security-review
Read-only security audit of code for SQL injection, XSS, auth/authz flaws, input validation gaps, sensitive data exposure, and insecure cryptography. Surfaces findings without modifying code.
| Field | Value |
|---|---|
| name | security-review |
| description | Read-only security audit of code for SQL injection, XSS, auth/authz flaws, input validation gaps, sensitive data exposure, and insecure cryptography. Surfaces findings without modifying code. |
| allowed-tools | ["Read","Grep","Glob"] |
| disable-model-invocation | true |
| user-invocable | true |
This skill is explicit-invoke only (disable-model-invocation: true) and read-only (allowed-tools is limited to Read, Grep and Glob, so it can read and search files but not edit them). It surfaces findings; fixing them is a separate, deliberate step.
For each finding, report:
Group findings by severity. Don't speculate about issues you can't see in the code; if a check requires runtime context you don't have, say so.