StackHawk Documentation

Agent Skills

StackHawk agent skills are instruction sets that teach AI coding agents how to run security scans, parse findings, fix vulnerabilities, and verify fixes. Install a skill and your agent gains full runtime security testing capability — no separate tools, no context switching.

When you install a StackHawk agent skill, your AI coding agent learns how to:

  1. Configure — Generate a stackhawk.yml config file based on your app type, host, and auth pattern
  2. Scan — Run HawkScan against your running application
  3. Parse — Read structured JSON findings with vulnerability type, severity, affected path, and method
  4. Fix — Remediate vulnerabilities directly in your codebase (parameterized queries, output encoding, security headers, etc.)
  5. Verify — Rescan to confirm all fixes are effective

When you finish building a feature, the agent automatically runs this loop — “done” means “done and secure.”
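The parse and verify steps of the loop above, as an added example that is not StackHawk's own code: it compares a baseline scan with the rescan taken after the fixes and decides whether the work counts as done. The field names and sample findings are constructed from the attributes listed in step 3 and are assumptions, not HawkScan's actual output schema.

```python
import json

# Constructed sample findings. Field names are assumptions for illustration,
# not HawkScan's actual JSON schema.
BEFORE = json.loads("""[
 {"type": "SQL Injection", "severity": "High", "path": "/api/users", "method": "GET"},
 {"type": "Cross Site Scripting", "severity": "High", "path": "/search", "method": "GET"},
 {"type": "Missing Security Header", "severity": "Low", "path": "/", "method": "GET"}
]""")
AFTER = json.loads("""[
 {"type": "Missing Security Header", "severity": "Low", "path": "/", "method": "GET"},
 {"type": "Cross Site Scripting", "severity": "Medium", "path": "/profile", "method": "POST"}
]""")

RANK = {"Low": 1, "Medium": 2, "High": 3}


def key(finding):
    """Identity of a finding: same type on the same route and method."""
    path = finding["path"].rstrip("/") or "/"
    return (finding["type"], path, finding["method"].upper())


def verify(before, after, fail_at="Medium"):
    """Compare a baseline scan with the rescan taken after the fixes."""
    old = {key(f): f for f in before}
    new = {key(f): f for f in after}
    fixed = sorted(old.keys() - new.keys())
    remaining = sorted(old.keys() & new.keys())
    # A fix can open a new issue elsewhere, so track what the rescan added.
    introduced = sorted(new.keys() - old.keys())
    # Anything in the rescan at or above the threshold blocks "done".
    blocking = sorted(k for k, f in new.items()
                      if RANK[f["severity"]] >= RANK[fail_at])
    return {"fixed": fixed, "remaining": remaining,
            "introduced": introduced, "blocking": blocking,
            "done": not blocking}


if __name__ == "__main__":
    result = verify(BEFORE, AFTER)
    for name in ("fixed", "remaining", "introduced", "blocking"):
        print(name, result[name])
    print("done:", result["done"])
```

Comparing on the rescan rather than on the list of attempted fixes is what catches a finding that a code change introduced on a different route.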

  • An AI coding agent
  • A StackHawk account (Secure, Scale, or Wingman)
  • The hawk CLI v6.0.0 or later — a single self-contained binary. See Install and Run HawkScan or the downloads page. Verify with hawk version.
  • Authentication via hawk init --browser, which opens your browser and provisions your API key automatically (or generate one at app.stackhawk.com → Settings → API Keys).
  • An application running locally that the scanner can reach, plus its source code so the agent can fix what it finds.

Follow the steps for your agent under Supported Agents above to enable the full StackHawk skill set in your AI coding agent:

| Skill | Purpose |
| --- | --- |
| HawkScan | Configure, run, and interpret security scans. Fix vulnerabilities and verify fixes. |
| StackHawk API | Query the StackHawk platform for security posture, findings reports, scan history, and triage status. |
| Data Seed | Seed checked-in test data so authenticated scans can reach non-trivial application paths. |
| Optimize | Analyze a codebase and produce an optimal HawkScan setup (tech flags, scan policy, stackhawk.yml). |

On the plugin-based agents (Claude Code, Codex, GitHub Copilot), a single install of the wingman plugin pulls in all four — it’s a meta-plugin that depends on the others, so you don’t install them one by one. Cursor and Antigravity install the same set directly from the stackhawk/agent-skills repo. See Marketplace vs. Plugin Repo below for how installs are pinned and updated.

For plugin-based agents (Claude Code, Codex, GitHub Copilot), you install from the marketplace catalog, not directly from the source repo. There are two distinct repositories:

| Repository | What it is | What you do with it |
| --- | --- | --- |
| stackhawk/agent-skills-marketplace | The curated catalog — a manifest that points the wingman umbrella (and each underlying plugin) at a pinned, tested release. | This is what you marketplace add. It pins you to a tested GA release (StackHawk advances the pin as new versions ship) rather than the latest main. |
| stackhawk/agent-skills | The source code — the actual skill definitions, scripts, and rule files. | Browse it to read the skills, file issues, or contribute. Cursor and Antigravity install directly from here (see below). |

In short: the marketplace is what you install; the agent-skills repo is what it’s built from.

Cursor and Antigravity don’t use the StackHawk marketplace — Cursor copies rule files directly from stackhawk/agent-skills, and Antigravity (agy) installs the plugin directly from the stackhawk/agent-skills GitHub URL. Their install pages reflect this.

Installing from the marketplace pins you to StackHawk’s current GA release — a stable, tested version, not the latest in-development main. You’re never auto-pushed unreleased changes.

When StackHawk publishes a new GA version, the catalog is re-pinned to it — so updates follow our release cadence, not every incubating commit. The pin lives in the marketplace catalog, so to move up you refresh the catalog and then update the plugin with your agent’s own update command (no reinstall):

  • Claude Code: /plugin marketplace update stackhawk, then /plugin update wingman
  • GitHub Copilot: copilot plugin marketplace update, then copilot plugin update wingman@stackhawk
  • Codex: codex plugin marketplace upgrade (Codex has no per-plugin update command; re-run codex plugin add wingman@stackhawk to pull the refreshed pin)

Watch the marketplace release log to see when a new version ships and what changed.

Cursor and Antigravity install directly from stackhawk/agent-skills (not the marketplace), so they track main — re-run their install commands to pull the latest.
