plugins/autonomous-dev/skills/security-patterns/SKILL.md
Security best practices covering API key management, input validation, injection prevention, and OWASP patterns. Use when handling secrets, user input, or security-sensitive code. TRIGGER when: security, API key, secret, input validation, injection, OWASP. DO NOT TRIGGER when: non-security code, styling, documentation, test scaffolding.
Security best practices and patterns for secure development.
See: code-examples.md for Python implementations
See: templates.md for checklists and config templates
Rule: Never hardcode secrets. Always use environment variables via .env files.
```python
import os

# ✅ CORRECT
api_key = os.getenv("ANTHROPIC_API_KEY")
# ❌ WRONG
api_key = "sk-ant-1234567890abcdef"  # NEVER!
```
See: code-examples.md#api-keys--secrets for full validation code
Rule: Always validate paths are within allowed directories.
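```python
# Use is_relative_to() to prevent ../ attacks.
# Resolve both paths first: is_relative_to() compares components as written
# and does not collapse ".." or follow symlinks by itself.
if not file_path.resolve().is_relative_to(base_dir.resolve()):
    raise ValueError("Path traversal detected")
```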
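An added example, not taken from this skill or its code-examples.md, showing why the containment check has to run on resolved paths: `is_relative_to()` compares components as written, so `..` segments, absolute inputs and symlinks are only caught once `resolve()` has been applied. The names `safe_join`, `verdict` and `demo` and all sample paths are constructed for illustration; Python 3.9+ is assumed.

```python
import os
import tempfile
from pathlib import Path


def safe_join(base_dir: Path, user_path: str) -> Path:
    """Hypothetical helper: return the resolved target, or raise if it escapes."""
    base = base_dir.resolve()
    # resolve() collapses ".." and follows symlinks; is_relative_to() is lexical.
    target = (base / user_path).resolve()
    if not target.is_relative_to(base):
        raise ValueError("Path traversal detected")
    return target


def verdict(base: Path, user_path: str) -> str:
    try:
        safe_join(base, user_path)
        return "allowed"
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Run constructed sample inputs through the unresolved and resolved checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        outside = Path(tmp) / "outside"
        base.mkdir()
        outside.mkdir()
        (base / "report.txt").write_text("ok")
        results = {
            # Without resolve(), the ".." components are never collapsed.
            "lexical_dotdot": (base / "../outside/x").is_relative_to(base),
            "report.txt": verdict(base, "report.txt"),
            "sub/../report.txt": verdict(base, "sub/../report.txt"),
            "../outside/x": verdict(base, "../outside/x"),
            "/etc/hostname": verdict(base, "/etc/hostname"),
        }
        try:
            os.symlink(outside, base / "link")  # link inside base, target outside
            results["link/x"] = verdict(base, "link/x")
        except (OSError, NotImplementedError):
            results["link/x"] = "skipped"  # platform disallows symlinks
        return results


if __name__ == "__main__":
    print(demo())
```

The check is only valid at the moment it runs: open the returned resolved path rather than re-joining the user-supplied string afterwards.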
Rule: Never use shell=True. Pass arguments as lists.
```python
import subprocess

# ✅ CORRECT
subprocess.run([command] + args, shell=False)
# ❌ WRONG
subprocess.run(f"ls {user_input}", shell=True)  # Injection risk!
```
Rule: Always use parameterized queries.
```python
# ✅ CORRECT
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
# ❌ WRONG
cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")
```
See: code-examples.md#input-validation for complete examples
| Use Case | Permission | Octal |
|----------|------------|-------|
| Sensitive files | rw------- | 0o600 |
| Sensitive dirs | rwx------ | 0o700 |
| Public files | rw-r--r-- | 0o644 |
See: code-examples.md#file-operations-security
Rule: Use secrets module for security-sensitive random values.
```python
import random
import secrets

# ✅ CORRECT
token = secrets.token_hex(32)
# ❌ WRONG
token = str(random.randint(0, 999999))  # Not cryptographically secure!
```
See: code-examples.md#cryptographic-operations for password hashing
Rule: Never log full secrets. Mask sensitive values.
```python
import logging

# ✅ CORRECT
masked_key = api_key[:7] + "***" + api_key[-4:]
logging.info(f"Using key {masked_key}")
# ❌ WRONG
logging.info(f"Using key {api_key}")  # Exposes full key!
```
```bash
# Check for vulnerabilities
pip install safety && safety check
# OR
pip install pip-audit && pip-audit
```
- is_relative_to()
- secrets module

See: templates.md#owasp-top-10-quick-reference