Available Skills
Sub-skills are focused security knowledge modules that phases load automatically on demand, according to the project's scope. You can also run them yourself (including in prompts unrelated to Blue Spec) to keep security alongside development.
The catalog
| Sub-Skill | Path | Focus |
|---|---|---|
| regex | .bluespec/skills/regex.md | ReDoS: patterns that explode on crafted input. |
| javascript | .bluespec/skills/javascript.md | Language-level risks: RCE, prototype pollution, etc. |
| browser | .bluespec/skills/browser.md | Client-side risks: DOM XSS, origin, storage, etc. |
The catalog grows by adding one knowledge file plus one catalog row, never a new command.
A worked example
A direct free-form prompt that generates a ReDoS-safe RegExp collection in Python:

```text
@.bluespec/skills/regex.md
Create a collection of regular expressions in @src/utils/regex.py to validate emails and usernames.
```

The skill runs a hook that tests each candidate RegExp for ReDoS, keeps only the safe ones, and produces something like:

```python
import re

# Anchored patterns built from single character classes with no nested
# quantifiers, so backtracking stays linear in the input length.
EMAIL = re.compile(r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$")
USERNAME = re.compile(r"^[a-zA-Z0-9_]{3,20}$")


def is_email(value: str) -> bool:
    # fullmatch rather than match: with match, "$" still accepts a trailing
    # newline, so "user@example.com\n" would validate.
    return EMAIL.fullmatch(value) is not None


def is_username(value: str) -> bool:
    return USERNAME.fullmatch(value) is not None
```
Test a pattern yourself at devina.io/redos-checker.
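To make concrete what "test each RegExp against ReDoS" can mean, here is an added example; it is not Blue Spec's hook or any code from the project. It combines a static scan of CPython's regex parse tree for an unbounded quantifier nested inside another (the `(a+)+` family) with a timing probe that grows a crafted input and compares the slowdown to the size ratio. The `DEMO` table, the helper names, the crafted inputs and the thresholds are assumptions of this example, and it deliberately goes beyond the two catalog patterns by including a catastrophic control pattern.

```python
"""Added example: a minimal ReDoS check of the kind a generation hook might run."""
import re
import time

try:  # Python 3.11+ keeps the regex parser and constants under re._*
    from re import _constants as sre_constants, _parser as sre_parse
except ImportError:  # Python <= 3.10
    import sre_constants
    import sre_parse

_REPEATS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)


def _children(op, av):
    """Yield the sub-patterns nested inside one node of the parse tree."""
    if op in _REPEATS:
        yield av[2]                      # (min, max, body)
    elif op == sre_constants.SUBPATTERN:
        yield av[3]                      # (group, add_flags, del_flags, body)
    elif op == sre_constants.BRANCH:
        yield from av[1]                 # (None, [alternative, ...])
    elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
        yield av[1]                      # (direction, body)


def nested_unbounded_repeats(pattern: str) -> int:
    """Count unbounded repeats (* + {n,}) that sit inside another unbounded repeat.

    This is the classic exponential-backtracking shape. A count of 0 does not
    prove safety: overlapping alternations such as (a|aa)+ are not modelled,
    nor are the 3.11+ possessive/atomic constructs (which do not backtrack).
    """
    def walk(body, inside_unbounded):
        hits = 0
        for op, av in body:
            unbounded = op in _REPEATS and av[1] == sre_constants.MAXREPEAT
            if unbounded and inside_unbounded:
                hits += 1
            for child in _children(op, av):
                hits += walk(child, inside_unbounded or unbounded)
        return hits

    return walk(sre_parse.parse(pattern), False)


def _min_match_seconds(compiled, text, repeats=3):
    """Best-of-N wall-clock time for one anchored match attempt (min filters noise)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern, make_input, small, large):
    """Slowdown when the crafted input grows from `small` to `large` characters.

    A linear pattern grows roughly like large/small; a catastrophic one grows
    exponentially. Keep `large` modest: the stdlib re module has no timeout,
    so a production hook should run this probe in a subprocess it can kill.
    """
    compiled = re.compile(pattern)
    t_small = max(_min_match_seconds(compiled, make_input(small)), 1e-9)
    t_large = _min_match_seconds(compiled, make_input(large))
    return t_large / t_small


def is_catastrophic(pattern, make_input, small=8, large=16, slack=8):
    """True on a static finding, or when timing growth exceeds slack * size ratio."""
    if nested_unbounded_repeats(pattern):
        return True
    return growth_ratio(pattern, make_input, small, large) > slack * (large / small)


# Constructed inputs for this demo (assumption): the two patterns from the
# catalog example above plus one deliberately catastrophic control pattern.
# name: (pattern, crafted-input builder, small size, large size)
DEMO = {
    "email": (r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$",
              lambda n: "a@" + "." * n + "!", 1000, 4000),
    "username": (r"^[a-zA-Z0-9_]{3,20}$", lambda n: "a" * n + "!", 1000, 4000),
    # nested unbounded quantifier: sizes stay tiny because it is exponential
    "nested": (r"^(a+)+$", lambda n: "a" * n + "!", 8, 16),
}


def check_demo():
    """Run both probes over DEMO and report which patterns are flagged."""
    return {name: is_catastrophic(p, f, s, l) for name, (p, f, s, l) in DEMO.items()}


if __name__ == "__main__":
    for name, flagged in check_demo().items():
        print(f"{name:9s} {'CATASTROPHIC' if flagged else 'ok'}")
```

The static scan is deterministic and cheap, so it belongs first; the timing probe catches what the scan does not model but is only as good as the crafted input you feed it, which is why a checker such as the devina.io one mentioned above remains worth a second opinion before a pattern is committed.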
How to load them
There are two ways, one for the flow and one for you:

- A phase loads it for you. When detect or verify hits a context a sub-skill covers, it runs the /bluespec.skills dispatcher itself and the right module is pulled in. This is automatic; you do nothing.
- You run it yourself. Import the file with @.bluespec/skills/<name>.md and write the task in the same prompt, as in the example above. This is the user-facing way, and it works in any prompt, even outside the Blue Spec flow.

Running /bluespec.skills <name> by hand only loads the knowledge into context; on its own it does no work. To act on your code, use the @ import together with a task.