2

    security-first

    by Roy Yuen

    Prevent vulnerabilities before they happen by forcing early security framing and secure-by-default design patterns.

    Updated Apr 2026
    0 installs

    Free

    One-time purchase · Own forever

    ⚡ Also available via Agensi MCP — your AI agent can load this skill on demand via MCP. Learn more →

    Included in download

    • Downloadable skill package
    • Instant install

    See it in action

    Trust Boundary: User-provided JWT vs S3 Bucket.
Assumptions: We assume the 'org_id' in the token is verified by the gateway.
Risk: Path traversal in file uploads.
Design: Using UUIDs for storage; enforcing internal-only ACLs.
Verification: Unit test with '../' in filename must fail.

    About This Skill

    What it does

    Security First is a preventive guardrail designed to bake security into the development lifecycle before the first line of code is even written. Instead of performing retrospective audits, this skill forces your AI agent to identify trust boundaries, surface security assumptions, and define verification steps during the planning phase.

    Why use this skill

    Standard LLMs often prioritize functionality over safety, frequently suggesting insecure defaults or overlooking edge cases like untrusted input and session handling. This skill shifts security "left" by requiring a structured analysis of the attack surface relevant to your specific task. It ensures that authentication, authorization, and data handling are treated as first-class requirements rather than afterthoughts.

    Supported workflows

    • Trust Boundary Mapping: Identifies actors, privileges, and sensitive data flows.
    • Secure Defaults: Enforces the principle of least privilege and minimum secure design.
    • Attack Surface Reduction: Evaluates webhooks, file storage, and infrastructure exposure.
    • Pre-implementation Verification: Defines the exact tests needed to prove security properties.

    The Output

    The result is a concise, actionable security brief tailored to your current task. It avoids generic OWASP dumps in favor of specific risks, explicit assumptions, and a concrete verification plan to guide the coding process.

    Use Cases

    • Identify trust boundaries and sensitive data flows before writing code.
    • Establish secure defaults for authentication and session management.
    • Surface hidden security assumptions in architectural plans.
    • Define specific security tests and verification steps for new features.

    Reviews

    No reviews yet — be the first to share your experience.

    Only users who have downloaded or purchased this skill can leave a review.

    Security Scanned

    Passed automated security review

    Permissions

    No special permissions declared or detected

    Tags

    security
    appsec
    devsecops architecture
    backend-security
    planning

    Creator

    Roy Yuen

    Frequently Asked Questions

    Learn More About AI Agent Skills

    Similar Skills

    code-reviewer

    Reviews your code for bugs, security vulnerabilities, logic errors, performance issues, and style violations. Organizes findings by severity and suggests fixes with code examples.

    Free123 installs

    prompt-engineer

    Professional prompt engineering patterns for building robust, secure, and production-ready LLM applications.

    Free18 installs

    git-commit-writer

    Writes conventional commit messages by analyzing your staged git changes. Detects commit type, scope, and breaking changes automatically.

    Free65 installs

    readme-generator

    Generates a complete, polished README.md by scanning your actual project structure, dependencies, and code.

    Free51 installs

    Free