lidge-jun/security-best-practices
security-best-practices/SKILL.md
Perform language and framework specific security best-practice reviews and suggest improvements. Trigger only when the user explicitly requests security best practices guidance, a security review/report, or secure-by-default coding help. Trigger only for supported languages (python, javascript/typescript, go). Do not trigger for general code review, debugging, or non-security tasks.
$ install --global
skillsauthnpx skillsauth add lidge-jun/cli-jaw-skills security-best-practicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 3, 2026, 5:54 AM351.1s12 files scanned
SKILL.md
- name:
- security-best-practices
- description:
- Perform language and framework specific security best-practice reviews and suggest improvements. Trigger only when the user explicitly requests security best practices guidance, a security review/report, or secure-by-default coding help. Trigger only for supported languages (python, javascript/typescript, go). Do not trigger for general code review, debugging, or non-security tasks.
Security Best Practices
Workflow
- Identify languages and frameworks in scope — inspect the repo if unclear. Cover both frontend and backend for web apps.
- Load matching references from
references/. Filename format:<language>-<framework>-<stack>-security.md. Also check<language>-general-<stack>-security.md. For unspecified web frontends, checkjavascript-general-web-frontend-security.md. - If no references match, apply well-known security practices for the detected stack. When generating a report, note that concrete guidance is unavailable.
Modes
- Secure-by-default coding — apply guidance to all new code going forward
- Passive detection — flag critical vulnerabilities encountered while working; focus on highest-impact issues
- Security report — produce a prioritized report (see Report Format below), then offer to fix findings
Overrides
Project docs or prompt files may override specific practices. Respect these overrides — suggest documenting the rationale so future work stays consistent.
Report Format
Write to security_best_practices_report.md (or user-specified path).
- Executive summary at top
- Sections grouped by severity (critical → low)
- Each finding has a numeric ID, file path with line numbers, and (for critical) a one-sentence impact statement
- After writing, summarize findings to the user and note the file location
Fixes
- Fix one finding at a time with clear comments explaining the security rationale
- Consider regression risk — insecure code is often depended on elsewhere. A careful, project-aware fix is better than a quick one
- Follow the project's commit and testing workflows; use clear commit messages referencing the finding
- Ask the user before applying fixes from a report; notify and ask for critical passive findings
General Security Advice
- Public resource IDs: use UUID4 or random hex instead of auto-incrementing integers — prevents enumeration and ID guessing
- TLS/HSTS: avoid flagging missing TLS in dev environments. Set
Securecookies only when the app runs over TLS (provide an env flag to toggle). Avoid recommending HSTS — misconfiguration causes lasting outages and user lockout
Related Skills
lidge-jun/goal
development
VerifiedTrustedCommunity
Goal execution guidelines with PABCD integration, verification tiers, documentation workflow, and AI-driven planning
4SKILL.mdUpdated Jun 5, 2026
lidge-jun/xurl
tools
VerifiedTrustedCommunity
A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.
4SKILL.mdUpdated May 7, 2026
lidge-jun/xlsx_original
development
VerifiedTrustedCommunity
Use this skill any time a spreadsheet file is the primary input or output (.xlsx, .xlsm, .csv, .tsv). This includes: creating, reading, editing, analyzing, or formatting spreadsheets; cleaning messy tabular data; converting between formats; and data visualization with charts. Also use for pandas-based data analysis when the deliverable is a spreadsheet. Do NOT trigger when the primary deliverable is a Word document, HTML report, standalone Python script, database pipeline, or Google Sheets API integration.
4SKILL.mdUpdated May 6, 2026
lidge-jun/officecli-financial-model
tools
VerifiedTrustedCommunity
Use this skill when the user wants to build a financial model, 3-statement model, DCF valuation, cap table, scenario analysis, or financial projections in Excel. Trigger on: 'financial model', '3-statement model', 'DCF', 'cap table', 'pro forma', 'projections', 'sensitivity analysis', 'waterfall', 'debt schedule', 'break-even', 'discounted cash flow', 'capitalization table', 'fundraising model', 'WACC calculation', 'scenario analysis model'. Input is a text prompt with assumptions. Output is a single .xlsx file with formula-driven, interconnected statement sheets.
4SKILL.mdUpdated May 6, 2026