security headers to harden web applications. Covers Content-Security-Policy (including nonces and strict-dynamic), HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, and cookie flags. Produces server/CDN configuration, explains tradeoffs, and provides a rollout plan using report-only mode to avoid breakage.
Reviews cloud IAM policies for least-privilege violations, overly broad wildcards, privilege escalation paths, and risky trust relationships across AWS, GCP, and Azure. Explains the risk of each finding and rewrites policies to grant only the permissions actually needed.
Detects and redacts personally identifiable information (PII) and sensitive data from text, logs, and structured datasets. Recommends anonymization techniques such as masking, tokenization, pseudonymization, k-anonymity, and differential privacy, and generates reusable redaction code while preserving analytical utility and referential integrity.
Red-teams LLM applications for prompt injection, jailbreaks, and data exfiltration risks. Generates adversarial test cases for direct and indirect injection, system prompt leakage, tool-call abuse, and unsafe output handling, then reports findings with severity ratings and concrete mitigations such as input isolation, output filtering, and least-privilege tools.
Performs systematic threat modeling for software systems using frameworks like STRIDE, PASTA, and Attack Trees. Identifies potential security threats, attack vectors, and vulnerabilities in system architectures. Produces prioritized risk assessments with mitigation strategies and security controls.
Audits project dependencies for security vulnerabilities, license compliance, maintenance status, and bundle size impact. Identifies outdated packages, suggests alternatives for abandoned libraries, and flags risky transitive dependencies.
Performs comprehensive security analysis of code and configurations. Identifies OWASP Top 10 vulnerabilities, insecure patterns, missing input validation, authentication flaws, and secrets exposure. Provides remediation steps with secure code examples.
Skills vs MCP servers
what's the difference?Skillsthe “what to do”
A skillA reusable, structured prompt/workflow with recommended models, an example prompt, and compatible tools. packages know-how — instructions, an example promptA ready-to-use prompt template that demonstrates how to invoke the skill., and recommended models — so an agent performs a task consistently. Skills add knowledge, not new connections.
MCP serversthe “how to connect”
An MCP serverModel Context Protocol server — a standard way to expose tools, resources, and prompts to AI agents and IDEs. gives an agent new capabilities by connecting it to real systems (databases, APIs, files) over a transportHow the client talks to the server: stdio (local process), SSE, or HTTP streaming.. MCP adds connections and actions, not task instructions.
Rule of thumb: reach for a skill when you need the model to do a task well, and an MCP server when you need it to reach a tool or system. They compose — a skill can rely on tools an MCP server provides.
Built a useful skill?
Submit a SKILL.md — it's open source and community-maintained.