Provides guidance on secure coding practices including OWASP Top 10 2025, CWE Top 25, input validation, output encoding, and language-specific security patterns. Use when reviewing code for security vulnerabilities, implementing security controls, or learning secure development practices.
Provides OWASP Top 10 2025 guidance and secure coding patterns for input validation, output encoding, and injection prevention. Use when reviewing code for vulnerabilities or implementing security controls.
/plugin marketplace add melodic-software/claude-code-plugins/plugin install security@melodic-softwareThis skill is limited to using the following tools:
references/cwe-top-25.mdreferences/owasp-top-10-2025.mdComprehensive guidance for writing secure code, covering OWASP Top 10 2025, CWE Top 25, and language-specific security patterns.
Use this skill when:
| Rank | Vulnerability | Key Mitigation |
|---|---|---|
| A01 | Broken Access Control | Server-side access checks, deny by default, CORS restrictions |
| A02 | Security Misconfiguration | Hardened configs, remove defaults, disable unnecessary features |
| A03 | Software Supply Chain Failures | SCA, SBOM, verify dependencies, integrity checks |
| A04 | Cryptographic Failures | Strong encryption (AES-256), TLS 1.2+, no deprecated algorithms |
| A05 | Injection | Parameterized queries, input validation, context-aware encoding |
| A06 | Insecure Design | Threat modeling, secure design patterns, defense in depth |
| A07 | Authentication Failures | MFA, strong passwords, secure session management |
| A08 | Data Integrity Failures | Digital signatures, integrity verification, secure CI/CD |
| A09 | Logging & Alerting Failures | Centralized logging, anomaly detection, audit trails |
| A10 | Mishandling Exceptions | Fail securely, generic error messages, complete exception handling |
For detailed mitigations: See OWASP Top 10 2025 Reference
Never trust user input. Validate all inputs on the server side.
using System.Text.RegularExpressions;
// Good: Server-side validation with allowlist
public static partial class InputValidation
{
[GeneratedRegex(@"^[a-zA-Z0-9_]{3,20}$")]
private static partial Regex UsernamePattern();
/// <summary>
/// Validate username against allowlist pattern.
/// </summary>
public static bool ValidateUsername(string username) =>
!string.IsNullOrEmpty(username) && UsernamePattern().IsMatch(username);
}
// Bad: No validation
public string ProcessUsername(string username) => username; // Dangerous!
Validation strategies:
Encode output based on context to prevent injection attacks.
| Context | Encoding Method | Example |
|---|---|---|
| HTML body | HTML entity encoding | <script> |
| HTML attributes | Attribute encoding | ' for ' |
| JavaScript | JavaScript encoding | \x3Cscript\x3E |
| URL parameters | URL encoding | %3Cscript%3E |
| CSS | CSS encoding | \3C script\3E |
| SQL | Parameterized queries | Use prepared statements |
Always use parameterized queries for database operations.
// Good: Parameterized query with SqlCommand
using var cmd = new SqlCommand(
"SELECT * FROM Users WHERE Username = @username AND Status = @status",
connection);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@status", status);
// Good: Parameterized query with Dapper
var users = await connection.QueryAsync<User>(
"SELECT * FROM Users WHERE Username = @Username AND Status = @Status",
new { Username = username, Status = status });
// Bad: String interpolation (SQL Injection vulnerable)
var query = $"SELECT * FROM Users WHERE Username = '{username}'"; // VULNERABLE
cryptography skill)// Good: Generic error message to user, detailed logging
public async Task<IActionResult> ProcessData([FromBody] DataRequest request)
{
try
{
await _dataService.ProcessSensitiveDataAsync(request.Data);
return Ok();
}
catch (DbException ex)
{
_logger.LogError(ex, "Database error processing request for user {UserId}", User.GetUserId());
return StatusCode(500, new { error = "An error occurred" });
}
}
// Bad: Exposing internal details
catch (DbException ex)
{
return StatusCode(500, new { error = ex.Message }); // VULNERABLE - exposes internals
}
Error handling rules:
// XSS Prevention - use textContent, not innerHTML
element.textContent = userInput; // Safe
element.innerHTML = userInput; // VULNERABLE
// Use DOMPurify for HTML that must be rendered
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
// Avoid eval() and Function()
eval(userInput); // VULNERABLE
new Function(userInput)(); // VULNERABLE
// Use strict mode
'use strict';
// Safe process execution - use argument list, avoid shell
using System.Diagnostics;
public static async Task<string> SafeExecuteAsync(string command, params string[] args)
{
using var process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = command,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false, // Safe: no shell interpretation
CreateNoWindow = true
}
};
foreach (var arg in args)
process.StartInfo.ArgumentList.Add(arg); // Safe: no shell escaping needed
process.Start();
var output = await process.StandardOutput.ReadToEndAsync();
await process.WaitForExitAsync();
return output;
}
// Bad: Shell injection vulnerable
Process.Start("cmd", $"/c dir {userInput}"); // VULNERABLE
// Safe file operations - prevent path traversal
public static class SafeFileAccess
{
/// <summary>
/// Safely read a file, preventing path traversal attacks.
/// </summary>
public static string SafeReadFile(string baseDir, string filename)
{
var basePath = Path.GetFullPath(baseDir);
var filePath = Path.GetFullPath(Path.Combine(baseDir, filename));
if (!filePath.StartsWith(basePath, StringComparison.OrdinalIgnoreCase))
throw new UnauthorizedAccessException("Path traversal detected");
return File.ReadAllText(filePath);
}
}
// Use parameterized queries with Entity Framework
var users = context.Users
.Where(u => u.Username == username) // Safe - parameterized
.ToList();
// Avoid raw SQL when possible, use parameters if needed
var users = context.Users
.FromSqlRaw("SELECT * FROM Users WHERE Username = {0}", username)
.ToList();
// Anti-forgery tokens for CSRF protection
[ValidateAntiForgeryToken]
public IActionResult UpdateProfile(ProfileModel model)
{
// Process update
}
// Input validation with data annotations
public sealed class UserInput
{
[Required]
[StringLength(100, MinimumLength = 3)]
[RegularExpression(@"^[a-zA-Z0-9_]+$")]
public required string Username { get; init; }
}
What security concern are you addressing?
authentication-patterns skillauthorization-models skillcryptography skillsecrets-management skillapi-security skill| Skill | Relationship |
|---|---|
authentication-patterns | Auth implementation details (JWT, OAuth, Passkeys) |
authorization-models | Access control (RBAC, ABAC) |
cryptography | Encryption, hashing, TLS |
api-security | API-specific security patterns |
secrets-management | Credential and secret handling |
Last Updated: 2025-12-26
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.