
Agent Skills

StackHawk agent skills are instruction sets that teach AI coding agents how to run security scans, parse findings, fix vulnerabilities, and verify fixes. Install a skill and your agent gains full runtime security testing capability — no separate tools, no context switching.

When you install a StackHawk agent skill, your AI coding agent learns how to:

  1. Configure — Generate a stackhawk.yml config file based on your app type, host, and auth pattern
  2. Scan — Run HawkScan against your running application
  3. Parse — Read structured JSON findings with vulnerability type, severity, affected path, and method
  4. Fix — Remediate vulnerabilities directly in your codebase (parameterized queries, output encoding, security headers, etc.)
  5. Verify — Rescan to confirm all fixes are effective

When you finish building a feature, the agent automatically runs this loop — “done” means “done and secure.”

To use the skills you need:

  • An AI coding agent
  • A StackHawk account (Secure, Scale, or Wingman)
  • A StackHawk API key (generate at app.stackhawk.com → Settings → API Keys)
  • hawk CLI v5.5.11 or later — see Install and Run HawkScan for signed installers (macOS .pkg, Windows .msi, Linux .zip) or Homebrew. Verify with hawk version.
  • hawkop CLI — required by the StackHawk API skill to interact with the StackHawk Platform. See Downloads for signed installers on all platforms (macOS .pkg, Windows .msi, Linux .zip) or Homebrew.
  • An application running locally that the scanner can reach, and its source code, so the agent can fix the issues the scan finds.
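As an added example (not StackHawk's code and not part of the agent-skills repo), the script below does two things a practitioner checks by hand before handing the loop to an agent: it gates on the hawk CLI minimum from the list above, and it writes the minimal stackhawk.yml that the Configure step of the five-step loop starts from. The output format of `hawk version`, the UUID shape of application IDs, and the helper names are assumptions; only the three `app` keys in the generated file are StackHawk's own config schema.

```shell
#!/bin/sh
# Added example, not StackHawk's own code: gate on the minimum hawk CLI
# version the prerequisites require, then write the minimal stackhawk.yml
# the HawkScan skill's Configure step starts from.
set -eu

MIN_HAWK_VERSION="5.5.11"

# version_ge A B: succeed when dotted version A is >= B.
# ".0.0" is appended so short versions ("6.0") still yield three fields, and
# fields are compared numerically so that 5.10.0 > 5.5.11 (a string compare
# would get that wrong). Assumes purely numeric fields, e.g. no "-rc1" suffix.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
    y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# hawk_version_ok: succeed when the installed hawk CLI meets MIN_HAWK_VERSION.
# Assumption: `hawk version` prints the version somewhere in its output as a
# dotted triple (this page does not specify the exact output format).
hawk_version_ok() {
  out=$(hawk version 2>/dev/null) || return 1
  ver=$(printf '%s\n' "$out" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  [ -n "$ver" ] || return 1
  version_ge "$ver" "$MIN_HAWK_VERSION"
}

# write_min_config FILE APP_ID ENV HOST: write the minimal stackhawk.yml.
# app.applicationId, app.env and app.host are the keys a scan needs;
# authentication and spider settings are app-specific and left to the agent.
# Assumption: application IDs are UUIDs, as displayed in the StackHawk app.
# The host must carry a scheme, otherwise the scanner cannot reach the app.
write_min_config() {
  file=$1; app_id=$2; env_name=$3; host=$4
  printf '%s' "$app_id" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "applicationId must be a UUID" >&2; return 1; }
  case "$host" in
    http://*|https://*) ;;
    *) echo "host must include a scheme, e.g. http://localhost:3000" >&2; return 1 ;;
  esac
  cat > "$file" <<EOF
app:
  applicationId: $app_id
  env: $env_name
  host: $host
EOF
}

# Typical use (hypothetical values):
#   hawk_version_ok || { echo "hawk $MIN_HAWK_VERSION or later required" >&2; exit 1; }
#   write_min_config stackhawk.yml "$STACKHAWK_APP_ID" Development http://localhost:3000
```

Run `hawk_version_ok` before installing the skill, and pass the application ID in from the environment rather than hard-coding it; the API key likewise belongs in the environment or a secrets manager, never in stackhawk.yml.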

The StackHawk agent skills package includes two skills:

Skill          Purpose
HawkScan       Configure, run, and interpret security scans. Fix vulnerabilities and verify fixes.
StackHawk API  Query the StackHawk platform for security posture, findings reports, scan history, and triage status.

For plugin-based agents (Claude Code, Codex, GitHub Copilot), you install from the marketplace catalog, not directly from the source repo. There are two distinct repositories:

stackhawk/agent-skills-marketplace
  What it is: The curated catalog, a manifest that points each plugin (hawkscan, stackhawk-api) at a pinned, tested release.
  What you do with it: This is what you marketplace add. It pins you to a tested GA release (StackHawk advances the pin as new versions ship) rather than the latest main.

stackhawk/agent-skills
  What it is: The source code, the actual skill definitions, scripts, and rule files.
  What you do with it: Browse it to read the skills, file issues, or contribute. Cursor and Antigravity install directly from here (see below).

In short: the marketplace is what you install; the agent-skills repo is what it’s built from.

Cursor and Antigravity don’t use the StackHawk marketplace — Cursor copies rule files directly from stackhawk/agent-skills, and Antigravity (agy) installs the plugin directly from the stackhawk/agent-skills GitHub URL. Their install pages reflect this.

Installing from the marketplace pins you to StackHawk’s current GA release — a stable, tested version, not the latest in-development main. You’re never auto-pushed unreleased changes.

When StackHawk publishes a new GA version, the catalog is re-pinned to it — so updates follow our release cadence, not every incubating commit. The pin lives in the marketplace catalog, so to move up you refresh the catalog and then update the plugin with your agent’s own update command (no reinstall):

  • Claude Code: /plugin marketplace update stackhawk, then /plugin update hawkscan (and /plugin update stackhawk-api)
  • GitHub Copilot: copilot plugin marketplace update, then copilot plugin update hawkscan@stackhawk
  • Codex: codex plugin marketplace upgrade (Codex has no per-plugin update command; re-run codex plugin add hawkscan@stackhawk to pull the refreshed pin)

Watch the marketplace release log to see when a new version ships and what changed.

Cursor and Antigravity install directly from stackhawk/agent-skills (not the marketplace), so they track main — re-run their install commands to pull the latest.
