found 86 skills in registry
Create or update GitHub pull requests using the repository-required workflow and template compliance. Use when asked to create/open/update a PR so the assistant reads `.github/pull_request_template.md`, fills every template section, preserves markdown structure exactly, and marks missing data as N/A or None instead of skipping sections.
Audit and evolution of the skills ecosystem. Code quality, security, costs, gaps, duplications, dependencies, and health reports.
7-stage super workflow for GitHub repo audit, cleanup, PR review, and competitor analysis
Security audit, hardening, threat modeling (STRIDE/PASTA), Red/Blue Team, OWASP checks, code review, incident response, and infrastructure security for any project.
Convert human-written CLAUDE.md into AI-native structured-label format. Battle-tested across 4 models. Same rules, fewer tokens, higher compliance.
Orchestrate multiple Antigravity skills through guided workflows for SaaS MVP delivery, security audits, AI agent builds, and browser QA.
Expert security auditor for AI Skills and Bundles. Performs non-intrusive static analysis to identify malicious patterns, data leaks, system stability risks, and obfuscated payloads across Windows, macOS, Linux/Unix, and Mobile (Android/iOS).
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
Semgrep is a fast, lightweight static analysis tool for finding bugs, security vulnerabilities, and enforcing code standards across a codebase. The agent should use this skill when asked to run static analysis, scan code for security issues, detect code patterns or anti-patterns, write or test custom Semgrep rules, set up SAST in CI/CD pipelines, triage scan findings, suppress false positives, or perform a rapid security audit without building the project.
Verifies that git commits address security audit findings without introducing bugs. This skill should be used when the user asks to "verify these commits fix the audit findings", "check if TOB-XXX was addressed", "review the fix branch", "validate remediation commits", "did these changes address the security report", "post-audit remediation review", "compare fix commits to audit report", or when reviewing commits against security audit reports.
Host security hardening and risk-tolerance configuration for Otto deployments. Use when a user asks for security audits, firewall/SSH/update hardening, risk posture, exposure review, Otto cron scheduling for periodic checks, or version status checks on a machine running Otto (laptop, workstation, Pi, VPS).
Kubernetes policy management with Kyverno and Gatekeeper. Use when enforcing security policies, validating resources, or auditing policy compliance.
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
Kubernetes backup and restore with Velero. Use when creating backups, restoring applications, managing disaster recovery, or migrating workloads between clusters.
Use when hardening Go code at API boundaries — copying slices/maps, verifying interface compliance, using defer for cleanup, time.Time/time.Duration, or avoiding mutable globals. Also use when reviewing for robustness concerns like missing cleanup or unsafe crypto usage, even if the user doesn't mention "defensive programming." Does not cover error handling strategy (see go-error-handling).
Prepare structured briefings for meetings with legal relevance and track resulting action items. Use when preparing for contract negotiations, board meetings, compliance reviews, or any meeting where legal context, background research, or action tracking is needed.
Security audit and code review checklist. Covers 30+ vulnerability types with real-world exploit cases (2021-2026) and EVMbench Code4rena patterns. Use when conducting security audits, code reviews, or pre-deployment security assessments.
Validates compliance, security, and GRC terminology in marketing copy. Enforces accurate claims, prevents common mistakes (e.g., calling SOC 2 a "certification"), and applies risk-first narrative framing for B2B SaaS audiences. Use when writing or reviewing any marketing content that references compliance frameworks, security standards, regulatory requirements, or audit processes. Also use when creating ads, landing pages, emails, case studies, or sales collateral for GRC/cybersecurity B2B SaaS
Automatically test APIs by generating test cases from OpenAPI/GraphQL schemas. Use when tasks involve API fuzzing, finding edge cases in REST or GraphQL APIs, testing schema compliance, generating property-based tests from API specs, finding crashes and 500 errors, or validating API contracts. Schemathesis generates thousands of test cases from your schema and finds bugs that manual testing misses.
Accept payments with Paddle as merchant of record. Use when a user asks to add subscription billing without handling tax compliance, accept international payments, implement a payment system where Paddle handles VAT/sales tax, or build a SaaS billing system.