2

    security-first

    by Roy Yuen

    Prevent vulnerabilities before they happen by forcing early security framing and secure-by-default design patterns.

    Updated Jun 2026
    8 installs
    111 views

    Free

    Included in download

    • Downloadable skill package
    • Instant install

    Sample input

    I need to implement a new file upload feature for our S3 bucket. Users will authenticate via JWT. Can you help me plan the implementation?

    Sample output

    Trust Boundary: User-provided JWT vs S3 Bucket. Assumptions: We assume the 'org_id' in the token is verified by the gateway. Risk: Path traversal in file uploads. Design: Using UUIDs for storage; enforcing internal-only ACLs. Verification: Unit test with '../' in filename must fail.

    About This Skill

    What it does

    Security First is a preventive guardrail designed to bake security into the development lifecycle before the first line of code is even written. Instead of performing retrospective audits, this skill forces your AI agent to identify trust boundaries, surface security assumptions, and define verification steps during the planning phase.

    Why use this skill

    Standard LLMs often prioritize functionality over safety, frequently suggesting insecure defaults or overlooking edge cases like untrusted input and session handling. This skill shifts security "left" by requiring a structured analysis of the attack surface relevant to your specific task. It ensures that authentication, authorization, and data handling are treated as first-class requirements rather than afterthoughts.

    Supported workflows

    • Trust Boundary Mapping: Identifies actors, privileges, and sensitive data flows.
    • Secure Defaults: Enforces the principle of least privilege and minimum secure design.
    • Attack Surface Reduction: Evaluates webhooks, file storage, and infrastructure exposure.
    • Pre-implementation Verification: Defines the exact tests needed to prove security properties.

    The Output

    The result is a concise, actionable security brief tailored to your current task. It avoids generic OWASP dumps in favor of specific risks, explicit assumptions, and a concrete verification plan to guide the coding process.

    Use Cases

    • Identify trust boundaries and sensitive data flows before writing code.
    • Establish secure defaults for authentication and session management.
    • Surface hidden security assumptions in architectural plans.
    • Define specific security tests and verification steps for new features.

    Reviews

    No reviews yet - be the first to share your experience.

    Only users who have downloaded or purchased this skill can leave a review.

    Security Scanned

    Passed automated security review

    Permissions

    No special permissions declared or detected

    Tags

    appsec
    backend-security
    devsecops-architecture
    planning
    security

    Compatible with SKILL.md-compatible agents

    Creator

    Roy Yuen

    Frequently Asked Questions

    Learn More About AI Agent Skills

    More Premium Skills

    business-planner

    Transform business ideas into rigorous, scenario-based execution plans with explicit assumptions and KPIs.

    $52 installs

    designing-hybrid-context-layers

    Architects the right retrieval strategy for every query — teaching your agent when to use RAG, a knowledge graph, or a temporal index instead of defaulting to vector search for everything.

    $1012 installs

    consumer-motivation-analyzer

    Go beyond surface-level feedback to uncover the psychological drivers and hidden motivations behind buyer behavior.

    $199 installs

    keyword-research

    Transform URLs or product lists into SEO keyword research packs with Google Ads data and intent-based clustering.

    $77 installs

    Free