
security-skills

by eth0izzle · eth0izzle/security-skills

Defensive security skills for Claude Code — threat modeling, config review, dependency audits. For blue teams, not pentesters.

A collection of Claude Code skills oriented around defensive security work: reviewing IAM policies, checking dependency trees for known CVEs, producing threat models for new features, auditing Dockerfiles and k8s manifests for common misconfigurations.


Installation

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "security-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "security-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/eth0izzle/security-skills",
        "~/.claude/skills/security-skills"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "security-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/eth0izzle/security-skills",
          "~/.claude/skills/security-skills"
        ]
      }
    }
  }
}

Add to context_servers. Zed reloads automatically.

claude mcp add security-skill -- git clone https://github.com/eth0izzle/security-skills ~/.claude/skills/security-skills

One-line command. Verify: claude mcp list. Remove: claude mcp remove.

Use cases

Real-world scenarios: security-skills

Produce a STRIDE threat model for a new feature

👤 Security engineers, staff+ engineers owning a feature's security review ⏱ ~45 min advanced

When to use: Design review for a feature that touches user data, auth, or external networks.

Prerequisites
  • Feature design doc or architecture diagram — Paste into chat or point Claude at the file
  • Skill installed — git clone https://github.com/eth0izzle/security-skills ~/.claude/skills/security-skills
Flow
  1. Walk the system
    Use security-skills. Here's the design for [feature]. Enumerate trust boundaries and data flows.
    → Named trust boundaries, explicit data flow arrows
  2. Apply STRIDE
    For each boundary, call out Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation risks.
    → Table with threats scored, not generic 'consider XSS'
  3. Propose mitigations
    Rank the threats by likelihood * impact and propose concrete mitigations for the top 5.
    → Specific controls (rate limit, signed requests, audit log)

Outcome: A threat model doc ready for a security review meeting.

Pitfalls
  • STRIDE becomes checkbox theater — Demand concrete attacker stories — 'attacker with X wants Y, does Z'
Combine with: filesystem

Sweep a repo's dependencies for known CVEs

👤 Dev teams responding to a security advisory ⏱ ~30 min intermediate

When to use: A new CVE drops and you need to know where you're exposed.

Flow
  1. Point at the manifest
    Use security-skills. Audit package-lock.json for dependencies with known CVEs published in the last 90 days.
    → List of packages, advisory IDs, severity
  2. Triage by usage
    For each vulnerable dep, grep the codebase — is it actually reachable?
    → Reachable vs unreachable classification
  3. Draft an upgrade plan
    Plan the minimum-risk upgrade order so CI doesn't explode.
    → Ordered upgrade sequence with version pins

Outcome: A concrete patch plan — not 'run npm audit fix' and pray.

Pitfalls
  • Transitive dependencies missed — Use full lockfile, not just top-level manifest
Combine with: filesystem · github

Review Terraform and k8s manifests for common misconfigs

👤 Platform engineers, DevSecOps ⏱ ~30 min intermediate

When to use: Before merging IaC changes into main, or auditing what's already there.

Flow
  1. Point Claude at the IaC directory
    Use security-skills. Scan terraform/ for S3 buckets without encryption, IAM wildcards, public security groups.
    → File+line references with severity
  2. Get fixes
    For each finding, propose the minimal Terraform diff to fix it.
    → HCL snippets showing before/after

Outcome: PR-sized security fixes you can merge incrementally.

Pitfalls
  • False positives on intentional public assets — Tag resources that are intentionally public; the skill should skip them
Combine with: github · filesystem

Combinations

Combine with other MCPs for a 10x effect

security-skill + github

Post findings as PR comments automatically

Review this PR and leave line comments for each security finding.

security-skill + filesystem

Recursive scans across a monorepo

Walk the entire services/ tree and aggregate findings by service.

Tools

What this MCP provides

| Tool | Input | When to call | Cost |
| --- | --- | --- | --- |
| threat_model | system description | Design-phase review | 0 |
| cve_audit | lockfile path | After a public CVE drops | 0 (uses public advisory data) |
| iac_review | directory path | Pre-merge IaC audits | 0 |
| secret_scan | path or diff | Pre-commit or pre-push | 0 |

Cost and limits

What it costs

API quota: None built-in
Tokens per call: Moderate — depends on files inspected
Money: Free
Tip: Scope scans to specific directories; don't point at node_modules.

Security

Permissions, secrets, blast radius

Credential storage: None in skill itself
Outbound traffic: None — skill is prompts; be aware inspected code goes to Claude API

Troubleshooting

Common errors and fixes

Skill suggests exploitation techniques

Re-prompt for defensive framing: 'as a defender, how do I prevent X'

Too many false positives on IaC scan

Provide context (prod vs staging; intentional public resources)

Missed a known vulnerability

Claude's knowledge cutoff may lag. Pair with a proper scanner (Trivy, Snyk) for authoritative CVE data.

Alternatives

security-skills compared

| Alternative | When to use | Trade-off |
| --- | --- | --- |
| Trivy / Grype | You need an authoritative, up-to-date vulnerability database | No LLM reasoning — just raw scan output |
| tfsec / checkov | Specific IaC scanning with a curated rule set | Rule-bound; misses nuanced misconfigs |
