Security review is one of the highest-leverage tasks you can hand to an AI agent — and one of the most inconsistent when left to ad-hoc prompting. A good security skill gives your agent a repeatable procedure: the same checks, the same output format, the same severity ratings on every run.
Here's a breakdown of the best security skills available in the MDSkill directory, what they check, and when to use each.
What makes a good security skill
Before the list, it's worth knowing what separates a strong security skill from a weak one:
Scope is tight. A skill that checks for one category of vulnerability (SQL injection, secrets, SSRF) does it thoroughly. A skill that claims to "check everything" is usually shallow on all of it.
Output is structured. Severity, location, and a concrete recommendation — every finding. Unstructured prose makes it hard to act on results or track them in a ticket.
The Purpose field is precise. The agent activates a skill based on its Purpose field. "Review code for security vulnerabilities" is too broad; "review pull request diffs for OWASP Top 10 vulnerabilities, focusing on injection and authentication issues" activates correctly and produces better results.
Security score is high. Every skill in the MDSkill directory carries an audit score. For security skills specifically, aim for 90+. A security skill with a low score may itself contain problematic instructions.
Searching the directory
Search for security skills from your terminal:
npx mdskill search "security"
Or browse the security category on the site to see current top-ranked skills with scores and install commands.
Types of security skills to look for
OWASP Top 10 reviewers
These check pull request diffs for the ten most common web application vulnerabilities: injection, broken authentication, sensitive data exposure, insecure deserialization, and so on.
Best for: reviewing code before it merges to main. Install one and run it on every PR your team opens.
Dependency auditors
These scan your package.json, requirements.txt, Cargo.toml, or other manifest files for dependencies with known CVEs. The skill cross-references against published vulnerability databases and flags anything with an open issue.
Best for: running on a schedule or as part of your CI-adjacent workflow.
Secret and credential detectors
These scan staged or committed files for API keys, tokens, connection strings, and other credentials that should never be in source control. They check common patterns: AWS keys, GitHub tokens, Stripe secrets, .env variables committed accidentally.
Best for: running before every commit, especially in fast-moving projects where developers might accidentally include test credentials.
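The core of such a detector, as an added example (not code from any skill in the directory): it scans only the lines a unified diff adds, reports file and line, and redacts the match. The rule set, the names scan_diff and RULES, and the sample diff are assumptions made for illustration.

```python
import re

# Publicly documented token shapes (an assumed, minimal rule set).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return one finding per secret found on a line the diff adds."""
    findings, path, new_line, old_left, new_left = [], None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left > 0 or new_left > 0:  # inside a hunk body
            if raw.startswith("+"):
                for rule, rx in RULES.items():
                    for hit in rx.finditer(raw[1:]):
                        findings.append({
                            "severity": "critical",
                            "location": f"{path}:{new_line}",
                            # Redact: the report must not become a second leak.
                            "issue": f"{rule}: {hit.group()[:8]}... (redacted)",
                            "recommendation": "Remove from the commit and rotate the credential.",
                        })
                new_line, new_left = new_line + 1, new_left - 1
            elif raw.startswith("-"):
                old_left -= 1  # removed lines are not scanned
            elif not raw.startswith("\\"):  # context line, present on both sides
                new_line, old_left, new_left = new_line + 1, old_left - 1, new_left - 1
            continue
        if raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        m = HUNK.match(raw)
        if m:  # a count omitted from the header means 1
            old_left, new_line, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    return findings

# Constructed sample diff; both key-shaped values are fake.
SAMPLE_DIFF = "\n".join([
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -10,3 +10,4 @@",
    ' REGION = "us-east-1"',
    '-AWS_KEY = "AKIAOLDOLDOLDOLDOLD0"',
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    '+GH_TOKEN = "ghp_' + "0" * 36 + '"',
    " TIMEOUT = 30",
])
```

The key on the removed line is deliberately not reported: it is already in history and needs rotation through a separate history scan, not a pre-commit check.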
Infrastructure-as-code security scanners
These review Terraform, CloudFormation, Kubernetes manifests, and Dockerfile configurations for common misconfigurations: overly permissive IAM roles, public S3 buckets, containers running as root, open security group rules.
Best for: projects with significant infrastructure as code.
SQL injection focused
Single-purpose skills that check database queries exclusively — identifying raw string concatenation in SQL, missing parameterisation, ORM misuse patterns. Tight scope means they catch more subtle cases than broad reviewers.
Installing a security skill
Find one you want to use in the security category, then copy the install command from its detail page:
npx mdskill add owner/repo/skill-name
The CLI fetches the SKILL.md from GitHub, shows you the security audit score, and installs it to .claude/skills/ in your current project. Claude Code picks it up automatically on the next run.
To share the skill across your team, commit .claude/skills/ to your repository. Everyone who clones the repo gets the same security procedures.
Running a security review
Once a skill is installed, trigger it naturally:
- "Review this PR for security issues"
- "Check these API route handlers for vulnerabilities"
- "Audit the authentication middleware"
The agent reads the skill's procedure and follows it — consistent checks, consistent output, every time. No re-explaining what to look for.
Building a custom security skill
If your team has specific security requirements — a compliance framework, internal security standards, known weak spots in your stack — you can write a skill that encodes them:
```markdown
# internal-security-reviewer
## Purpose
Review pull requests against our internal security standards:
HIPAA-relevant data handling, encryption at rest, and audit logging.
## Instructions
1. Check all data operations touching PII for encryption
2. Verify audit log entries for any data access or modification
3. Flag any data stored without explicit retention policy
4. Check API endpoints for proper authentication middleware
## Output format
severity: critical | high | medium
location: file:line
issue: what was found
requirement: which internal standard this violates
recommendation: one-line fix
```
Keep the output format tight and machine-readable — this makes it easy to pipe results into a ticket or alert system. See how to build a skill for the full process.
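One way to consume that output format before it reaches a ticket system, as an added example (not part of MDSkill or the skill above): it validates each finding against the five fields and three severities and fails closed on anything malformed. It assumes findings are separated by blank lines; parse_findings, should_block and the sample report are hypothetical.

```python
import re

FIELDS = ("severity", "location", "issue", "requirement", "recommendation")
SEVERITIES = ("critical", "high", "medium")  # the only levels the skill allows
LOCATION = re.compile(r"^[^\s:][^:]*:[1-9]\d*$")  # file:line

def parse_findings(report):
    """Parse blank-line-separated 'key: value' blocks into (findings, errors)."""
    findings, errors = [], []
    for n, block in enumerate(re.split(r"\n\s*\n", report.strip()), start=1):
        if not block.strip():
            continue  # empty report: no findings
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if not sep or key not in FIELDS or key in record or not value:
                errors.append(f"finding {n}: unexpected line {line!r}")
            else:
                record[key] = value
        missing = [f for f in FIELDS if f not in record]
        if missing:
            errors.append(f"finding {n}: missing {', '.join(missing)}")
        elif record["severity"] not in SEVERITIES:
            errors.append(f"finding {n}: unknown severity {record['severity']!r}")
        elif not LOCATION.match(record["location"]):
            errors.append(f"finding {n}: location is not file:line")
        else:
            findings.append(record)
    return findings, errors

def should_block(findings, errors, fail_on=("critical", "high")):
    """Fail closed: unparseable agent output blocks just like a serious finding."""
    return bool(errors) or any(f["severity"] in fail_on for f in findings)

# Constructed sample of agent output; paths and findings are illustrative.
SAMPLE_REPORT = """\
severity: high
location: src/api/patients.py:42
issue: Patient record returned without an audit log entry
requirement: audit logging
recommendation: Write an audit entry before returning the record

severity: urgent
location: src/models/visit.py
issue: Notes field stored without a retention policy
requirement: retention policy
recommendation: Attach a retention policy to the model
"""
```

Treating parse errors as blocking matters because agent output is untrusted input: a finding that drifts from the format would otherwise be dropped silently.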
What's next?
- Browse the security category for currently ranked skills
- Install your first skill — two minutes from search to active
- Read about security score methodology to understand how skills are audited