Security is a first-class capability in ECC, not an afterthought. TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/affaan-m/ECC/llms.txt
Use this file to discover all available pages before exploring further.
capability:security component — and the security module it resolves to — ships a suite of skills that cover the full lifecycle of secure development: proactive code review checklists, automated scanning patterns, framework-specific hardening, regulatory compliance (HIPAA, PHI), and specialised workflows for blockchain and AI-agent security. Every skill in this module is OWASP-aligned and immediately actionable.
The Security Module (capability:security)
Component ID: capability:securityModule:
securityStability: stable
Cost: medium The
security module installs the following skills plus the-security-guide.md as a supplementary reference doc:
security module automatically: framework:quarkus, framework:rails, framework:laravel, lang:ruby, and lang:perl all include security skills by default when installed.
Installing Security Skills
Security Skill Inventory
security-review
The core security review skill. Activates when adding authentication, handling user input, creating API endpoints, working with secrets, or implementing payment features.
Covers:
- Secrets management checklist (env vars, no hardcoding, git history audit)
- Input validation with Zod schemas and file upload restrictions
- SQL injection prevention via parameterised queries
- JWT token handling (httpOnly cookies vs. localStorage)
- Authorization checks and Row Level Security (Supabase/PostgreSQL)
- XSS prevention: DOMPurify, Content Security Policy headers
- CSRF tokens and SameSite cookie configuration
- Rate limiting for APIs and expensive operations
- Sensitive data exposure in logs and error messages
- Blockchain wallet signature verification (Solana)
- Dependency security:
npm audit, lock file hygiene
security-scan
Automated scanning workflow patterns for continuous security assessment. Use this skill to run and interpret dependency vulnerability scans, static analysis, and supply-chain checks as part of a CI/CD pipeline or ad-hoc audit.
Activates when:
- Running a security audit on an existing codebase
- Setting up automated security scanning in CI
- Investigating a dependency vulnerability report
security-bounty-hunter
Bug bounty workflow patterns for structured vulnerability discovery. This skill encodes a systematic approach to hunting for security issues — framing the investigation, enumerating attack surface, documenting findings, and writing reproducible proofs of concept.
Activates when:
- Conducting a security audit with a bug bounty mindset
- Preparing a vulnerability report
- Reviewing a codebase for potential bounty-eligible issues
django-security
Django-specific security hardening patterns. Complements django-patterns with security-focused guidance for views, middleware, authentication, session management, and deployment configuration.
Covers:
- Django security middleware configuration (
SECURE_*settings) - CSRF protection in API and AJAX contexts
- Permission and authentication decorator patterns
- Avoiding common Django ORM injection pitfalls
- Content Security Policy via
django-csp
laravel-security
Laravel-specific security guidance. Included automatically when you install framework:laravel.
Covers:
- CSRF token verification in forms and AJAX
- Auth guards and policy-based authorisation
- Mass-assignment protection with
$fillableand$guarded - SQL injection prevention in Eloquent and raw queries
- Secure session and cookie configuration
springboot-security
Spring Boot security hardening. Complements springboot-patterns with Spring Security configuration patterns.
Covers:
- Spring Security filter chain configuration
- JWT and OAuth2 resource server setup
- Method-level security with
@PreAuthorize - CORS and CSRF configuration for REST APIs
- Actuator endpoint security
quarkus-security
Quarkus security patterns — included automatically when you install framework:quarkus.
Covers:
- Quarkus OIDC integration (Keycloak, Auth0)
- Role-based access control with
@RolesAllowed - JWT claim extraction and validation
- Security testing with
@TestSecurity
hipaa-compliance
HIPAA compliance review workflow for applications that store, transmit, or process Protected Health Information (PHI).
Covers:
- HIPAA Security Rule technical safeguards checklist
- PHI identification and minimum-necessary access
- Audit logging requirements for PHI access
- Encryption at rest and in transit for PHI
- Business Associate Agreement (BAA) considerations
- Breach notification requirements
- Building healthcare applications
- Storing or transmitting patient data
- Conducting a HIPAA security assessment
healthcare-phi-compliance
Granular PHI handling patterns at the code level. Where hipaa-compliance covers the regulatory framework, this skill covers the implementation — how to handle PHI in data models, APIs, logs, and error messages.
Covers:
- PHI field identification and tagging in data models
- Redaction patterns for logs and error messages
- De-identification and pseudonymisation patterns
- Role-based access patterns for PHI fields
- Audit trail implementation
defi-amm-security
Security patterns for DeFi Automated Market Maker (AMM) smart contracts. Covers the specific vulnerability classes — reentrancy, price oracle manipulation, flash loan attacks, slippage exploits — that affect AMM protocols.
Covers:
- Reentrancy guard patterns
- Price oracle security (using TWAP, avoiding spot-price manipulation)
- Slippage and minimum-output validation
- Flash loan attack surface analysis
- Integer overflow/underflow (Solidity
SafeMath/ unchecked blocks) - Access control for privileged AMM functions
llm-trading-agent-security
Security patterns specific to LLM-based trading agents — a growing attack surface combining prompt injection, financial logic abuse, and autonomous execution risk.
Covers:
- Prompt injection defences for trading agent instructions
- Output validation before executing trades
- Position and exposure limits as hard constraints
- Audit trails for agent-initiated transactions
- Kill switch and circuit-breaker patterns
- Sandboxing agent tool use to financial read/write scopes
nodejs-keccak256
Node.js keccak256 hashing patterns. A focused skill for correctly implementing Ethereum-compatible keccak256 hashing in Node.js applications — avoiding common misimplementations that can lead to signature verification failures or hash collisions.
evm-token-decimals
EVM token decimal handling patterns. Documents the common pitfalls of EVM token decimal arithmetic (USDC’s 6 decimals vs. ETH’s 18) and provides safe patterns for display, comparison, and computation.
perl-security
Security guidance specific to Perl — included automatically when you install lang:perl. Covers taint mode, use strict/use warnings, safe string handling, and CPAN dependency hygiene.
Combining Security Skills with Agents
Thesecurity-reviewer agent (installed via baseline:agents) is designed to work alongside these skills. For deep reviews, delegate to the security-reviewer agent and reference the security-review skill explicitly:
Security Skill Activation Reference
| Skill | Auto-activates when |
|---|---|
security-review | Auth, API endpoints, secrets, payments, file uploads |
security-scan | Running audits, CI security checks |
security-bounty-hunter | Security audits, vulnerability research |
django-security | Django project, settings, middleware |
laravel-security | Laravel project, auth, controllers |
springboot-security | Spring Security configuration |
quarkus-security | Quarkus OIDC, @RolesAllowed |
hipaa-compliance | Healthcare app, patient data, PHI |
healthcare-phi-compliance | PHI fields, health data models |
defi-amm-security | Solidity AMM contracts, liquidity pools |
llm-trading-agent-security | AI trading agents, automated execution |
The
security module depends on workflow-quality. Installing capability:security will also ensure workflow-quality is present, giving you access to verification-loop and eval-harness alongside the security skills.