This is a security linter that jumps in whenever you're writing Drupal forms, controllers, or anything touching user input. It catches the classics like SQL injection from string concatenation, XSS from raw markup rendering, and missing access checks on entity queries. The pattern tables are genuinely useful, showing vulnerable code next to the safe version so you don't have to guess. It's opinionated about things like accessCheck(FALSE) and will warn you immediately. Honestly, this should probably be active on every Drupal project because these vulnerabilities still show up in contrib modules all the time. The checklist format makes it easy to scan during reviews.
npx skills add https://github.com/madsnorgaard/agent-resources --skill drupal-security
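The three vulnerability classes named in the description, each shown as a vulnerable Drupal snippet beside its safe form. This is an added example, not taken from the skill's own pattern tables; the `example_*` function names are hypothetical, and the code assumes it runs inside a bootstrapped Drupal 9 or later site.

```php
<?php

use Drupal\Core\Render\Markup;

// 1. SQL injection from string concatenation.
// Vulnerable: $title is spliced into the SQL text, so a quote in it changes the query.
function example_find_vulnerable(string $title): array {
  return \Drupal::database()
    ->query("SELECT nid FROM {node_field_data} WHERE title = '" . $title . "'")
    ->fetchCol();
}

// Safe: the value travels as a bound placeholder and is never parsed as SQL.
function example_find_safe(string $title): array {
  return \Drupal::database()
    ->query('SELECT nid FROM {node_field_data} WHERE title = :title', [':title' => $title])
    ->fetchCol();
}

// 2. XSS from raw markup rendering.
// Vulnerable: Markup::create() marks the string as already safe, so the
// renderer prints user-supplied HTML without filtering or escaping.
function example_render_vulnerable(string $comment): array {
  return ['#markup' => Markup::create($comment)];
}

// Safe: #plain_text is HTML-escaped by the renderer.
function example_render_safe(string $comment): array {
  return ['#plain_text' => $comment];
}

// 3. Missing access check on an entity query.
// Vulnerable: accessCheck(FALSE) returns IDs of nodes the current user may not view.
function example_list_vulnerable(): array {
  return \Drupal::entityQuery('node')
    ->condition('type', 'article')
    ->accessCheck(FALSE)
    ->execute();
}

// Safe: accessCheck(TRUE) limits results to what the current user can access.
function example_list_safe(): array {
  return \Drupal::entityQuery('node')
    ->condition('type', 'article')
    ->accessCheck(TRUE)
    ->execute();
}
```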