diff --git a/.gitignore b/.gitignore index 1ec0dd05..516baf9b 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,7 @@ Thumbs.db # Plan file (internal reference, not published) skillsrepo.md + +# Generated skill symlinks for agent tools (created by scripts/setup-skills.sh) +.claude/skills/ +.opencode/skills/ diff --git a/README.md b/README.md index 20bce500..00e5e7d3 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ ![Codex CLI](https://img.shields.io/badge/Codex_CLI-compatible-purple.svg) ![OpenClaw](https://img.shields.io/badge/OpenClaw-compatible-purple.svg) ![Kiro](https://img.shields.io/badge/Kiro-compatible-purple.svg) +![OpenCode](https://img.shields.io/badge/OpenCode-compatible-purple.svg) --- @@ -26,6 +27,20 @@ git clone https://github.com/UnitOneAI/SecuritySkills.git cd SecuritySkills ``` +**Quick setup (recommended)** — symlinks for all supported tools: + +```bash +# Project-local (Claude Code + OpenCode) +./scripts/setup-skills.sh + +# Or global install +./scripts/setup-skills.sh --global + +# After git pull, re-run to pick up new skills +``` + +**Tool-specific installs:** + **Claude Code** (native format — auto-discovery and `/slash-commands`) ```bash @@ -63,6 +78,16 @@ codex --context skills/appsec/threat-modeling/SKILL.md "Review this design" kiro spec --skill skills/ai-security/llm-top-10/SKILL.md ``` +**OpenCode** (auto-discovery via `.opencode/skills/` and `.claude/skills/`) + +```bash +# Setup symlinks (recommended) +./scripts/setup-skills.sh + +# Or manually: +mkdir -p .opencode/skills && cp -r skills/*/* .opencode/skills/ +``` + Each skill is a directory with `SKILL.md` as the entrypoint, following the [Agent Skills](https://agentskills.io) open standard. Claude Code discovers skills automatically; other tools can load them by path. ## Skill format @@ -296,7 +321,7 @@ Pre-configured skill sequences for common security roles. Each bundle orchestrat - **Framework-grounded.** Every skill cites real control IDs from OWASP, NIST, MITRE ATT&CK, or CIS. No invented controls. No hallucinated references. - **Consistent output format.** Structured findings with severity, CWE mapping, framework reference, evidence, remediation, and normalized JSON -- every time. - **AI-security skills that don't exist elsewhere.** OWASP LLM Top 10, Agentic AI security, prompt injection testing, model supply chain review. -- **Multi-agent compatible.** Same skill file works with Claude Code, Gemini CLI, Cursor, Codex CLI, OpenClaw, and Kiro. +- **Multi-agent compatible.** Same skill file works with Claude Code, OpenCode, Gemini CLI, Cursor, Codex CLI, OpenClaw, and Kiro. - **Prompt-injection hardened.** Every skill reviewed against OWASP LLM01:2025. CI scans for injection patterns on every PR. - **Enterprise-ready.** Built by practitioners, not scraped from blog posts. Designed for real security programs. diff --git a/scripts/setup-skills.sh b/scripts/setup-skills.sh new file mode 100755 index 00000000..14c7625a --- /dev/null +++ b/scripts/setup-skills.sh @@ -0,0 +1,177 @@ +#!/usr/bin/env bash +# setup-skills.sh — Symlink SecuritySkills into agent skill directories +# +# Usage: +# ./scripts/setup-skills.sh # project-local (.claude/ + .opencode/) +# ./scripts/setup-skills.sh --global # global (~/.config/opencode/ + ~/.claude/) +# ./scripts/setup-skills.sh --all # both local + global +# ./scripts/setup-skills.sh --clean # remove all generated symlinks +# +# Supported targets: +# Project-local: .claude/skills/, .opencode/skills/ +# Global: ~/.config/opencode/skills/, ~/.claude/skills/ + +set -euo pipefail + +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' + +REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" +SKILLS_DIR="$REPO_ROOT/skills" + +GLOBAL_OPENCODE_DIR="${HOME}/.config/opencode/skills" +GLOBAL_CLAUDE_DIR="${HOME}/.claude/skills" +LOCAL_CLAUDE_DIR="$REPO_ROOT/.claude/skills" +LOCAL_OPENCODE_DIR="$REPO_ROOT/.opencode/skills" + +DO_GLOBAL=false +DO_LOCAL=false +CLEAN_MODE=false + +usage() { + cat <