
trailofbits/skills ecosystem #21

Description

@kyau

Worth adapting, in priority order for your stack:

  1. semgrep-rule-creator (+ variant-creator). A skill for authoring custom Semgrep rules with test-driven validation. This is the delivery vehicle for §1.2's detection layer: a kyaulabs rules pack — new KYAULabs\Aurora(...true in webroot files, string-interpolated $db->query(, unescaped echo $_ sinks, missing random_bytes CSRF patterns, unserialize( on request data. Your @semgrep agent gains a --config .semgrep/ lane. [content]; the resulting rules are pure Semgrep, no CC dependence. Highest-value security adoption.
  2. differential-review. Security-focused review of changes with git-history context (what did this diff newly expose?). Slots directly beside your @semgrep --baseline-commit diff-audit as the human-reasoning complement, and would strengthen @code-review's Blocking category. [content].
  3. insecure-defaults. Detects fail-open patterns, debug flags left on, hardcoded creds — this skill as a periodic scan would have flagged the aurora-page true, true template. [content].
  4. fp-check. Systematic false-positive triage with mandatory gate reviews — the missing back half of your /security command, which currently reports findings but has no protocol for adjudicating them. [content].
  5. sharp-edges. Footgun/misuse-resistance analysis of APIs — point it at Aurora and Renderr themselves (the constructor's positional bools are a sharp edge this skill exists to name; a named-options array or Aurora::debug() factory would be its likely recommendation). [content]; note its allowed-tools frontmatter is CC-specific — replace with an OpenCode permission block.
  6. property-based-testing — medium: Pest datasets get you partway; full PBT in PHP means adding eris or pest-plugin-faker patterns. Content port plus a stack-specific rewrite of examples.

Checked: your repo-hygiene layer (gitleaks hooks, committed-lockfile audit rationale) has no ToB equivalent — they assume org-level tooling; keep yours.
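As an added illustration of what item 1 (the kyaulabs rules pack) could look like, here is a Semgrep taint-mode rule covering three of the sink patterns the issue names: string-interpolated `$db->query(`, `unserialize(` on request data, and unescaped `echo` of request data. It is example code written for this page, not part of trailofbits/skills or the kyaulabs repository; the `$DB` metavariable matches any object expression (so `$db` in the issue's code), and the `htmlspecialchars`/`intval` sanitizer list is an assumption about what the project treats as safe. The `new KYAULabs\Aurora(...true` and CSRF checks are left out because their shape depends on that project's own API.

```yaml
# Added example rules pack, not the issue author's or Trail of Bits' code.
# Drop into .semgrep/ and run with:  semgrep --config .semgrep/ src/
rules:
  - id: kyaulabs-request-data-reaches-dangerous-sink
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      Request-controlled data reaches a dangerous sink ($DB->query(),
      unserialize() or echo) without a sanitizer. Use a prepared statement
      with bound parameters, json_decode() instead of unserialize(), and
      htmlspecialchars() before echoing user input.
    metadata:
      category: security
      cwe:
        - "CWE-89: SQL Injection"
        - "CWE-502: Deserialization of Untrusted Data"
        - "CWE-79: Cross-site Scripting"
    # Sources: PHP superglobals carrying request data. Semgrep treats these
    # as the literal superglobals, not as metavariables, and any expression
    # built from them ($_GET['id'], "... $_POST[name] ...") is tainted.
    pattern-sources:
      - pattern-either:
          - pattern: $_GET
          - pattern: $_POST
          - pattern: $_REQUEST
          - pattern: $_COOKIE
    # Sanitizers (assumed for this example): output escaping and integer
    # coercion clear taint. Add the project's own escaping helpers here.
    pattern-sanitizers:
      - pattern: htmlspecialchars(...)
      - pattern: intval(...)
    pattern-sinks:
      # String-interpolated query: only the first argument is the sink, so
      # $DB->query($sql, $boundParams) with a tainted bound value does not fire.
      - patterns:
          - pattern: $DB->query($SQL, ...)
          - focus-metavariable: $SQL
      # Object injection: the serialized payload argument is the sink.
      - patterns:
          - pattern: unserialize($PAYLOAD, ...)
          - focus-metavariable: $PAYLOAD
      # Reflected XSS: anything echoed while still tainted.
      - pattern: echo ...
```

For the test-driven validation the skill is about, Semgrep's own convention applies: keep a PHP fixture beside the rule whose lines are annotated with `// ruleid: kyaulabs-request-data-reaches-dangerous-sink` where a finding is expected and `// ok: kyaulabs-request-data-reaches-dangerous-sink` where none is, then run `semgrep --test .semgrep/`; a rule that drifts away from its fixtures fails the test rather than silently losing coverage.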
