u/Netxeo

▲ 2 r/codex

Which Model do you use?

Hello all!
So I've just installed Codex and was on Claude before.
I wanted to know which model you use to consume less. Right now I'm on 5.5 medium and normal speed mode, plus the skill I have from Claude to consume less.


u/Netxeo — 3 days ago

Hey everyone!

A few days ago, I shared a 29-module Security Skill for Claude here. It blew up (over 12k views!), but the comments highlighted some little problems: AI coding tools have dangerous blind spots.

LLMs are lazy. They skip rate-limiting 90% of the time. They miss subtle session fixation. And while traditional static tools like SonarQube are great at catching hardcoded secrets, they are completely blind to context and business logic.

So I spent the last few days completely rewriting the core engine to fix this. Here is what is new in v1.3:

  • The "AI Blind Spot" Override: Claude now has strict prompt-engineering forcing it to aggressively hunt down missing Rate Limits on ALL public endpoints. No more lazy LLMs skipping the basics.
  • The SonarQube Gap (Semantic Analysis): Static analysis is blind to context. The skill now explicitly forces Claude to use its semantic reasoning to focus on what SAST tools miss: complex business logic flaws, authorization bypasses, and race conditions (where your code compiles perfectly, but the logic is actually broken).
  • ASVS Level 3 Session Fixation: Upgraded the auth modules to catch high-level edge cases: privilege escalation (sudo mode), OAuth state manipulation, and WebSocket vulnerabilities.
  • Fast Mode (CI/CD Ready): Added a --yes flag. You can now bypass the interactive setup to instantly inject the skill into any codebase. Perfect for power users.
  • Full Engine Refactor & Tests: Huge shoutout to the Reddit community (special thanks to dutch2005) for a massive PR adding full Vitest test infrastructure and refactoring the CLI.
  • Official Website: I built a dedicated landing page to make the docs and commands way easier to digest.

You can try the new update on your current project with zero config: npx @netxeo/security-skill@latest

Website: https://security.ai-dev-skills.com/
Repo: https://github.com/Netxeo/skill-file-security

Let me know if you catch any other AI blind spots I should patch next!

u/Netxeo — 11 days ago
▲ 3 r/Design

I've been looking for some fresh inspiration recently, and I'd love to hear about your favorite original or uncommon design trends (not like glassmorphism, neumorphism, or anything similar). They can be from any era and from anywhere in the world!
Thanks to everyone participating!

u/Netxeo — 11 days ago
▲ 1 r/nextjs

Hey everyone!

I recently built a security CLI tool for developers. When it came to designing the landing page, I realized I was getting sick of the current meta: soft rounded bento boxes, blurry purple mesh gradients, and floating glowing orbs (the classic v0.dev look).

Since the tool is strictly for security engineering and terminal users, I went the opposite route: Pure Brutalism.

Built with Next.js 14, Tailwind, and GSAP:

  • Pure #000000 backgrounds, no soft grays.
  • rounded-none everywhere. Sharp 1px borders.
  • Heavy use of monospace fonts to feel like a raw terminal.
  • Simple staggered translateY animations instead of crazy 3D stuff.

I wanted it to feel like an old-school blueprint or a raw hacking terminal, but still feel "premium".

Here is the live site: https://security.ai-dev-skills.com/

I’d love some honest critiques on the UI/UX. Did I go too far with the brutalism? Are the font sizes too weird on mobile? Roast my padding, I can take it.

u/Netxeo — 12 days ago

Hey everyone!

Yesterday, I shared my AI Security Skill here. The feedback was awesome, but some of you pointed out real problems with how AI coding tools handle security today.

A few users mentioned that AI tools generate way too much noise and are overly strict on theoretical issues, which just leads to developers ignoring them. Another person pointed out that my installer was injecting a bunch of config files for AI tools you don't even use, polluting the repo. Finally, someone gave me the great idea to show clear before and after audits to actually prove the value of the tool.

I took all of this to heart and just pushed v1.1.

I added a strict Signal vs Noise core rule. The AI is now explicitly forced to filter out low-risk theory and focus only on practical vulnerabilities. It also won't just dump code diffs anymore. It has to explain why something is risky in plain English so you actually learn from the process instead of just blindly patching.

I also completely rewrote the installation CLI. It is now fully interactive. It asks which AI you use and only injects the exact file you need for Claude. Zero repo pollution.

Finally, I added a /security-history command. You can see the result in the screenshots I attached to this post. It generates a clean breakdown of where your codebase started, the exact vulnerabilities it found, and how it patched them to reach a perfect score.

The package is updated and live. You can try the new interactive installer on your current project by running `npx @netxeo/security-skill@latest` in your terminal.

Repo: https://github.com/Netxeo/skill-file-security
Website: https://skill-file-security-website.vercel.app/

Let me know what you think of the new audit format in the screenshots!

u/Netxeo — 12 days ago

Hey everyone,

We all know Claude 4.6 Sonnet is a beast at coding, but like all models, if you don't give it strict context, it will generate code that works but isn't necessarily secure (missing rate limits, raw SQL risks, weak auth flows, etc.).

I wanted to create the ultimate "Security Context" for Claude.

I built a free CLI tool that injects an entire Security Skill pack directly into your project. It contains 29 detailed markdown modules covering the complete OWASP Top 10, CWE 25, and ASVS Level 3 standards.

How to use it:

In your project terminal, run: npx @netxeo/security-skill

It will automatically create a .skills/security folder filled with the 29 context files, formatted exactly how Claude likes to read them.

In your Claude Desktop chat (or Cursor/Cline), just type: /security-audit.

Claude will consume the skill pack, read your current codebase, and perform a deep security audit, giving you a score and exact diffs to fix your vulnerabilities.

It's an open-source tool, and the prompt engineering behind the modules is completely transparent.

💻 GitHub repo: https://github.com/Netxeo/skill-file-security
🌐 Full list of the 29 modules: https://skill-file-security-website.vercel.app/docs

Would love to get your feedback on the markdown formatting of the skills and if there are any other edge cases Claude struggles with that I should add to the pack!

u/Netxeo — 12 days ago