aiskillstore/security-gate
skills/danielpodolsky/security-gate/SKILL.md
Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace security-gateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 1, 2026, 2:56 AM63.7s2 files scanned
SKILL.md
- name:
- security-gate
- description:
- Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.
Gate 2: Security Review
"Security isn't a feature you add later. It's a foundation you build on."
Purpose
This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.
Gate Status
- PASS — No security issues found
- WARNING — Issues found that should be fixed before production
- CRITICAL WARNING — Severe issues that really should block
Gate Questions
Question 1: Input Entry Points
"Where does user input enter this feature?"
Looking for:
- Awareness of all input sources (forms, URLs, headers, etc.)
- Understanding that ALL input is untrusted
- Identification of data flow
Follow-up if input exists:
"How is that input validated before it's used?"
Question 2: Data Access
"What data does this feature access? Who should be able to access it?"
Looking for:
- Understanding of data sensitivity
- Awareness of authorization requirements
- Knowledge of who can see what
Follow-up:
"How do you verify the requesting user is allowed to access this data?"
Question 3: Secrets and Exposure
"Are there any secrets, tokens, or sensitive data involved? Where are they stored?"
Looking for:
- Secrets in environment variables, not code
- No sensitive data in logs
- No tokens in URLs or client-side storage (unless necessary)
Security Checklist
Review the code for these common issues:
Input Handling
- [ ] All user input validated server-side
- [ ] Input length limits enforced
- [ ] Special characters handled (SQL, HTML, shell)
- [ ] File uploads validated (type, size, content)
Authentication & Authorization
- [ ] Protected routes require authentication
- [ ] Users can only access their own data
- [ ] Admin routes check admin role
- [ ] Tokens have reasonable expiration
Data Exposure
- [ ] API responses don't include unnecessary fields
- [ ] Errors don't expose internal details
- [ ] Logs don't contain passwords/tokens
- [ ] No sensitive data in URLs
Common Vulnerabilities
- [ ] No SQL string concatenation
- [ ] No
eval()ornew Function()with user input - [ ] No
innerHTMLwith unsanitized user input - [ ] No hardcoded secrets in code
Response Templates
If PASS
✅ SECURITY GATE: PASSED
Security considerations addressed:
- Input validation: ✓
- Authorization checks: ✓
- No exposed secrets: ✓
Moving to the next gate...
If WARNING
⚠️ SECURITY GATE: WARNING
I found [X] security considerations to address:
**Issue 1: [Title]**
Location: `file.ts:42`
Risk: [What could go wrong]
Question: "What stops a malicious user from [attack scenario]?"
**Issue 2: [Title]**
Location: `file.ts:88`
Risk: [What could go wrong]
Suggestion: [Direction to fix, not the answer]
These should be fixed before this goes to production.
Would you like to address them now?
If CRITICAL WARNING
🚨 SECURITY GATE: CRITICAL WARNING
This needs attention before proceeding:
**CRITICAL: [Issue]**
Location: `file.ts:42`
Risk: [Severity explanation - data breach, account takeover, etc.]
This is the kind of vulnerability that makes news headlines.
Let's fix this before anything else.
Common Vulnerabilities to Check
SQL Injection
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
Cross-Site Scripting (XSS)
❌ element.innerHTML = userInput;
✅ element.textContent = userInput;
Insecure Direct Object Reference (IDOR)
❌ // Anyone can access any user's data
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
✅ // Check ownership
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
if (user.id !== req.user.id) throw new ForbiddenError();
res.json(user);
});
Hardcoded Secrets
❌ const apiKey = 'sk-live-abc123';
✅ const apiKey = process.env.API_KEY;
Socratic Security Questions
Instead of pointing out the fix, ask:
- "What stops user A from accessing user B's data by changing the ID?"
- "If I send
<script>alert('XSS')</script>as my name, what happens?" - "What if someone sends 10MB of data to this endpoint?"
- "If I cloned this repo, what secrets would I see?"
- "What happens if someone guesses another user's token?"
Risk Level Guide
| Issue | Risk Level | Action | |-------|------------|--------| | SQL injection possible | CRITICAL | Must fix | | No rate limiting on auth | HIGH | Should fix | | Missing authorization check | HIGH | Should fix | | XSS possible | HIGH | Should fix | | Verbose error messages | MEDIUM | Recommend fix | | Missing input validation | MEDIUM | Recommend fix | | No CSRF protection | MEDIUM | Recommend fix | | CORS too permissive | LOW | Note for review |
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026