Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aiskillstore/pitfalls-security

Name: pitfalls-security
Author: aiskillstore

skills/barissozen/pitfalls-security/SKILL.md

npx skillsauth add aiskillstore/marketplace pitfalls-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Pitfalls

Common pitfalls and correct patterns for security.

When to Use

Implementing session key management
Caching data (especially sensitive)
Setting up structured logging
Handling environment variables
Reviewing security-sensitive code

Workflow

Step 1: Check Key Storage

Verify no private keys stored in plaintext.

Step 2: Verify Cache Safety

Ensure sensitive data not cached inappropriately.

Step 3: Check Logging

Confirm no secrets in logs.

Session Key Security

// ❌ NEVER store private keys
localStorage.setItem('privateKey', key);  // CATASTROPHIC

// ✅ Use session keys with limited permissions
interface SessionKey {
  address: Address;
  permissions: Permission[];
  expiresAt: Date;
  maxPerTrade: bigint;
}

// ✅ AES-256-GCM for any stored credentials
import { createCipheriv, randomBytes } from 'crypto';
const iv = randomBytes(16);
const cipher = createCipheriv('aes-256-gcm', key, iv);

// ✅ Audit logging for all key operations
await auditLog.create({
  action: 'SESSION_KEY_CREATED',
  userId,
  metadata: { permissions, expiresAt },
});

Environment Variables

// Frontend (Vite)
const apiUrl = import.meta.env.VITE_API_URL;  // ✅ VITE_ prefix required
// ❌ process.env.API_URL won't work in frontend

// Backend
const dbUrl = process.env.DATABASE_URL;

// ❌ NEVER log secrets
console.log('Config:', config);  // May contain secrets!
// ✅ Log safely
console.log('Config loaded for:', config.environment);

Caching Strategies

// ✅ Server-side cache for expensive computations
const priceCache = new Map<string, { value: number; expires: number }>();

function getCachedPrice(token: string): number | null {
  const cached = priceCache.get(token);
  if (cached && cached.expires > Date.now()) {
    return cached.value;
  }
  return null;
}

// ✅ TTL based on data freshness needs
const CACHE_TTL = {
  tokenPrice: 10_000,      // 10s - prices change fast
  poolReserves: 5_000,     // 5s - critical for swaps
  gasPrice: 15_000,        // 15s
  userBalance: 30_000,     // 30s
  tokenMetadata: 3600_000, // 1 hour - rarely changes
};

// ❌ Never cache user-specific sensitive data
cache.set(`user:${userId}:privateKey`, key);  // NEVER!

Structured Logging

// ✅ Structured logging (JSON format)
const logger = {
  info: (message: string, context?: object) => {
    console.log(JSON.stringify({
      level: 'info',
      message,
      timestamp: new Date().toISOString(),
      ...context,
    }));
  },
  error: (message: string, error: Error, context?: object) => {
    console.error(JSON.stringify({
      level: 'error',
      message,
      error: error.message,
      stack: error.stack,
      timestamp: new Date().toISOString(),
      ...context,
    }));
  },
};

// ✅ Include context
logger.info('Trade executed', {
  userId: 'user123',
  txHash: '0x...',
  chain: 'ethereum',
  profit: '12.34',
});

// ❌ NEVER log secrets
logger.info('Config', { apiKey: process.env.API_KEY });  // NEVER!

Audit Logging

// ✅ Audit logging for sensitive operations
await auditLog.create({
  action: 'TRADE_EXECUTED',
  userId,
  before: previousState,
  after: newState,
  timestamp: new Date(),
  metadata: { txHash, chain },
});

Quick Checklist

[ ] No private keys in localStorage
[ ] Session keys have expiry and limits
[ ] AES-256-GCM for stored credentials
[ ] Audit logging for sensitive operations
[ ] No secrets in console.log
[ ] Sensitive data not cached inappropriately
[ ] VITE_ prefix for frontend env vars

aiskillstore/pitfalls-security

skills/barissozen/pitfalls-security/SKILL.md

Security patterns for session keys, caching, logging, and environment variables. Use when implementing authentication, caching sensitive data, or setting up logging. Triggers on: session key, private key, cache, logging, secrets, environment variable.

230 stars

testing

Updated Mar 28, 2026

$ install --global

skillsauth

npx skillsauth add aiskillstore/marketplace pitfalls-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 31, 2026, 1:21 AM63.7s2 files scanned

SKILL.md

name:: pitfalls-security
description:: Security patterns for session keys, caching, logging, and environment variables. Use when implementing authentication, caching sensitive data, or setting up logging. Triggers on: session key, private key, cache, logging, secrets, environment variable.

Security Pitfalls

Common pitfalls and correct patterns for security.

When to Use

Implementing session key management
Caching data (especially sensitive)
Setting up structured logging
Handling environment variables
Reviewing security-sensitive code

Workflow

Step 1: Check Key Storage

Verify no private keys stored in plaintext.

Step 2: Verify Cache Safety

Ensure sensitive data not cached inappropriately.

Step 3: Check Logging

Confirm no secrets in logs.

Session Key Security

// ❌ NEVER store private keys
localStorage.setItem('privateKey', key);  // CATASTROPHIC

// ✅ Use session keys with limited permissions
interface SessionKey {
  address: Address;
  permissions: Permission[];
  expiresAt: Date;
  maxPerTrade: bigint;
}

// ✅ AES-256-GCM for any stored credentials
import { createCipheriv, randomBytes } from 'crypto';
const iv = randomBytes(16);
const cipher = createCipheriv('aes-256-gcm', key, iv);

// ✅ Audit logging for all key operations
await auditLog.create({
  action: 'SESSION_KEY_CREATED',
  userId,
  metadata: { permissions, expiresAt },
});

Environment Variables

// Frontend (Vite)
const apiUrl = import.meta.env.VITE_API_URL;  // ✅ VITE_ prefix required
// ❌ process.env.API_URL won't work in frontend

// Backend
const dbUrl = process.env.DATABASE_URL;

// ❌ NEVER log secrets
console.log('Config:', config);  // May contain secrets!
// ✅ Log safely
console.log('Config loaded for:', config.environment);

Caching Strategies

// ✅ Server-side cache for expensive computations
const priceCache = new Map<string, { value: number; expires: number }>();

function getCachedPrice(token: string): number | null {
  const cached = priceCache.get(token);
  if (cached && cached.expires > Date.now()) {
    return cached.value;
  }
  return null;
}

// ✅ TTL based on data freshness needs
const CACHE_TTL = {
  tokenPrice: 10_000,      // 10s - prices change fast
  poolReserves: 5_000,     // 5s - critical for swaps
  gasPrice: 15_000,        // 15s
  userBalance: 30_000,     // 30s
  tokenMetadata: 3600_000, // 1 hour - rarely changes
};

// ❌ Never cache user-specific sensitive data
cache.set(`user:${userId}:privateKey`, key);  // NEVER!

Structured Logging

// ✅ Structured logging (JSON format)
const logger = {
  info: (message: string, context?: object) => {
    console.log(JSON.stringify({
      level: 'info',
      message,
      timestamp: new Date().toISOString(),
      ...context,
    }));
  },
  error: (message: string, error: Error, context?: object) => {
    console.error(JSON.stringify({
      level: 'error',
      message,
      error: error.message,
      stack: error.stack,
      timestamp: new Date().toISOString(),
      ...context,
    }));
  },
};

// ✅ Include context
logger.info('Trade executed', {
  userId: 'user123',
  txHash: '0x...',
  chain: 'ethereum',
  profit: '12.34',
});

// ❌ NEVER log secrets
logger.info('Config', { apiKey: process.env.API_KEY });  // NEVER!

Audit Logging

// ✅ Audit logging for sensitive operations
await auditLog.create({
  action: 'TRADE_EXECUTED',
  userId,
  before: previousState,
  after: newState,
  timestamp: new Date(),
  metadata: { txHash, chain },
});

Quick Checklist

[ ] No private keys in localStorage
[ ] Session keys have expiry and limits
[ ] AES-256-GCM for stored credentials
[ ] Audit logging for sensitive operations
[ ] No secrets in console.log
[ ] Sensitive data not cached inappropriately
[ ] VITE_ prefix for frontend env vars

Related Skills

aiskillstore/hig-components-content

development

VerifiedTrustedCommunity

Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.

244SKILL.mdUpdated Apr 10, 2026

aiskillstore/hig-components-content

aiskillstore/helpdesk-automation

tools

VerifiedTrustedCommunity

Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.

244SKILL.mdUpdated Apr 10, 2026

aiskillstore/helpdesk-automation

aiskillstore/haskell-pro

testing

VerifiedTrustedCommunity

Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.

244SKILL.mdUpdated Apr 10, 2026

aiskillstore/haskell-pro

aiskillstore/graphql

tools

VerifiedTrustedCommunity

GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.

244SKILL.mdUpdated Apr 10, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aiskillstore/marketplace.git

# Copy into Claude Code skills folder (global)
cp -r marketplace/skills/barissozen/pitfalls-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aiskillstore/marketplace

230 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT