security-skills MCP — Cas d'usage, Installer & Démo en direct

Pourquoi l'utiliser

Fonctionnalités clés

Threat modeling template based on STRIDE
Dependency CVE cross-referencing workflow
IaC misconfiguration checks (Terraform, Docker, k8s)
Security code review patterns
Defensive focus — no exploitation tooling

Démo en direct

Aperçu en pratique

security-skill.replay ▶ prêt

0/0

Installer

Choisissez votre client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Ouvrez Claude Desktop → Settings → Developer → Edit Config. Redémarrez après avoir enregistré.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Cursor utilise le même schéma mcpServers que Claude Desktop. La config projet l'emporte sur la globale.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Cliquez sur l'icône MCP Servers dans la barre latérale Cline, puis "Edit Configuration".

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Même format que Claude Desktop. Redémarrez Windsurf pour appliquer.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "security-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ]
    }
  ]
}

Continue utilise un tableau d'objets serveur plutôt qu'une map.

~/.config/zed/settings.json

{
  "context_servers": {
    "security-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/eth0izzle/security-skills",
          "~/.claude/skills/security-skills"
        ]
      }
    }
  }
}

Ajoutez dans context_servers. Zed recharge à chaud à la sauvegarde.

claude mcp add security-skill -- git clone https://github.com/eth0izzle/security-skills ~/.claude/skills/security-skills

Une seule ligne. Vérifiez avec claude mcp list. Supprimez avec claude mcp remove.

Cas d'usage

Usages concrets : security-skills

Produce a STRIDE threat model for a new feature

👤 Security engineers, staff+ engineers owning a feature's security review ⏱ ~45 min advanced

Quand l'utiliser : Design review for a feature that touches user data, auth, or external networks.

Prérequis

Feature design doc or architecture diagram — Paste into chat or point Claude at the file
Skill installed — git clone https://github.com/eth0izzle/security-skills ~/.claude/skills/security-skills

Déroulement

Walk the system

Use security-skills. Here's the design for [feature]. Enumerate trust boundaries and data flows.✓ Copié

→ Named trust boundaries, explicit data flow arrows
Apply STRIDE

For each boundary, call out Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation risks.✓ Copié

→ Table with threats scored, not generic 'consider XSS'
Propose mitigations

Rank the threats by likelihood * impact and propose concrete mitigations for the top 5.✓ Copié

→ Specific controls (rate limit, signed requests, audit log)

Résultat : A threat model doc ready for a security review meeting.

Pièges

STRIDE becomes checkbox theater — Demand concrete attacker stories — 'attacker with X wants Y, does Z'

Combiner avec : filesystem

Sweep a repo's dependencies for known CVEs

👤 Dev teams responding to a security advisory ⏱ ~30 min intermediate

Quand l'utiliser : A new CVE drops and you need to know where you're exposed.

Déroulement

Point at the manifest

Use security-skills. Audit package-lock.json for dependencies with known CVEs published in the last 90 days.✓ Copié

→ List of packages, advisory IDs, severity
Triage by usage

For each vulnerable dep, grep the codebase — is it actually reachable?✓ Copié

→ Reachable vs unreachable classification
Draft an upgrade plan

Plan the minimum-risk upgrade order so CI doesn't explode.✓ Copié

→ Ordered upgrade sequence with version pins

Résultat : A concrete patch plan — not 'run npm audit fix' and pray.

Pièges

Transitive dependencies missed — Use full lockfile, not just top-level manifest

Combiner avec : filesystem · github

Review Terraform and k8s manifests for common misconfigs

👤 Platform engineers, DevSecOps ⏱ ~30 min intermediate

Quand l'utiliser : Before merging IaC changes into main, or auditing what's already there.

Déroulement

Point Claude at the IaC directory

Use security-skills. Scan terraform/ for S3 buckets without encryption, IAM wildcards, public security groups.✓ Copié

→ File+line references with severity
Get fixes

For each finding, propose the minimal Terraform diff to fix it.✓ Copié

→ HCL snippets showing before/after

Résultat : PR-sized security fixes you can merge incrementally.

Pièges

False positives on intentional public assets — Tag resources that are intentionally public; the skill should skip them

Combiner avec : github · filesystem

Combinaisons

Associez-le à d'autres MCPs pour un effet X10

security-skill + github

Post findings as PR comments automatically

Review this PR and leave line comments for each security finding.✓ Copié

security-skill + filesystem

Recursive scans across a monorepo

Walk the entire services/ tree and aggregate findings by service.✓ Copié

Outils

Ce que ce MCP expose

Outil	Entrées	Quand appeler	Coût
threat_model	system description	Design-phase review	0
cve_audit	lockfile path	After a public CVE drops	0 (uses public advisory data)
iac_review	directory path	Pre-merge IaC audits	0
secret_scan	path or diff	Pre-commit or pre-push	0

Coût et limites

Coût d'exécution

Quota d'API: None built-in
Tokens par appel: Moderate — depends on files inspected
Monétaire: Free
Astuce: Scope scans to specific directories; don't point at node_modules.

Sécurité

Permissions, secrets, portée

Stockage des identifiants : None in skill itself

Sortie de données : None — skill is prompts; be aware inspected code goes to Claude API

Defensive only. Do not use for exploitation, credential harvesting, or red-team operations.
Never paste production secrets into prompts — even when asking the skill to 'find them'.

Dépannage

Erreurs courantes et correctifs

Skill suggests exploitation techniques

Re-prompt for defensive framing: 'as a defender, how do I prevent X'

Too many false positives on IaC scan

Provide context (prod vs staging; intentional public resources)

Missed a known vulnerability

Claude's knowledge cutoff may lag. Pair with a proper scanner (Trivy, Snyk) for authoritative CVE data.

Alternatives

security-skills vs autres

Alternative	Quand l'utiliser	Compromis
Trivy / Grype	You need an authoritative, up-to-date vulnerability database	No LLM reasoning — just raw scan output
tfsec / checkov	Specific IaC scanning with a curated rule set	Rule-bound; misses nuanced misconfigs

Plus

Ressources

📖 Lire le README officiel sur GitHub

🐙 Voir les issues ouvertes

🔍 Parcourir les 400+ serveurs MCP et Skills