Skill

security-checklist

Audits Micronaut/Kotlin backend code for authentication, authorization, input validation, SQL injection prevention, OWASP vulnerabilities, and secrets management. Use when implementing auth, validating inputs, or reviewing security.

Kotlin

security

backend

Install

npx claudepluginhub c0x12c/ai-toolkit --plugin ai-toolkit

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Run a security audit against Micronaut/Kotlin backend code.

Supporting Assets

audit-reference.md

SKILL.md

Similar Skills

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

157.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

157.7k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

157.7k

Stats

Parent Repo Stars57

Parent Repo Forks5

Last CommitMar 27, 2026

Actions

View Source View Plugin View on GitHub View README

Security Checklist

Run a security audit against Micronaut/Kotlin backend code.

When to Use

Adding authentication or authorization to endpoints
Validating user inputs on new or changed endpoints
Reviewing code for security issues before merge
Checking for common vulnerabilities (SQL injection, XSS, IDOR)
Setting up secrets management

Process

See audit-reference.md for code examples, vulnerability table, and SAFE/DANGEROUS patterns.

Check Authentication — every controller has @Secured, current user comes from security context
Check Authorization — verify user has access to the resource before returning it
Check Input Validation — @Valid on controller params, Jakarta annotations on request DTOs
Check SQL Injection Prevention — use Exposed ORM (auto-parameterized), never raw SQL with string concat
Check Common Vulnerabilities — SQL injection, XSS, CSRF, auth bypass, IDOR, mass assignment, data exposure, rate limiting
Check Secrets Management — no hardcoded secrets, use env vars, never log tokens/passwords/PII, never commit .env
Check Response Sanitization — response DTOs control what's exposed, never return raw entities

Interaction Style

Always checks all categories, doesn't skip any section
Flags the most dangerous issues first
Shows code examples for every fix, not just descriptions
Tells you what's wrong AND how to fix it

Rules

Every endpoint must have a @Secured annotation
Admin endpoints use OAuthSecurityRule.ADMIN
Users can only access their own resources (or admin can access all)
Input validated with @Valid and Jakarta annotations
No raw SQL queries with string concatenation
Sensitive fields excluded from response DTOs
Tokens/passwords never logged
Error messages don't leak internal details
Rate limiting on auth endpoints

Output

Produces a checklist report with pass/fail for each category:

All endpoints have @Secured annotation
Admin endpoints use OAuthSecurityRule.ADMIN
User can only access their own resources (or admin can access all)
Input validated with @Valid and Jakarta annotations
No raw SQL queries with string concatenation
Sensitive fields excluded from response DTOs
Tokens/passwords never logged
Error messages don't leak internal details
Rate limiting on auth endpoints