Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

adilkalam/security-basics

Name: security-basics
Author: adilkalam

skills/security-basics/SKILL.md

npx skillsauth add adilkalam/orca security-basics

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Basics

OWASP Top 10 Quick Reference

Injection - SQL, NoSQL, OS, LDAP injection
Broken Authentication - Weak session management
Sensitive Data Exposure - Missing encryption
XML External Entities (XXE) - XML parser attacks
Broken Access Control - Missing authorization
Security Misconfiguration - Default configs, verbose errors
XSS - Cross-Site Scripting
Insecure Deserialization - Untrusted data execution
Vulnerable Components - Outdated dependencies
Insufficient Logging - Missing audit trails

Input Validation

Always Validate

User input (forms, query params)
File uploads (type, size, content)
API request bodies
URL parameters

Validation Patterns

// Whitelist approach (preferred)
const allowedFields = ['name', 'email', 'age'];
const sanitized = pick(input, allowedFields);

// Schema validation
const schema = z.object({
  email: z.string().email(),
  age: z.number().min(0).max(150),
  name: z.string().min(1).max(100)
});

SQL Injection Prevention

// BAD - SQL Injection vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// GOOD - ORM
await User.findOne({ where: { id: userId } });

XSS Prevention

// BAD - Direct HTML insertion
element.innerHTML = userInput;

// GOOD - Text content
element.textContent = userInput;

// GOOD - Sanitize HTML if needed
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// React handles this automatically
<div>{userInput}</div>  // Safe

// But not this
<div dangerouslySetInnerHTML={{__html: userInput}} />  // DANGEROUS

Authentication Checklist

[ ] Hash passwords with bcrypt/argon2 (cost factor >= 10)
[ ] Implement rate limiting on login
[ ] Use secure session tokens (random, sufficient length)
[ ] Set secure cookie flags (HttpOnly, Secure, SameSite)
[ ] Implement proper logout (invalidate session)
[ ] Consider 2FA for sensitive operations

Authorization Checklist

[ ] Check permissions on every request
[ ] Use role-based access control (RBAC)
[ ] Validate resource ownership
[ ] Don't rely on hidden fields/URLs for security
[ ] Log authorization failures

Security Headers

Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

Secrets Management

Never commit secrets to version control
Use environment variables
Rotate secrets regularly
Use secrets managers (AWS Secrets Manager, Vault)
Different secrets per environment

Dependency Security

# Check for vulnerabilities
npm audit
pip-audit
bundler-audit

# Keep dependencies updated
npm update
dependabot/renovate for automation

Code Review Security Checklist

[ ] No hardcoded secrets
[ ] Input validation present
[ ] Parameterized queries used
[ ] Proper error handling (no stack traces)
[ ] Authorization checks in place
[ ] Sensitive data not logged

adilkalam/security-basics

skills/security-basics/SKILL.md

Essential security checklist and patterns for web applications. Use when reviewing code for security issues, implementing authentication, or hardening an application. Covers OWASP top 10, input validation, and secure coding practices.

2 stars

development

Updated Mar 27, 2026

$ install --global

skillsauth

npx skillsauth add adilkalam/orca security-basics

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 30, 2026, 4:37 PM58.8s1 file scanned

SKILL.md

name:: security-basics
description:: >

Security Basics

OWASP Top 10 Quick Reference

Injection - SQL, NoSQL, OS, LDAP injection
Broken Authentication - Weak session management
Sensitive Data Exposure - Missing encryption
XML External Entities (XXE) - XML parser attacks
Broken Access Control - Missing authorization
Security Misconfiguration - Default configs, verbose errors
XSS - Cross-Site Scripting
Insecure Deserialization - Untrusted data execution
Vulnerable Components - Outdated dependencies
Insufficient Logging - Missing audit trails

Input Validation

Always Validate

User input (forms, query params)
File uploads (type, size, content)
API request bodies
URL parameters

Validation Patterns

// Whitelist approach (preferred)
const allowedFields = ['name', 'email', 'age'];
const sanitized = pick(input, allowedFields);

// Schema validation
const schema = z.object({
  email: z.string().email(),
  age: z.number().min(0).max(150),
  name: z.string().min(1).max(100)
});

SQL Injection Prevention

// BAD - SQL Injection vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// GOOD - ORM
await User.findOne({ where: { id: userId } });

XSS Prevention

// BAD - Direct HTML insertion
element.innerHTML = userInput;

// GOOD - Text content
element.textContent = userInput;

// GOOD - Sanitize HTML if needed
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// React handles this automatically
<div>{userInput}</div>  // Safe

// But not this
<div dangerouslySetInnerHTML={{__html: userInput}} />  // DANGEROUS

Authentication Checklist

[ ] Hash passwords with bcrypt/argon2 (cost factor >= 10)
[ ] Implement rate limiting on login
[ ] Use secure session tokens (random, sufficient length)
[ ] Set secure cookie flags (HttpOnly, Secure, SameSite)
[ ] Implement proper logout (invalidate session)
[ ] Consider 2FA for sensitive operations

Authorization Checklist

[ ] Check permissions on every request
[ ] Use role-based access control (RBAC)
[ ] Validate resource ownership
[ ] Don't rely on hidden fields/URLs for security
[ ] Log authorization failures

Security Headers

Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

Secrets Management

Never commit secrets to version control
Use environment variables
Rotate secrets regularly
Use secrets managers (AWS Secrets Manager, Vault)
Different secrets per environment

Dependency Security

# Check for vulnerabilities
npm audit
pip-audit
bundler-audit

# Keep dependencies updated
npm update
dependabot/renovate for automation

Code Review Security Checklist

[ ] No hardcoded secrets
[ ] Input validation present
[ ] Parameterized queries used
[ ] Proper error handling (no stack traces)
[ ] Authorization checks in place
[ ] Sensitive data not logged

Related Skills

adilkalam/ui-quality-audit

testing

VerifiedTrustedCommunity

Run technical quality checks across accessibility, performance, theming, responsive design, and anti-patterns. Generates a scored report with P0-P3 severity ratings and actionable plan. Use when the user wants an accessibility check, performance audit, or technical quality review.

2SKILL.mdUpdated Jun 6, 2026

adilkalam/ui-quality-audit

adilkalam/typeset

tools

VerifiedTrustedCommunity

Improves typography by fixing font choices, hierarchy, sizing, weight, and readability so text feels intentional. Use when the user mentions fonts, type, readability, text hierarchy, sizing looks off, or wants more polished, intentional typography.

2SKILL.mdUpdated Jun 6, 2026

adilkalam/threejs-animation

tools

VerifiedTrustedCommunity

Three.js animation - keyframe animation, skeletal animation, morph targets, animation mixing. Use when animating objects, playing GLTF animations, creating procedural motion, or blending animations.

2SKILL.mdUpdated Jun 6, 2026

adilkalam/threejs-animation

adilkalam/shape

development

VerifiedTrustedCommunity

Plan the UX and UI for a feature before writing code. Runs a structured discovery interview, then produces a design brief that guides implementation. Use during the planning phase to establish design direction, constraints, and strategy before any code is written.

2SKILL.mdUpdated Jun 6, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/adilkalam/orca.git

# Copy into Claude Code skills folder (global)
cp -r orca/skills/security-basics ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

adilkalam/orca

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT