Skill UI

Automate security regression testing for Large Language Model (LLM) applications by integrating Promptfoo and DeepTeam into CI/CD pipelines. This skill enforces a critical security gate, automatically testing endpoints against OWASP LLM Top 10, OWASP Agentic threats, and common jailbreaks/prompt injections. It ensures that security patches do not regress over time due to prompt or model changes, providing continuous risk monitoring.

A comprehensive tool and methodology for identifying and preventing dependency confusion attacks across major package ecosystems (npm, PyPI, Maven). It detects instances where internal, private package names are leaked and subsequently published publicly by attackers. The skill provides both detection (enumerating claimable internal names) and prevention strategies (enforcing registry pinning and scope restrictions) to secure the software supply chain.

This skill detects malicious, misspelled, or brand-jacked package names (typosquatting) across major ecosystems (npm, PyPI, crates.io). It uses advanced techniques like edit-distance and keyboard-proximity analysis, powered by tools like typomania and OSSGadget, to flag potential supply chain attacks *before* a dependency is installed. It is essential for implementing robust CI/CD security gates and proactive dependency screening.

This skill guides the end-to-end process of supply chain security by generating standards-compliant Software Bills of Materials (SBOMs) in CycloneDX and SPDX formats. It details using Syft to create inventories, correlating them with vulnerability intelligence via Grype, enforcing CI/CD gates based on severity, and establishing verifiable provenance using Cosign signing. Essential for modern DevSecOps practices.

This skill guides the verification of software build provenance and signatures using industry standards like SLSA and Sigstore. It leverages tools like cosign and slsa-verifier to enforce keyless OIDC identity and confirm that artifacts were built by trusted sources without tampering. It is essential for hardening CI/CD pipelines and securing the entire software supply chain against advanced attacks.

A specialized diagnostic skill designed to analyze failing GitHub Actions workflow logs. It identifies the root cause of crashes, such as missing secrets, environment mismatches, or deprecated syntax. The output provides precise YAML or code diffs required to fix the pipeline and optimize CI/CD processes.