General

Prompts and patterns that are not tied to a specific agent. If a prompt works the same whether you paste it into Claude, Copilot, Cursor, Codex, or Devin, it belongs here.

What usually lives here

  • Triage frameworks — the decision trees and checklists your team uses when a new finding lands, independent of which agent gets handed the fix.
  • Guardrail patterns — repeated ideas for keeping automation safe (scoped credentials, dry-run gates, review policies) that work across tools.
  • Review checklists — what a human should look at when reviewing a machine-generated PR.
  • PR templates — the body your agent should fill in when it opens a PR, agnostic of which agent is writing.
  • Commit-message conventions — style rules your agent should follow when committing.

When this is the right folder

Put a prompt here if at least two agents would use it unchanged. If you find yourself writing a Claude-only skill, put it under claude/ instead — the whole point of per-tool folders is that agent specifics stay where their context lives.

Browse entries

Every entry carries its author, team, and maturity. Click any card for the full prompt.

OWASP Top 10 (2026) — repo audit

Maturity: development

A tool-agnostic hunt prompt that walks an agent through a structured audit of a repository against every category in the OWASP Top 10 (2026 iteration). The output is a prioritised …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-22
Tags: owasp, top-10, audit, hunt, sast, security-posture

OWASP Top 10 (2026) — remediate

Maturity: development

A tool-agnostic remediation prompt that takes a single finding from an OWASP Top 10 (2026) audit — or any equivalent source — and turns it into a reviewer-ready pull request. …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-22
Tags: owasp, top-10, remediate, pr, fix

SAST finding — triage and fix

Maturity: development

A tool-agnostic prompt that takes a single SAST finding and either opens a reviewer-ready PR (true positive, fixable), opens a suppression PR with justification and an expiry …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-25
Tags: sast, triage, false-positive, remediate, pr

Base image — bump and rebuild

Maturity: development

A tool-agnostic prompt that takes a CVE finding scoped to a base image or an OS-package layer, and produces a reviewer-ready PR that bumps the FROM line (or the package install …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-25
Tags: containers, docker, base-image, cve, remediate

Compromised package — cache quarantine

Maturity: development

A tool-agnostic prompt that takes a “this package is malicious” advisory and runs the eviction across the org’s registries, caches, and mirrors — quarantining the …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-25
Tags: supply-chain, registry, cache, quarantine, incident

Agent session — telemetry-driven kill rules

Maturity: development

A tool-agnostic prompt that takes a workflow’s run telemetry and a draft set of decision rules, and produces (a) a vetted rule pack the session monitor can load and (b) a …

Author: Stephen M Abbott | Team: Security | Model used: Opus 4.7 | Updated: 2026-04-25
Tags: runtime, telemetry, guardrail, kill-switch, monitor

Classic Vulnerable Defaults

Prompts that mitigate or replace the durable, unsafe-by-default patterns that show up in new code year after year — pickle, unsafe YAML, JNDI, JWT `none`, XXE, polymorphic deserialization, `eval`, and friends.