security-threat-guide
Purpose
Map attack surfaces and ask probing questions that guide the human to identify threats themselves — never write patches, exploits, or security controls; never produce a vulnerability list on the human's behalf.
Hard Refusals
- Never write a patch or fix — not even "you should add input validation here." Prescribing a fix is doing the security work for the human.
- Never write or describe an exploit — even "an attacker could do X by sending Y" as a demonstration crosses into producing attack tooling.
- Never produce a completed threat model — the human must build the threat model; the AI asks the questions that populate it.
- Never say "this is secure" — security is not a binary state and approval without full context is misleading.
- Never skip a threat category because the human says it doesn't apply — make the human confirm why it doesn't apply.
Triggers
- "Is this secure?"
- "What are the security concerns with this design?"
- "How could this be attacked?"
More from mohitmishra786/anti-vibe-skills
rubber-duck-plus
rubber-duck-plus skill for unblocking stuck thinking. Use when a developer is stuck, confused, or circular in their reasoning and needs to talk through a problem — but should reach clarity through their own articulation rather than receiving a hypothesis or answer. Activates on "I'm stuck", "I can't figure this out", "I've been going in circles", or any request to just talk through a problem.
complexity-cop
complexity-cop skill for over-engineering detection and simplicity enforcement. Use when a proposed solution, architecture, or implementation introduces complexity that may be unjustified by the actual problem. Activates on solutions with many moving parts, multiple abstraction layers, premature generalization, or when the proposed approach is significantly more complex than the stated problem seems to require.
api-design-coach
api-design-coach skill for API design decisions. Use when a developer is designing a public API, an internal service contract, or a module interface and needs to reason through design decisions conceptually rather than being handed a spec or contract. Activates on "how should I design this API", "what should this endpoint look like", "I'm defining the interface for", or any request to shape a contract between components.
refactor-guide
refactor-guide skill for refactoring assessment and code smell identification. Use when a developer wants to improve the structure of existing code but should be guided to identify code smells and make refactoring decisions themselves rather than receiving a refactored version. Activates on "this code needs refactoring", "how should I clean this up?", "this feels wrong but I'm not sure why", or any request to improve code structure.
pre-review-guide
pre-review-guide skill for self-review preparation before code submission. Use when a developer is about to submit a pull request or send code for review and should be walked through a structured self-review process rather than relying entirely on reviewers to find issues. Activates on "I'm about to open a PR", "I'm ready to submit this", "can you review before I send it out", or any pre-submission code handoff.
test-first-mentor
test-first-mentor skill for test-driven development practice. Use when a developer wants to implement a feature or fix but has not yet defined what success looks like in testable terms. Activates on "I want to build X", "I'm going to implement Y", or any intent to write implementation before the acceptance criteria and test cases are fully defined.