Security First is a preventive guardrail that integrates security into the development lifecycle during the planning phase, before any code is written. Rather than conducting retrospective audits, it forces an AI agent to identify trust boundaries, surface security assumptions, and define verification steps while a task is being scoped. The skill addresses a common pattern where standard LLMs prioritize functionality over safety, proposing insecure defaults or neglecting edge cases such as untrusted input and session handling. It shifts security left by requiring structured analysis of the attack surface relevant to the specific task. Authentication, authorization, and data handling are treated as first-class requirements rather than afterthoughts. The supported workflows are Trust Boundary Mapping, Secure Defaults, Attack Surface Reduction, and Pre-implementation Verification. These workflows compel the agent to clarify where data changes trust levels, reject weak initial configurations, minimize exposed interfaces, and list concrete validation checks. When activated against a specific task, the agent produces a concise, actionable security brief that outlines the trust boundaries, surfaced assumptions, required verification steps, and risk points identified during the structured analysis.
Security First
Prevent vulnerabilities before they happen by forcing early security framing and secure-by-default design patterns.
Install
cmdop skills install agensi-security-first
Use cases
- Force an agent to map trust boundaries before it generates implementation code
- Surface hidden security assumptions during architectural planning
- Generate a pre-implementation verification checklist for a new feature
- Require secure-by-default handling of authentication and authorization logic
- Identify attack-surface reduction opportunities in a task brief
- Obtain a concise security brief tailored to a specific development task
When to use it
- You want security analysis during the planning phase rather than after code is written
- You need to counter an agent's tendency to suggest insecure defaults
- Your task involves authentication, authorization, or sensitive data handling
- You require structured attack surface analysis before implementation
When not to use it
- You need automated runtime security scanning or penetration testing of existing code
- You require compliance auditing against formal security frameworks
- You are looking for a skill that provides specific secure coding patterns for a language or framework