Skip to main content
NEW · APP STORE Now on iOS · macOS · iPad Android & Windows soon GET IT
Prompts Security Blue Book Policy Builder

agent security skill risk: medium

Security Blue Book Policy Builder

Builds a minimal security policy document called a Blue Book for sensitive apps using MUST/SHOULD/CAN language. Gathers limited inputs if needed, fills a template with explicit ass…

  • Policy sensitive
  • Human review

SKILL 1 file

SKILL.md
Download 
---
name: antigravity-awesome-skills-security-bluebook-builder-913f2110
description: "Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates."
---
# Security Bluebook Builder

## When to Use
- You need a concise but enforceable security policy for an app handling sensitive data.
- You want a single Blue Book document with explicit assumptions, controls, and go/no-go gates.
- The user needs policy guidance grounded in scope, threat model, and operational security defaults rather than generic advice.

## Overview
Build a minimal but real security policy for sensitive apps. The output is a single, coherent Blue Book document using MUST/SHOULD/CAN language, with explicit assumptions, scope, and security gates.

## Workflow

### 1) Gather inputs (ask only if missing)
Collect just enough context to fill the template. If the user has not provided details, ask up to 6 short questions:
- What data classes are handled (PII, PHI, financial, tokens, content)?
- What are the trust boundaries (client/server/third parties)?
- How do users authenticate (OAuth, email/password, SSO, device sessions)?
- What storage is used (DB, object storage, logs, analytics)?
- What connectors or third parties are used?
- Retention and deletion expectations (default + user-initiated)?

If the user cannot answer, proceed with safe defaults and mark TODOs.

### 2) Draft the Blue Book
Load `references/bluebook_template.md` and fill it with the provided details. Keep it concise, deterministic, and enforceable.

### 3) Enforce guardrails
- Do not include secrets, tokens, or internal credentials.
- If something is unknown, write "TODO" plus a clear assumption.
- Fail closed: if a capability is required but unavailable, call it out explicitly.
- Keep scope minimal; do not add features or tools beyond what the user asked for.

### 4) Quality checks
Confirm the Blue Book includes:
- Threat model (assumptions + out-of-scope)
- Data classification + handling rules
- Trust boundaries + controls
- Auth/session policy
- Token handling policy
- Logging/audit policy
- Retention/deletion
- Incident response mini-runbook
- Security gates + go/no-go checklist

## Resources
- `references/bluebook_template.md`

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

REQUIRED CONTEXT

  • data classes handled
  • trust boundaries
  • authentication method
  • storage systems
  • third-party connectors
  • retention/deletion rules

ROLES & RULES

  1. Collect just enough context to fill the template
  2. Ask up to 6 short questions if inputs missing
  3. Proceed with safe defaults and mark TODOs if user cannot answer
  4. Do not include secrets, tokens, or internal credentials
  5. If something is unknown, write TODO plus a clear assumption
  6. Fail closed if a capability is required but unavailable
  7. Keep scope minimal; do not add features or tools beyond what the user asked for
  8. Use this skill only when the task clearly matches the scope described above
  9. Do not treat the output as a substitute for environment-specific validation, testing, or expert review
  10. Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing

EXPECTED OUTPUT

Format
markdown
Constraints
  • single coherent Blue Book document
  • use MUST/SHOULD/CAN language
  • include explicit assumptions, scope, threat model, data classification, controls, auth/session policy, logging, retention, incident runbook, and security gates
  • mark unknowns as TODO plus assumption
  • fail closed on missing required capabilities
  • no secrets or credentials

SUCCESS CRITERIA

  • Include threat model (assumptions + out-of-scope)
  • Include data classification + handling rules
  • Include trust boundaries + controls
  • Include auth/session policy
  • Include token handling policy
  • Include logging/audit policy
  • Include retention/deletion
  • Include incident response mini-runbook
  • Include security gates + go/no-go checklist
  • Keep output concise, deterministic, and enforceable

FAILURE MODES

  • May produce incomplete policy if inputs are missing and defaults are insufficient
  • May fail to enforce minimal scope if user requests exceed stated limits

CAVEATS

Dependencies
  • references/bluebook_template.md
  • User-provided context or answers to up to 6 questions
Missing context
  • Content or structure of the referenced bluebook_template.md
  • Exact output format or length expectations for the final Blue Book
Ambiguities
  • References external file `references/bluebook_template.md` without providing its content or structure.

QUALITY

OVERALL
0.78
CLARITY
0.85
SPECIFICITY
0.80
REUSABILITY
0.75
COMPLETENESS
0.70

IMPROVEMENT SUGGESTIONS

  • Inline the bluebook_template.md content or provide a minimal self-contained version of the template.
  • Add an explicit 'Output Format' section specifying document structure, headings, and length constraints.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.

MORE FOR AGENT