Agent Skills
StackHawk agent skills are instruction sets that teach AI coding agents how to run security scans, parse findings, fix vulnerabilities, and verify fixes. Install a skill and your agent gains full runtime security testing capability — no separate tools, no context switching.
How Agent Skills Work
When you install a StackHawk agent skill, your AI coding agent learns how to:
- Configure — Generate a `stackhawk.yml` config file based on your app type, host, and auth pattern
- Scan — Run HawkScan against your running application
- Parse — Read structured JSON findings with vulnerability type, severity, affected path, and method
- Fix — Remediate vulnerabilities directly in your codebase (parameterized queries, output encoding, security headers, etc.)
- Verify — Rescan to confirm all fixes are effective
When you finish building a feature, the agent automatically runs this loop — “done” means “done and secure.”
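The Parse and Verify steps above are the ones worth making mechanical: a fix only counts once the rescan no longer reports the finding, and the rescan also has to be checked for anything new. The following is an added example, not StackHawk's code. It parses findings JSON of the shape the page describes (vulnerability type, severity, affected path, method); the field names `pluginName`, `severity`, `path` and `method`, the severity ordering, and both sample scan outputs are assumptions constructed for this example, not the real HawkScan output format.

```python
"""Triage and verification helpers for HawkScan-style findings JSON.

Added example, not StackHawk's code. The page states that findings carry a
vulnerability type, severity, affected path and method; the field names used
here (pluginName, severity, path, method) and the sample data are assumed and
constructed for illustration only.
"""
import json
from collections import Counter

# Assumed severity ordering; unknown labels rank lowest rather than crashing.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample: what a first scan of an unfixed app might report.
BEFORE_SCAN = json.dumps([
    {"pluginName": "SQL Injection", "severity": "High", "path": "/api/users", "method": "GET"},
    {"pluginName": "Cross Site Scripting (Reflected)", "severity": "High", "path": "/search", "method": "GET"},
    {"pluginName": "X-Content-Type-Options Header Missing", "severity": "Low", "path": "/", "method": "GET"},
    {"pluginName": "Content Security Policy (CSP) Header Not Set", "severity": "Medium", "path": "/", "method": "GET"},
])

# Constructed sample: the rescan after the agent's fixes. SQLi and XSS are gone,
# the two header findings remain, and one new finding appeared on /login.
AFTER_SCAN = json.dumps([
    {"pluginName": "Content Security Policy (CSP) Header Not Set", "severity": "Medium", "path": "/", "method": "GET"},
    {"pluginName": "X-Content-Type-Options Header Missing", "severity": "Low", "path": "/", "method": "GET"},
    {"pluginName": "Missing Anti-clickjacking Header", "severity": "Medium", "path": "/login", "method": "GET"},
])


def load_findings(raw):
    """Parse scan JSON into a set of (type, severity, path, method) keys.

    A set makes the before/after comparison a plain set difference and also
    collapses duplicate reports of the same finding.
    """
    return {(f["pluginName"], f["severity"], f["path"], f["method"])
            for f in json.loads(raw)}


def severity_summary(findings):
    """Count findings per severity label."""
    return dict(Counter(f[1] for f in findings))


def worst_severity(findings):
    """Highest-ranked severity present, or None for a clean scan."""
    if not findings:
        return None
    return max((f[1] for f in findings), key=lambda s: SEVERITY_RANK.get(s, 0))


def fails_gate(findings, threshold="High"):
    """True if any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f[1], 0) >= limit for f in findings)


def verify_fixes(before, after):
    """Diff two scans. 'fixed' is what the rescan no longer reports, 'remaining'
    is still present, and 'regressions' is new in the rescan. Both the remaining
    and the regression sets must be acceptable before the feature is 'done'."""
    return {
        "fixed": before - after,
        "remaining": before & after,
        "regressions": after - before,
    }


if __name__ == "__main__":
    first, rescan = load_findings(BEFORE_SCAN), load_findings(AFTER_SCAN)
    result = verify_fixes(first, rescan)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for item in sorted(items):
            print("   ", *item)
    print("gate (High):", "FAIL" if fails_gate(rescan) else "pass")
```

The gate threshold is deliberately a parameter: a High threshold lets the loop finish while Medium header findings remain, so decide the threshold per environment rather than accepting the default silently.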
Supported Agents
Claude Code
Install with one command from the plugin marketplace.
Cursor
Copy rule files into your project's .cursor/rules/ directory.
Codex
Install with one command from the plugin marketplace.
Antigravity
Install with one command from the plugin registry.
GitHub Copilot
Install with one command from the plugin marketplace.
Prerequisites
- An AI coding agent
- A StackHawk account (Secure, Scale, or Wingman)
- The `hawk` CLI v6.0.0 or later, a single self-contained binary. See Install and Run HawkScan or the downloads page. Verify with `hawk version`.
- Authentication via `hawk init --browser`, which opens your browser and provisions your API key automatically (or generate one at app.stackhawk.com → Settings → API Keys).
- An application running locally that the scanner can reach, plus its source code so the agent can fix what it finds.
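Two of these prerequisites (the CLI version floor and a reachable local app) fail silently inside an agent loop: the agent runs a scan, gets an error or an empty result, and may report the feature as secure. The following preflight is an added example, not part of StackHawk's tooling. It assumes that `hawk version` prints a dotted `x.y.z` version somewhere in its output and that the application under test answers HTTP on the host you will put in `stackhawk.yml`; the default host `http://localhost:3000` is a placeholder.

```python
"""Preflight checks to run before handing the scan loop to an agent.

Added example, not StackHawk's code. Assumptions: `hawk version` emits a
dotted x.y.z version somewhere in its output, and the app under test speaks
HTTP on the configured host. The default host is a placeholder.
"""
import re
import shutil
import subprocess
import urllib.error
import urllib.request

MIN_HAWK = (6, 0, 0)  # the page requires hawk CLI v6.0.0 or later
SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z in `text` as an int tuple, or None if absent."""
    m = SEMVER.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def version_ok(text, minimum=MIN_HAWK):
    """True if the version found in `text` is at least `minimum`.

    Tuple comparison is what makes 6.10.0 >= 6.9.0 come out right; a string
    comparison would not.
    """
    v = parse_version(text)
    return v is not None and v >= minimum


def hawk_version_output():
    """Run `hawk version`; None if the binary is not on PATH."""
    if shutil.which("hawk") is None:
        return None
    proc = subprocess.run(["hawk", "version"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def app_reachable(host, timeout=3):
    """True if anything answers HTTP at `host`.

    A 4xx/5xx still proves the scanner can reach the app, so HTTPError counts
    as reachable; only connection failures count as unreachable.
    """
    try:
        with urllib.request.urlopen(host, timeout=timeout) as resp:
            return resp.status is not None
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError, ValueError):
        return False


def preflight(host="http://localhost:3000"):
    """Collect human-readable problems; an empty list means go ahead."""
    problems = []
    out = hawk_version_output()
    if out is None:
        problems.append("hawk CLI not found on PATH")
    elif not version_ok(out):
        need = ".".join(map(str, MIN_HAWK))
        problems.append(f"hawk CLI too old (need >= {need}): {out.strip()}")
    if not app_reachable(host):
        problems.append(f"nothing answering at {host}; start the app first")
    return problems


if __name__ == "__main__":
    issues = preflight()
    for issue in issues:
        print("preflight:", issue)
    raise SystemExit(1 if issues else 0)
```

Run it from the project root before the agent starts; a non-zero exit is the signal to fix the environment rather than let the agent interpret a failed scan as a clean one.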
Agent Skills Overview
Follow the steps for your agent under Supported Agents above to enable the full StackHawk skill set in your AI coding agent:
| Skill | Purpose |
|---|---|
| HawkScan | Configure, run, and interpret security scans. Fix vulnerabilities and verify fixes. |
| StackHawk API | Query the StackHawk platform for security posture, findings reports, scan history, and triage status. |
| Data Seed | Seed checked-in test data so authenticated scans can reach non-trivial application paths. |
| Optimize | Analyze a codebase and produce an optimal HawkScan setup (tech flags, scan policy, stackhawk.yml). |
On the plugin-based agents (Claude Code, Codex, GitHub Copilot), a single install of the wingman plugin pulls in all four — it’s a meta-plugin that depends on the others, so you don’t install them one by one. Cursor and Antigravity install the same set directly from the stackhawk/agent-skills repo. See Marketplace vs. Plugin Repo below for how installs are pinned and updated.
Marketplace vs. Plugin Repo
For plugin-based agents (Claude Code, Codex, GitHub Copilot), you install from the marketplace catalog, not directly from the source repo. There are two distinct repositories:
| Repository | What it is | What you do with it |
|---|---|---|
| stackhawk/agent-skills-marketplace | The curated catalog: a manifest that points the wingman umbrella (and each underlying plugin) at a pinned, tested release. | This is what you `marketplace add`. It pins you to a tested GA release (StackHawk advances the pin as new versions ship) rather than the latest main. |
| stackhawk/agent-skills | The source code: the actual skill definitions, scripts, and rule files. | Browse it to read the skills, file issues, or contribute. Cursor and Antigravity install directly from here (see below). |
In short: the marketplace is what you install; the agent-skills repo is what it’s built from.
Cursor and Antigravity don’t use the StackHawk marketplace — Cursor copies rule files directly from stackhawk/agent-skills, and Antigravity (agy) installs the plugin directly from the stackhawk/agent-skills GitHub URL. Their install pages reflect this.
How to Update
Installing from the marketplace pins you to StackHawk’s current GA release — a stable, tested version, not the latest in-development main. You’re never auto-pushed unreleased changes.
When StackHawk publishes a new GA version, the catalog is re-pinned to it — so updates follow our release cadence, not every incubating commit. The pin lives in the marketplace catalog, so to move up you refresh the catalog and then update the plugin with your agent’s own update command (no reinstall):
- Claude Code — `/plugin marketplace update stackhawk`, then `/plugin update wingman`
- GitHub Copilot — `copilot plugin marketplace update`, then `copilot plugin update wingman@stackhawk`
- Codex — `codex plugin marketplace upgrade` (Codex has no per-plugin update command; re-run `codex plugin add wingman@stackhawk` to pull the refreshed pin)
Watch the marketplace release log to see when a new version ships and what changed.
Cursor and Antigravity install directly from stackhawk/agent-skills (not the marketplace), so they track main — re-run their install commands to pull the latest.