From odin
Harden code against vulnerabilities as you build it. Use when handling untrusted input, authentication or authorization, data storage, or external integrations.
How this skill is triggered — by the user, by Claude, or both
Slash command
/odin:security-hardeningThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security-first development. Three standing constraints: treat every external input as hostile until validated, keep every secret out of code and logs, and check authorization on every protected action. Security is a property of each line that touches user data, authentication, or external systems, built in during construction rather than retrofitted afterward.
Security-first development. Three standing constraints: treat every external input as hostile until validated, keep every secret out of code and logs, and check authorization on every protected action. Security is a property of each line that touches user data, authentication, or external systems, built in during construction rather than retrofitted afterward.
A control added without a threat model is a guess. Before hardening, spend five minutes as the attacker:
| Threat | Ask | Typical mitigation |
|---|---|---|
| Spoofing | Can someone impersonate a user/service? | Authentication, signature verification |
| Tampering | Can data be altered in transit or at rest? | Integrity checks, parameterized queries, HTTPS |
| Repudiation | Can an action be denied later? | Audit logging of security events |
| Information disclosure | Can data leak? | Encryption, field allowlists, generic errors |
| Denial of service | Can it be overwhelmed? | Rate limiting, input size caps, timeouts |
| Elevation of privilege | Can a user gain rights they shouldn't? | Authorization checks, least privilege |
If you cannot name a feature's trust boundaries, you cannot secure it. This is OWASP A04: Insecure Design; design flaws, not code typos, drive most breaches.
npm audit, pip-audit, cargo audit, govulncheck, or equivalent) before every releaseeval, innerHTML, exec, template injection)Read on demand; the threat model and the boundary tiers above decide which.
references/owasp-patterns.md: per-vulnerability prevention code for injection, broken auth, XSS, access control, misconfiguration, data exposure, and SSRF, in two language families.references/input-validation.md: schema validation at the trust boundary (zod, pydantic) and file-upload safety.references/dependency-audit.md: triage tree for audit findings, plus supply-chain hygiene beyond what a CVE scan catches.references/operational-controls.md: rate limiting and secrets management, including rotation after an exposure.references/llm-security.md: OWASP LLM Top 10 mitigations and treating model output as untrusted input.references/security-checklist.md: the OWASP 2021 ordering as a quick-reference table, the detailed review checklists, and pre-commit verification steps.| Rationalization | Reality |
|---|---|
| "This is an internal tool, security doesn't matter" | Internal tools get compromised. Attackers target the weakest link. |
| "We'll add security later" | Retrofitting security costs far more than building it in. Add it now. |
| "No one would try to exploit this" | Automated scanners will find it. Security by obscurity is not security. |
| "The framework handles security" | Frameworks provide tools, not guarantees. You still have to use them correctly. |
| "It's just a prototype" | Prototypes become production. Security habits from day one. |
| "Threat modeling is overkill here" | Five minutes of "how would I attack this?" prevents the design flaws no control can patch later. |
| "It's just LLM output, it's only text" | That "text" can be a SQL statement, a script tag, or a shell command. Treat it like any untrusted input. |
*) originsevalAfter implementing security-relevant code:
npx claudepluginhub outlinedriven/odin-claude-plugin --plugin odinHardens code against vulnerabilities by applying threat modeling (STRIDE) and a three-tier boundary system. Use when handling user input, authentication, data storage, or external integrations.
Guides developers through threat modeling and security hardening for web applications handling user input, authentication, sensitive data, or external integrations.
Hardens code against vulnerabilities by applying threat modeling (STRIDE) and input validation, authentication, and data storage best practices.