From kernel
Enforces security best practices: OWASP top 10, input validation, secrets management, authentication, and vulnerability prevention. Activates on security and related keywords.
npx claudepluginhub ariaxhan/kernel-claude --plugin kernel
How this skill is triggered — by the user, by Claude, or both
Slash command: /kernel:security
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
<skill id="security">
Conducts security reviews using checklists and patterns for authentication, user input, secrets, API endpoints, SQL injection, XSS/CSRF, and rate limiting.
Hardens code against vulnerabilities with OWASP Top 10 prevention patterns. Validates input, parameterizes queries, sets security headers, and enforces authentication best practices.
Audits code security using OWASP Top 10 checklists for input validation, auth/authz, API security, data protection, and logging. Use for secure implementations and vulnerability reviews.
<core_principles>
Secrets check — grep for hardcoded keys/passwords/tokens before any commit. (gate: git grep -E "(api_key|apiKey|password|secret|token)\s*=\s*['\"][^'\"]{8,}" returns empty)
Input validation — all user input validated at API boundary with schema (Zod/Pydantic). (gate: every public endpoint parses input through schema before use; see code patterns in reference)
SQL injection — all queries parameterized; no string concatenation with user data. (gate: grep for template literal SQL with user variables returns empty)
XSS prevention — user-provided HTML sanitized (DOMPurify); CSP headers configured. (gate: dangerouslySetInnerHTML only appears with DOMPurify wrapping)
Authentication — tokens in httpOnly cookies, not localStorage; auth checked per-request. (gate: no localStorage.setItem('token'; every protected route has auth check)
Authorization — role/ownership check before every sensitive operation. (gate: no delete/update/admin endpoint without requester role verification)
CSRF protection — tokens on state-changing requests; SameSite=Strict on session cookies. (gate: POST/PUT/DELETE endpoints verify X-CSRF-Token or use SameSite cookie)
Rate limiting — enabled on all public endpoints; stricter on expensive ops. (gate: every /api/ route has rate limit middleware)
Error handling — generic messages in responses; stack traces only in server logs. (gate: no error.stack or internal paths in HTTP response bodies)
Dependency audit — npm audit / pip-audit clean; lockfile committed. (gate: audit exits 0 or all findings are acknowledged with justification)
Supply chain — verify package existence + download counts before installing AI-suggested packages. (gate: no packages added without explicit npm/pypi verification; see supply chain patterns in reference)
Prompt injection (AI-integrated features) — user text never interpolated into system prompts; LLM output validated before use. (gate: no f-string/template system prompt with raw user input; see prompt injection patterns in reference)
Agent permissions — every spawned agent has explicit tool allowlist + file scope; no admin-by-default. (gate: spawn contract lists allowed tools ≤5; sensitive scopes named explicitly)
Risk-based review priority — when doing a full security review pass, prioritize in order: logic changes → deleted validations → auth flows → query changes → areas with prior security incidents. Start where impact is highest.
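Several of the gates above are grep checks over the source tree. The script below is an added example (not part of the kernel plugin) that turns five of them into a single scanner: the secrets regex as written on the page, plus my own patterns for template-literal SQL, token-in-localStorage, unwrapped dangerouslySetInnerHTML, and stack traces in responses. The gate names and the sample source lines are constructed for illustration.

```python
import re

# Gates from the core_principles list. The "secrets" regex is the page's own;
# the other patterns are assumptions about how the remaining gates would be grepped.
GATES = {
    "secrets": re.compile(r"""(api_key|apiKey|password|secret|token)\s*=\s*['"][^'"]{8,}"""),
    # a JS template literal that contains an SQL verb and a ${...} interpolation
    "sql_template_literal": re.compile(r"`[^`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{"),
    "token_in_localstorage": re.compile(r"""localStorage\.setItem\(\s*['"]token"""),
    # an error's .stack placed into an HTTP response object on the same line
    "stack_in_response": re.compile(r"res\..*\b(err|error)\.stack\b"),
}
# dangerouslySetInnerHTML passes the gate only when DOMPurify.sanitize wraps it
DANGEROUS = re.compile(r"dangerouslySetInnerHTML")
PURIFIED = re.compile(r"DOMPurify\.sanitize")


def scan(source: str) -> list[tuple[str, int]]:
    """Return (gate_name, line_number) for every line that fails a gate."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in GATES.items():
            if pattern.search(line):
                findings.append((name, lineno))
        if DANGEROUS.search(line) and not PURIFIED.search(line):
            findings.append(("unsanitized_innerhtml", lineno))
    return findings


def gates_pass(source: str) -> bool:
    """The commit gate: every pattern must return empty."""
    return not scan(source)


# Constructed sample, not from any real project: odd lines fail, even lines pass.
SAMPLE = "\n".join([
    'const apiKey = "sk_live_0123456789abcdef";',                                       # 1 hardcoded secret
    'const token = req.cookies.session;',                                               # 2 fine: read from cookie
    'const rows = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',  # 3 interpolated SQL
    'const safe = await db.query("SELECT * FROM users WHERE id = $1", [id]);',          # 4 fine: parameterized
    "localStorage.setItem('token', jwt);",                                              # 5 token in localStorage
    '<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />',           # 6 fine: sanitized
    '<div dangerouslySetInnerHTML={{ __html: html }} />',                               # 7 raw HTML
    'console.error(err.stack);',                                                        # 8 fine: server log only
    'res.status(500).json({ message: err.message, stack: err.stack });',                # 9 stack in response
])

if __name__ == "__main__":
    for gate, lineno in scan(SAMPLE):
        print(f"line {lineno}: failed gate '{gate}'")
    print("gates pass" if gates_pass(SAMPLE) else "gates FAIL")
```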
<pre_deployment_checklist> Before ANY production deployment:
<anti_patterns>
<on_complete> agentdb write-end '{"skill":"security","vectors_checked":["injection","xss","authz","secrets"],"findings":N}' </on_complete>