Skip to content

SocketDev/skills

BranchesTags

Repository files navigation

Socket Security Skills

Socket Security Skills are definitions for dependency security tasks like vulnerability scanning, package review, patching, firewall configuration, and secure dependency updates. They follow the standardized Agent Skill format and are compatible with 40+ coding agent tools including:

  • Claude Code (Anthropic) — native skill/plugin support
  • Codex (OpenAI) — Agent Skills standard + AGENTS.md fallback
  • Gemini CLI (Google DeepMind) — extensions support
  • OpenCode — skill directory support
  • Cursor — plugin manifest support
  • VS Code Copilot / GitHub Copilot — via AGENTS.md or Skills CLI
  • Windsurf — via Skills CLI
  • Roo Code — via Skills CLI
  • Any agent supporting the Agent Skills standard — via npx skills add

If your agent isn't listed above but supports skills, extensions, or custom instructions, it can likely use these skills via the Skills CLI or the agents/AGENTS.md fallback.

How do Skills work?

In practice, skills are self-contained folders that package instructions, scripts, and resources together for an AI agent to use on a specific use case. Each folder includes a SKILL.md file with YAML frontmatter (name and description) followed by the guidance your coding agent follows while the skill is active.

Note

'Skills' is actually an Anthropic term used within Claude AI and Claude Code and not adopted by other agent tools, but we love it! OpenAI Codex uses the open Agent Skills format, where each skill is a directory with a SKILL.md file that Codex discovers from standard .agents/skills locations documented in the Codex Skills guide. Codex can also work with an AGENTS.md file. Google Gemini uses 'extensions' to define the instructions for your coding agent in a gemini-extension.json file. This repo is compatible with all of them, and more!

Tip

If your agent doesn't support skills, you can use agents/AGENTS.md directly as a fallback.

Installation

Socket Security Skills are compatible with Claude Code, Codex, Gemini CLI, Cursor, and any agent supporting the Agent Skills standard.

Quick Install

Install skills using the Skills CLI (works with Claude Code, Codex, Gemini CLI, Cursor, and 40+ agents):

npx skills add SocketDev/skills

To list available skills before installing:

npx skills add SocketDev/skills --list

Claude Code

  1. Register the repository as a plugin marketplace:
/plugin marketplace add SocketDev/skills
  1. To install a skill, run:
/plugin install <skill-name>@SocketDev/skills

For example:

/plugin install scan@SocketDev/skills

Codex

  1. Copy or symlink any skills you want to use from this repository's skills/ directory into one of Codex's standard .agents/skills locations (for example, $REPO_ROOT/.agents/skills or $HOME/.agents/skills) as described in the Codex Skills guide.

  2. Once a skill is available in one of those locations, Codex will discover it using the Agent Skills standard and load the SKILL.md instructions when it decides to use that skill or when you explicitly invoke it.

  3. If your Codex setup still relies on AGENTS.md, you can use the generated agents/AGENTS.md file in this repo as a fallback bundle of instructions.

Gemini CLI

  1. This repo includes gemini-extension.json to integrate with the Gemini CLI.

  2. Install locally:

gemini extensions install . --consent

or use the GitHub URL:

gemini extensions install https://github.com/SocketDev/skills.git --consent
  1. See Gemini CLI extensions docs for more help.

Cursor

This repository includes Cursor plugin manifests:

  • .cursor-plugin/plugin.json

Install from repository URL (or local checkout) via the Cursor plugin flow.

For contributors, regenerate manifests with:

./scripts/publish.sh

OpenCode

This repository includes an .opencode/skills directory that OpenCode discovers automatically.

  1. Clone or install this repo into your project
  2. OpenCode will discover skills from .opencode/skills/

Or manually copy skill folders into your project's .opencode/skills/ directory.

Other Agents (VS Code Copilot, Windsurf, Roo Code, etc.)

For any agent that supports the Agent Skills standard or custom instructions:

  1. Use the Skills CLI (recommended):
npx skills add SocketDev/skills

  1. Or manually copy the agents/AGENTS.md file into your agent's instructions/context directory. This file contains a summary of all available skills and their locations.

  2. Skills use the Socket CLI and Batch PURL API directly — no MCP server required.

Skills

This repository contains security-focused skills for dependency management. You can also contribute your own skills to the repository.

Available skills

Setup

Install, authenticate, and configure Socket for your project.

Name Description Documentation
socket-setup Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. SKILL.md

Analysis

Scan dependencies and inspect individual packages for security risks.

Name Description Documentation
socket-inspect Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. SKILL.md
socket-scan Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. SKILL.md

Dependency Management

Upgrade, patch, and clean up individual dependencies.

Name Description Documentation
socket-dep-cleanup Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. SKILL.md
socket-dep-patch Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /socket-setup skill. SKILL.md
socket-dep-replace Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. SKILL.md
socket-dep-upgrade Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. SKILL.md

Fix

Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow.

Name Description Documentation
socket-fix Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). SKILL.md

Contributing

  1. Create a new directory under skills/ with a descriptive name
  2. Add a SKILL.md file with YAML frontmatter (name and description) followed by guidance content
  3. Add an entry in .claude-plugin/marketplace.json with matching name and source path
  4. Run ./scripts/publish.sh to regenerate all artifacts
  5. Run ./scripts/publish.sh --check to verify everything is in sync
  6. Submit a pull request

License

MIT - see LICENSE for details.

About

Skills for coding agents to interact with Socket

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages