From forge-core
Language- and framework-specific security reviews for python, javascript/typescript, and go. USE WHEN the user requests a security review, secure-by-default coding help, or a vulnerability report. Not for general code review or debugging.
npx claudepluginhub n4m3z/forge-core

This skill is limited to using the following tools:
Language- and framework-specific security best practices: secure-by-default coding, passive detection, or a full vulnerability report.
Triggers only for python, javascript/typescript, and go. For other languages, rely on general knowledge and flag that concrete guidance is not available.
The references/ directory contains <language>-<framework>-<stack>-security.md files or a general <language>-general-<stack>-security.md; read all matching files. Web apps need both frontend and backend references.

| Mode | Trigger | Behavior |
|---|---|---|
| Write secure-by-default | Starting a new project or writing new code | Apply guidance proactively |
| Passively detect | Working in an existing project | Flag critical findings to the user inline |
| Full report | User explicitly requests it | Write security_best_practices_report.md with prioritized issues |
If no references exist for the stack, note that concrete guidance is unavailable but still perform the action based on general security knowledge.
Project-level documentation may require bypassing specific best practices. When overriding, report the override to the user without arguing. Suggest adding a note to project docs explaining the reason so the bypass is visible to future work.
Report path: security_best_practices_report.md unless the user specifies another path.

Apply fixes one finding at a time. Add concise comments in the code pointing to the specific best practice. Consider regressions: insecure code often survives because it is load-bearing; break things and the user will reject future fixes.
Follow the project's commit and testing conventions. Commit messages should reference the security best practice being aligned to. Avoid bundling unrelated findings.
Use UUID4 or random hex strings, generated from a CSPRNG, instead of small auto-incrementing integers for externally visible identifiers. This prevents enumeration attacks and resource-count inference (a visible id of 1042 tells an attacker roughly how many records exist and lets them walk all of them). A random id is not an authorization control: every lookup still needs an ownership or permission check.
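The point above, as an added Python example (not code from the forge-core skill or its reference files): an enumerable sequential store beside an opaque-id store that also enforces ownership on read. The store classes, the id-shape check and the `enumerate_sequential` probe are illustrative helpers written for this example.

```python
import re
import secrets
import uuid

# Added example, not code from the forge-core skill or its references.
# Accepted shapes for externally visible identifiers: UUID4 or 32 hex chars.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


def new_uuid_id() -> str:
    """UUID4 string; uuid.uuid4() draws from os.urandom (a CSPRNG)."""
    return str(uuid.uuid4())


def new_hex_id(nbytes: int = 16) -> str:
    """Random hex identifier from the secrets module (a CSPRNG)."""
    return secrets.token_hex(nbytes)


def is_opaque_id(value: str) -> bool:
    """True if value has the shape of a random identifier.
    Rejects small integers such as '42' and other guessable formats."""
    return bool(UUID4_RE.match(value) or HEX32_RE.match(value))


class SequentialStore:
    """Deliberately enumerable 'before' design: ids are 1, 2, 3, ...
    Reads do not check ownership, so anyone can walk every record."""

    def __init__(self):
        self._next = 1
        self._rows = {}

    def create(self, owner: str, payload: dict) -> str:
        rid = str(self._next)
        self._next += 1
        self._rows[rid] = (owner, payload)
        return rid

    def fetch(self, rid: str):
        row = self._rows.get(rid)
        return None if row is None else row[1]


class OpaqueStore:
    """Hardened design: random ids plus an ownership check on read.
    Random ids stop enumeration; the ownership check is the authorization."""

    def __init__(self):
        self._rows = {}

    def create(self, owner: str, payload: dict) -> str:
        rid = new_hex_id()
        self._rows[rid] = (owner, payload)
        return rid

    def fetch(self, rid: str, requester: str):
        if not is_opaque_id(rid):
            return None  # cheap rejection of enumeration probes like '1', '2'
        row = self._rows.get(rid)
        if row is None or row[0] != requester:
            return None  # same answer for 'missing' and 'not yours'
        return row[1]


def enumerate_sequential(store: SequentialStore, upper: int = 10) -> list:
    """Simulate an attacker guessing ids 1..upper against the sequential store."""
    return [rid for rid in map(str, range(1, upper + 1)) if store.fetch(rid) is not None]


if __name__ == "__main__":
    seq = SequentialStore()
    seq.create("alice", {"n": 1})
    seq.create("bob", {"n": 2})
    print("sequential ids found by probing:", enumerate_sequential(seq))

    opaque = OpaqueStore()
    rid = opaque.create("alice", {"secret": "s3"})
    print("opaque id:", rid, "owner read:", opaque.fetch(rid, "alice"),
          "other read:", opaque.fetch(rid, "bob"))
```

Returning `None` for both a missing id and a foreign id keeps the response identical in either case, so the random id does not leak existence to non-owners.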
Do not report missing TLS as a security issue: dev environments rarely have TLS, or they terminate it at an out-of-scope proxy. Set Secure on cookies only when the app is actually served over TLS; otherwise local dev and testing break, because browsers will not store a Secure cookie set by a plain http:// origin. Provide an env flag to gate Secure. Avoid recommending HSTS: browsers cache the policy for its full max-age, so a header sent before HTTPS is fully working locks users out of the origin until the policy expires, and removing the header does not clear caches already set. Its lasting impact (including major user lockouts) requires deep understanding.
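The env-gated Secure flag, as an added Python example (not code from the forge-core skill). It assumes a hypothetical `COOKIE_SECURE` environment variable that a deployment sets to a truthy value only when the app is actually served over TLS; with the variable unset, the cookie carries HttpOnly, SameSite and Path but not Secure, so local http:// development keeps working. No HSTS header is emitted, in line with the guidance above.

```python
import os
from http.cookies import SimpleCookie

# Added example, not code from the forge-core skill. COOKIE_SECURE is a
# hypothetical deployment variable: set it to "1"/"true" only when the app
# itself terminates TLS or sits behind a TLS proxy it trusts.
TRUTHY = {"1", "true", "yes", "on"}


def cookie_secure_enabled(env=None) -> bool:
    """Read the gate. Defaults to False so http:// dev and test setups work."""
    env = os.environ if env is None else env
    return env.get("COOKIE_SECURE", "").strip().lower() in TRUTHY


def build_session_cookie(value: str, env=None, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for the session cookie.
    HttpOnly, SameSite=Lax, Path and Max-Age are always set; Secure only
    when the gate is on."""
    jar = SimpleCookie()
    jar["session"] = value
    morsel = jar["session"]
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if cookie_secure_enabled(env):
        morsel["secure"] = True
    return morsel.OutputString()


def cookie_attributes(header_value: str) -> set:
    """Attribute names present in a Set-Cookie value (everything after name=value)."""
    parts = header_value.split("; ")[1:]
    return {part.split("=", 1)[0] for part in parts}


if __name__ == "__main__":
    print("dev :", build_session_cookie("abc123", {}))
    print("prod:", build_session_cookie("abc123", {"COOKIE_SECURE": "true"}))
```

Reading the gate from an explicit `env` mapping (falling back to `os.environ`) keeps the function testable without mutating process state; in the app, call `build_session_cookie(value)` and let the deployment set `COOKIE_SECURE`.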