Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/affaan-m/ECC/llms.txt

Use this file to discover all available pages before exploring further.

Security is a first-class capability in ECC, not an afterthought. The capability:security component — and the security module it resolves to — ships a suite of skills that cover the full lifecycle of secure development: proactive code review checklists, automated scanning patterns, framework-specific hardening, regulatory compliance (HIPAA, PHI), and specialised workflows for blockchain and AI-agent security. Every skill in this module is OWASP-aligned and immediately actionable.

The Security Module (capability:security)

Component ID: capability:security
Module: security
Stability: stable
Cost: medium
The security module installs the following skills plus the-security-guide.md as a supplementary reference doc:
skills/defi-amm-security
skills/django-security
skills/healthcare-phi-compliance
skills/hipaa-compliance
skills/laravel-security
skills/llm-trading-agent-security
skills/nodejs-keccak256
skills/perl-security
skills/quarkus-security
skills/security-review
skills/security-scan
skills/security-bounty-hunter
skills/springboot-security
skills/evm-token-decimals
the-security-guide.md
Several framework components also pull in the security module automatically: framework:quarkus, framework:rails, framework:laravel, lang:ruby, and lang:perl all include security skills by default when installed.

Installing Security Skills

# Install all security skills
npx ecc install --include capability:security --target claude

# Or by module ID
npx ecc install --modules security --target claude

# Combined with a framework that auto-includes security
npx ecc install --include framework:django,capability:security --target claude

Security Skill Inventory

security-review

The core security review skill. Activates when adding authentication, handling user input, creating API endpoints, working with secrets, or implementing payment features. Covers:
  • Secrets management checklist (env vars, no hardcoding, git history audit)
  • Input validation with Zod schemas and file upload restrictions
  • SQL injection prevention via parameterised queries
  • JWT token handling (httpOnly cookies vs. localStorage)
  • Authorization checks and Row Level Security (Supabase/PostgreSQL)
  • XSS prevention: DOMPurify, Content Security Policy headers
  • CSRF tokens and SameSite cookie configuration
  • Rate limiting for APIs and expensive operations
  • Sensitive data exposure in logs and error messages
  • Blockchain wallet signature verification (Solana)
  • Dependency security: npm audit, lock file hygiene
Pre-deployment checklist — the skill ships a 17-point pre-deployment checklist covering secrets, input validation, SQL injection, XSS, CSRF, authentication, authorisation, rate limiting, HTTPS, security headers, error handling, logging, dependencies, Row Level Security, CORS, file uploads, and wallet signature verification.

security-scan

Automated scanning workflow patterns for continuous security assessment. Use this skill to run and interpret dependency vulnerability scans, static analysis, and supply-chain checks as part of a CI/CD pipeline or ad-hoc audit. Activates when:
  • Running a security audit on an existing codebase
  • Setting up automated security scanning in CI
  • Investigating a dependency vulnerability report

security-bounty-hunter

Bug bounty workflow patterns for structured vulnerability discovery. This skill encodes a systematic approach to hunting for security issues — framing the investigation, enumerating attack surface, documenting findings, and writing reproducible proofs of concept. Activates when:
  • Conducting a security audit with a bug bounty mindset
  • Preparing a vulnerability report
  • Reviewing a codebase for potential bounty-eligible issues

django-security

Django-specific security hardening patterns. Complements django-patterns with security-focused guidance for views, middleware, authentication, session management, and deployment configuration. Covers:
  • Django security middleware configuration (SECURE_* settings)
  • CSRF protection in API and AJAX contexts
  • Permission and authentication decorator patterns
  • Avoiding common Django ORM injection pitfalls
  • Content Security Policy via django-csp

laravel-security

Laravel-specific security guidance. Included automatically when you install framework:laravel. Covers:
  • CSRF token verification in forms and AJAX
  • Auth guards and policy-based authorisation
  • Mass-assignment protection with $fillable and $guarded
  • SQL injection prevention in Eloquent and raw queries
  • Secure session and cookie configuration

springboot-security

Spring Boot security hardening. Complements springboot-patterns with Spring Security configuration patterns. Covers:
  • Spring Security filter chain configuration
  • JWT and OAuth2 resource server setup
  • Method-level security with @PreAuthorize
  • CORS and CSRF configuration for REST APIs
  • Actuator endpoint security

quarkus-security

Quarkus security patterns — included automatically when you install framework:quarkus. Covers:
  • Quarkus OIDC integration (Keycloak, Auth0)
  • Role-based access control with @RolesAllowed
  • JWT claim extraction and validation
  • Security testing with @TestSecurity

hipaa-compliance

HIPAA compliance review workflow for applications that store, transmit, or process Protected Health Information (PHI). Covers:
  • HIPAA Security Rule technical safeguards checklist
  • PHI identification and minimum-necessary access
  • Audit logging requirements for PHI access
  • Encryption at rest and in transit for PHI
  • Business Associate Agreement (BAA) considerations
  • Breach notification requirements
Activates when:
  • Building healthcare applications
  • Storing or transmitting patient data
  • Conducting a HIPAA security assessment

healthcare-phi-compliance

Granular PHI handling patterns at the code level. Where hipaa-compliance covers the regulatory framework, this skill covers the implementation — how to handle PHI in data models, APIs, logs, and error messages. Covers:
  • PHI field identification and tagging in data models
  • Redaction patterns for logs and error messages
  • De-identification and pseudonymisation patterns
  • Role-based access patterns for PHI fields
  • Audit trail implementation

defi-amm-security

Security patterns for DeFi Automated Market Maker (AMM) smart contracts. Covers the specific vulnerability classes — reentrancy, price oracle manipulation, flash loan attacks, slippage exploits — that affect AMM protocols. Covers:
  • Reentrancy guard patterns
  • Price oracle security (using TWAP, avoiding spot-price manipulation)
  • Slippage and minimum-output validation
  • Flash loan attack surface analysis
  • Integer overflow/underflow (Solidity SafeMath / unchecked blocks)
  • Access control for privileged AMM functions

llm-trading-agent-security

Security patterns specific to LLM-based trading agents — a growing attack surface combining prompt injection, financial logic abuse, and autonomous execution risk. Covers:
  • Prompt injection defences for trading agent instructions
  • Output validation before executing trades
  • Position and exposure limits as hard constraints
  • Audit trails for agent-initiated transactions
  • Kill switch and circuit-breaker patterns
  • Sandboxing agent tool use to financial read/write scopes

nodejs-keccak256

Node.js keccak256 hashing patterns. A focused skill for correctly implementing Ethereum-compatible keccak256 hashing in Node.js applications — avoiding common misimplementations that can lead to signature verification failures or hash collisions.

evm-token-decimals

EVM token decimal handling patterns. Documents the common pitfalls of EVM token decimal arithmetic (USDC’s 6 decimals vs. ETH’s 18) and provides safe patterns for display, comparison, and computation.

perl-security

Security guidance specific to Perl — included automatically when you install lang:perl. Covers taint mode, use strict/use warnings, safe string handling, and CPAN dependency hygiene.

Combining Security Skills with Agents

The security-reviewer agent (installed via baseline:agents) is designed to work alongside these skills. For deep reviews, delegate to the security-reviewer agent and reference the security-review skill explicitly:
Delegate to the security-reviewer agent: run a full security-review of src/api/
using the security-review and django-security skills.
For continuous security coverage, install capability:security alongside baseline:hooks. The hooks runtime includes pre-commit and PostToolUse hook patterns that can automatically trigger the security-scan skill on modified files.

Security Skill Activation Reference

SkillAuto-activates when
security-reviewAuth, API endpoints, secrets, payments, file uploads
security-scanRunning audits, CI security checks
security-bounty-hunterSecurity audits, vulnerability research
django-securityDjango project, settings, middleware
laravel-securityLaravel project, auth, controllers
springboot-securitySpring Security configuration
quarkus-securityQuarkus OIDC, @RolesAllowed
hipaa-complianceHealthcare app, patient data, PHI
healthcare-phi-compliancePHI fields, health data models
defi-amm-securitySolidity AMM contracts, liquidity pools
llm-trading-agent-securityAI trading agents, automated execution
The security module depends on workflow-quality. Installing capability:security will also ensure workflow-quality is present, giving you access to verification-loop and eval-harness alongside the security skills.

Build docs developers (and LLMs) love