Security work is repetitive in the worst way. You know the dependency tree has CVEs piling up. You know someone should review the retention policy against GDPR. But the work keeps getting deferred because no one has budgeted the time.
Agent skills change the math. They run inside your coding agent — Claude Code, Codex, Cursor — and handle the structured, rule-based security and compliance work that eats hours every sprint. The skills below cover code scanning, dependency auditing, threat modeling, penetration testing, regulatory compliance, and audit infrastructure.
What to Look For
Coverage depth. A security skill that flags “possible XSS” without telling you where, why, or how to fix it is just noise. The best skills return prioritized findings with severity scores, affected code locations, and concrete remediation steps.
Framework awareness. GDPR, HIPAA, SOC 2, PCI-DSS, and ISO 27001 each have distinct requirements. A skill that treats them interchangeably will produce generic output. Look for skills that tailor analysis to your target framework.
Integration with your stack. A dependency auditor that only reads package.json is useless if your project runs on pip and cargo. Check that the skill handles your actual dependency managers and languages.
Actionable output. The strongest skills produce reports you can hand directly to a developer or paste into a ticket — severity, location, fix, done.
Top Agent Skills for Security and Compliance
1. Security Auditor
The broadest security scanning skill available. Security Auditor checks codebases against the OWASP Top 10: exposed secrets, SQL injection, XSS, insecure dependencies, broken access control, and more. It returns a prioritized finding report ranked by severity.
Each finding includes the vulnerability type, affected file and line, a severity rating, and a recommended fix. Run it before every PR merge and get a structured report that maps directly to tickets.
Compatible with: Claude Code, Codex, Cursor
Category: Security
Install: gh skill install wshobson/agents/security-auditor
2. Dependency Auditor
Your code might be clean, but your dependencies are someone else’s problem — until they are not. Dependency Auditor scans npm, pip, and cargo dependency trees for known CVEs, deprecated packages, license conflicts, and version drift. It returns a severity-ranked report.
The license conflict detection matters. Shipping a GPL dependency inside a proprietary product is a legal issue, not just a technical one. This skill catches that before your legal team does. It also flags deprecated packages that still work but will not get security patches.
Compatible with: Claude Code, Codex, Cursor
Category: Security
Install: gh skill install alirezarezvani/claude-skills/dependency-auditor
3. Threat Modeler
Most teams skip threat modeling because it takes a full day with a whiteboard. Threat Modeler generates structured threat models using STRIDE methodology from a description of your system architecture, API surface, or data flows.
Feed it a system diagram or architecture doc and it returns attack vectors mapped to each component, impact severity ratings, and mitigation priorities. The output drops directly into a security review document. Most useful at the design phase — before you write code that bakes in assumptions an attacker will test.
Compatible with: Claude Code, Codex, Universal
Category: Security
Install: gh skill install sickn33/antigravity-awesome-skills/threat-modeler
4. Penetration Testing Skill
For teams that run their own security assessments. Penetration Testing Skill executes structured assessments on web applications, APIs, and network targets. It covers OWASP Top 10, authentication bypass, injection vectors, broken access control, and secrets exposure.
The output is formatted for security teams: CVSS scores, proof-of-concept steps, and remediation guidance for every finding. This is not a passive scanner — it actively tests for authentication bypass, JWT misconfiguration, and injection vectors. Built for authorized testing workflows.
Compatible with: Claude Code, Codex
Category: Security
Install: gh skill install OWASP/web-security-testing-guide
5. Compliance Checker
Compliance Checker reviews code, documentation, and policy against GDPR, HIPAA, SOC 2, PCI-DSS, and ISO 27001. It returns a gap analysis with remediation steps for each finding.
If your product handles health data in the EU, you need both HIPAA and GDPR coverage in a single pass. This skill runs both frameworks simultaneously, flagging where requirements overlap and where they diverge. The gap analysis maps directly to audit preparation checklists.
Compatible with: Claude Code, Universal
Category: Compliance
Install: gh skill install sickn33/antigravity-awesome-skills/compliance-checker
6. GDPR Compliance Auditor
GDPR Compliance Auditor goes deeper on privacy regulation. It audits code, data flows, and policies for GDPR, CCPA, and LGPD — covering consent mechanisms, retention policies, PII handling, and right-to-erasure workflows.
It goes deeper than the general Compliance Checker by tracing PII through your codebase — where it enters, where it is stored, who it is shared with, and whether deletion workflows cover every storage point. It also generates draft Data Processing Agreement language. If you are preparing for a GDPR audit, this is the skill that finds what you missed.
Compatible with: Claude Code, Cursor, Universal
Category: Compliance
Install: gh skill install wshobson/agents/gdpr-compliance
7. Audit Trail Designer
Logging is easy. Designing an audit trail that satisfies compliance requirements, resists tampering, and remains queryable at scale is not. Audit Trail Designer handles the architecture: what to log, schema design, tamper-evidence mechanisms, retention periods, and query patterns.
Most useful when building a new system or retrofitting for compliance. It specifies the schema, immutability guarantees, and retention rules tailored to your regulatory context. The output is a design document, not just recommendations. For fintech, healthtech, or any product facing auditors, this saves weeks of architecture work.
Compatible with: Claude Code, Codex
Category: Compliance
Install: gh skill install ComposioHQ/awesome-claude-skills/audit-trail-designer
How to Choose
Start with what is blocking you right now.
If you are shipping code, Security Auditor and Dependency Auditor cover the two biggest risk surfaces. Run both on every PR.
If you are designing a new system, run Threat Modeler before writing code. Catching a design flaw at the architecture phase costs a fraction of finding it in production.
If you are preparing for an audit, Compliance Checker gives the broadest coverage. Add GDPR Compliance Auditor for privacy-specific depth and Audit Trail Designer if you need logging infrastructure from scratch.
Most teams will get the highest return from stacking two or three of these. Security Auditor + Dependency Auditor + Compliance Checker covers code, supply chain, and regulatory risk in a single workflow.
FAQ
Q: Can these skills replace a security team? A: No. They automate the structured, repeatable parts of security work — scanning, checking, reporting. Judgment calls, incident response, and adversarial thinking still require humans. Think of these skills as force multipliers, not replacements.
Q: Do these skills work with monorepos? A: Yes. They operate at the file and package level, so monorepo structures work without special configuration.
Q: How do I combine security and compliance skills in one workflow? A: Run them sequentially. A practical pattern: Dependency Auditor first (supply chain), then Security Auditor (code-level), then Compliance Checker (regulatory gaps). See our guide on combining multiple agent skills in one workflow for detailed patterns.