aiskillstore/security-fundamentals
skills/danielpodolsky/security-fundamentals/SKILL.md
Auto-invoke when reviewing authentication, authorization, input handling, data exposure, or any user-facing code. Enforces OWASP top 10 awareness and security-first thinking.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace security-fundamentalsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 2:55 AM57.0s2 files scanned
SKILL.md
- name:
- security-fundamentals
- description:
- Auto-invoke when reviewing authentication, authorization, input handling, data exposure, or any user-facing code. Enforces OWASP top 10 awareness and security-first thinking.
Security Fundamentals Review
"Security is not a feature. It's a foundation. Build on sand, and the house falls."
When to Apply
Activate this skill when reviewing:
- Authentication/login flows
- Authorization checks
- User input handling
- Database queries
- File uploads
- API endpoints
- Data exposure in responses
Review Checklist
Input Validation (NEVER Trust the Client)
- [ ] All inputs validated: Is every user input checked before use?
- [ ] Server-side validation: Is validation done on the server, not just client?
- [ ] Type checking: Are expected types enforced?
- [ ] Length limits: Are string lengths bounded?
- [ ] Whitelist over blacklist: Are allowed values explicitly defined?
Authentication
- [ ] Password hashing: Are passwords hashed (bcrypt, argon2), not encrypted?
- [ ] No plaintext secrets: Are secrets in env vars, not code?
- [ ] Token expiry: Do JWTs/sessions have reasonable expiration?
- [ ] Secure transmission: Is HTTPS enforced?
Authorization
- [ ] Ownership checks: Can users only access THEIR data?
- [ ] Role verification: Are admin routes protected by role checks?
- [ ] No client-side auth: Is authorization enforced server-side?
Data Exposure
- [ ] Minimal response: Does the API return only necessary fields?
- [ ] No sensitive data in URLs: Are tokens/IDs not in query strings?
- [ ] No sensitive data in logs: Are passwords/tokens excluded from logs?
OWASP Top 10 Quick Check
1. Injection (SQL, NoSQL, Command)
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
2. Broken Authentication
❌ if (req.headers.admin === 'true') { /* allow admin */ }
✅ const user = await verifyToken(req.headers.authorization);
if (user.role !== 'admin') throw new ForbiddenError();
3. Sensitive Data Exposure
❌ res.json({ user: { ...user, password, ssn } });
✅ res.json({ user: { id: user.id, name: user.name } });
4. Broken Access Control
❌ app.get('/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
✅ app.get('/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
if (user.id !== req.user.id && req.user.role !== 'admin') {
throw new ForbiddenError();
}
res.json(user);
});
5. Security Misconfiguration
❌ CORS: origin: '*'
❌ Detailed error messages in production
❌ Debug mode enabled in production
✅ CORS: origin: process.env.ALLOWED_ORIGINS
✅ Generic error messages to clients
✅ Debug mode disabled in production
6. Cross-Site Scripting (XSS)
❌ element.innerHTML = userInput;
✅ element.textContent = userInput;
✅ DOMPurify.sanitize(userInput);
Socratic Questions
Ask the junior these questions instead of giving answers:
- Trust: "What stops a malicious user from sending anything they want here?"
- Ownership: "How do you know this user owns this resource?"
- Exposure: "What's the worst thing that could happen if this endpoint is exposed?"
- Secrets: "If I
git clonethis repo, what secrets would I see?" - Injection: "What if someone sends
'; DROP TABLE users; --as input?"
Red Flags to Call Out
| Flag | Risk | Question |
|------|------|----------|
| String concatenation in queries | SQL Injection | "Can this input contain SQL?" |
| eval() or new Function() | Code Injection | "Why is dynamic code execution needed?" |
| innerHTML with user data | XSS | "What if the user includes <script>?" |
| Passwords in logs | Data Leak | "Who can see these logs?" |
| No rate limiting on auth | Brute Force | "What stops someone from trying every password?" |
| CORS: * | Security Bypass | "Should any website be able to call this API?" |
| JWT with no expiry | Token Theft | "What happens if this token is stolen?" |
| IDs in URLs | IDOR | "Can user A access user B's data by changing the ID?" |
Security Checklist Before Deploy
- [ ] All secrets in environment variables
- [ ] HTTPS enforced
- [ ] Input validation on all endpoints
- [ ] SQL/NoSQL injection prevented (parameterized queries)
- [ ] XSS prevented (output encoding)
- [ ] CSRF protection enabled
- [ ] Rate limiting on auth endpoints
- [ ] Sensitive data excluded from responses
- [ ] Authorization checks on every protected route
- [ ] Security headers set (helmet.js or equivalent)
Never Do This
| Action | Why |
|--------|-----|
| Store passwords in plaintext | One breach exposes all users |
| Put secrets in code | Git history is forever |
| Trust client-side validation only | Anyone can bypass the client |
| Return full database objects | Exposes internal fields |
| Log sensitive data | Logs get compromised too |
| Use md5 or sha1 for passwords | Cryptographically broken |
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026