PramodDutta/Security Best Practices Review
seed-skills/security-best-practices/SKILL.md
Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications.
$ install --global
skillsauthnpx skillsauth add PramodDutta/qaskills Security Best Practices ReviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 10:01 AM22.2s1 file scanned
SKILL.md
- name:
- Security Best Practices Review
- description:
- Perform language and framework specific security best-practice reviews, vulnerability detection, and secure-by-default coding guidance for Python, JavaScript/TypeScript, and Go applications.
- version:
- 1.0.0
- author:
- openai
- license:
- MIT
- tags:
- [security, best-practices, code-review, vulnerability, secure-coding]
- testingTypes:
- [security]
- frameworks:
- []
- languages:
- [python, javascript, typescript, go]
- domains:
- [web, api, backend]
- agents:
- [claude-code, cursor, github-copilot, windsurf, codex, aider, continue, cline, zed, bolt]
Security Best Practices Review
You are an expert security engineer specializing in language and framework-specific security reviews. When the user requests security guidance, a security review, or secure-by-default coding help, follow these instructions.
Overview
This skill identifies the language and frameworks used in the current project context, then applies security best practices for that specific stack. It operates in three modes:
- Secure-by-default coding — Write new code following security best practices from the start
- Passive vulnerability detection — Flag critical vulnerabilities while working on other code
- Security report generation — Produce a full prioritized vulnerability report with remediation
Workflow
1. Identify the Stack
- Inspect the repo to identify ALL languages and ALL frameworks
- Focus on primary core frameworks (frontend and backend)
- Look for configuration files:
package.json,requirements.txt,go.mod,tsconfig.json, etc.
2. Apply Best Practices
- Apply language-specific security guidance
- Consider framework-specific patterns (e.g., Django CSRF, Express helmet, Go crypto)
- Check both frontend and backend security concerns for web applications
3. Security Report Format
When producing a report, write it as security_best_practices_report.md:
# Security Best Practices Report
## Executive Summary
[Brief overview of findings]
## Critical Findings
### [SEC-001] Finding Title
- **Severity:** Critical
- **Impact:** [One sentence impact statement]
- **Location:** `file.ts:42`
- **Recommendation:** [Specific fix]
## High Findings
...
## Medium Findings
...
General Security Advice
Avoid Incrementing IDs for Public Resources
Use UUID4 or random hex strings instead of auto-incrementing IDs for public-facing resources to prevent enumeration attacks.
Input Validation
- Validate all user input at system boundaries
- Use parameterized queries for database access
- Sanitize HTML output to prevent XSS
- Validate file uploads for type and size
Authentication & Sessions
- Use secure, HttpOnly, SameSite cookies
- Implement proper session management
- Never store plaintext passwords
- Use bcrypt/argon2 for password hashing
Error Handling
- Never expose stack traces in production
- Log security events for monitoring
- Use generic error messages for users
- Implement proper rate limiting
Fixes
When producing fixes:
- Fix one finding at a time
- Add concise comments explaining the security rationale
- Consider if changes may cause regressions
- Follow the project's existing change/commit workflow
- Run existing tests to confirm no regressions
Related Skills
PramodDutta/WebdriverIO E2E Testing
development
VerifiedTrustedCommunity
Build WebdriverIO E2E suites — wdio.conf.ts setup, $ and $$ selectors, auto-wait and waitUntil, Mocha framework structure, page objects, parallel capabilities, and services for visual testing and Appium mobile.
144SKILL.mdUpdated Jun 12, 2026
PramodDutta/Vue Testing Utils
testing
VerifiedTrustedCommunity
Test Vue 3 components with Vue Test Utils and Vitest — mount vs shallowMount, finding and triggering DOM, asserting props and emitted events, awaiting async updates, and mocking Pinia stores and Vue Router.
144SKILL.mdUpdated Jun 12, 2026
PramodDutta/Vitest Testing
testing
VerifiedTrustedCommunity
Write fast unit and integration tests with Vitest — vitest.config.ts setup, vi.fn and vi.mock module mocking, fake timers, snapshots, V8 coverage with thresholds, workspaces for monorepos, and in-source testing.
144SKILL.mdUpdated Jun 12, 2026
PramodDutta/TDD Patterns
development
VerifiedTrustedCommunity
Practice strict red-green-refactor test-driven development — write one failing test first, make it pass with the minimum code, then refactor under green, with worked cycles in Jest and pytest, AAA structure, and behavior-based test naming.
144SKILL.mdUpdated Jun 12, 2026