Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

michaelsvanbeek/security

Name: security
Author: michaelsvanbeek

skills/security/SKILL.md

npx skillsauth add michaelsvanbeek/personal-agent-skills security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Security Standards

When to Use

Reviewing code for security vulnerabilities
Implementing authentication or authorization
Configuring CORS, CSP, or security headers
Managing secrets and credentials
Auditing dependencies for known vulnerabilities
Auditing an existing application for OWASP top 10 vulnerabilities
Hardening an existing deployment (missing headers, overly permissive CORS, exposed secrets)
Designing IAM policies or access controls

OWASP Top 10 Checklist

Apply these checks to every service:

1. Broken Access Control

Enforce authorization on every endpoint, not just the UI.
Default to deny. Explicitly grant access, never implicitly allow.
Verify resource ownership: user A cannot access user B's resources even if they guess the ID.
Use middleware/decorators for authorization checks, not ad-hoc conditionals in route handlers.

2. Cryptographic Failures

Never store passwords in plaintext. Use bcrypt or argon2 with appropriate work factors.
Use TLS (HTTPS) for all communication. No exceptions.
Never commit secrets, tokens, or keys to version control.
Use strong random generation (secrets module in Python, crypto.randomUUID() in JS) for tokens and IDs.

3. Injection

SQL injection: Use parameterized queries or ORM methods. Never concatenate user input into SQL strings.
XSS: Sanitize and escape all user-provided content rendered in HTML. React's JSX escapes by default — never use dangerouslySetInnerHTML with untrusted data.
Command injection: Never pass user input to shell commands. Use subprocess with argument lists, not shell=True.
Template injection: Use auto-escaping template engines.

4. Insecure Design

Implement rate limiting on authentication endpoints.
Use CAPTCHA or progressive delays after repeated failed attempts.
Design multi-tenant systems with strict data isolation from the start.

5. Security Misconfiguration

Disable debug mode and stack traces in production.
Remove default credentials and sample pages.
Set security headers on all responses (see below).
Keep error messages generic in production — never leak internal details.

6. Vulnerable Components

Run dependency audits regularly:

pip-audit              # Python
npm audit              # Node.js

Pin dependency versions. Update dependencies on a regular cadence.
Subscribe to security advisories for critical dependencies.

7. Authentication Failures

Use established libraries for auth (Passport.js, python-jose, authlib). Never hand-roll JWT validation.
Enforce strong password policies or prefer OAuth2/OIDC.
Invalidate sessions on password change.
Use short-lived access tokens with refresh token rotation.

8. Data Integrity Failures

Verify signatures on JWTs. Never trust unverified tokens.
Validate webhook payloads using HMAC signatures.
Use checksums for file uploads and downloads.

9. Logging and Monitoring Failures

Log authentication attempts (success and failure).
Log authorization failures.
Never log secrets, tokens, or PII (see logging-metrics skill).
Alert on anomalous patterns (spike in 401s, unusual access patterns).

10. SSRF (Server-Side Request Forgery)

Validate and allowlist URLs before making server-side HTTP requests.
Never let user input directly control the destination of a server-side request.
Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.169.254).

Security Headers

Set these on all HTTP responses:

# FastAPI middleware example
@app.middleware("http")
async def security_headers(request, call_next):
    response = await call_next(request)
    response.headers["X-Content-Type-Options"] = "nosniff"
    response.headers["X-Frame-Options"] = "DENY"
    response.headers["X-XSS-Protection"] = "0"  # deprecated, but set to 0
    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
    response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return response

Content Security Policy (CSP)

Set a restrictive CSP and relax only as needed:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'

Start strict. Add exceptions only when a specific feature requires it.
Never use unsafe-eval in script-src.
Report violations: report-uri /csp-report or report-to directive.

Secrets Management

Never hardcode secrets in source code, config files, or environment variable defaults.
Store secrets in:
- AWS SSM Parameter Store (SecureString) for Lambda/serverless
- AWS Secrets Manager for rotation-capable secrets
- .env files for local development only (listed in .gitignore)
Rotate secrets on a regular schedule. Design systems to handle rotation gracefully.
Use separate secrets per environment (dev/staging/prod). Never share prod secrets with dev.

CORS

Never use Access-Control-Allow-Origin: * in production.
Allowlist specific origins. Configure per environment.
Restrict methods and headers to what the API actually uses.

app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # ["https://app.example.com"]
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
    allow_credentials=True,
)

Input Validation

Validate all external input at the system boundary: API request bodies, query params, headers, file uploads.
Use schema validation (Pydantic, Zod, JSON Schema). Reject anything that doesn't match the schema.
Validate and constrain: max lengths, allowed characters, numeric ranges, enum values.
Sanitize file names. Strip path components. Validate MIME types.
Reject unexpectedly large payloads early (set max_body_size).

IAM Best Practices (AWS)

Least privilege: Each Lambda/service gets only the permissions it needs.
Define per-function IAM statements: specific actions on specific resources.
Never use Effect: Allow, Action: *, Resource: *.
Use conditions to scope permissions: aws:SourceArn, aws:RequestedRegion.
Use IAM roles, not long-lived access keys.
Audit IAM policies regularly. Remove unused permissions.

For secrets storage, rotation, and lifecycle management, see the secrets-management skill. For dependency vulnerability auditing and supply chain security, see the dependency-management skill.

michaelsvanbeek/security

skills/security/SKILL.md

Application security standards and hardening practices. Use when: reviewing code for vulnerabilities, implementing authentication, configuring CORS, adding input validation, managing secrets, scanning dependencies, setting CSP headers, reviewing IAM policies, auditing an existing application for OWASP top 10 vulnerabilities, or hardening an existing deployment. Covers OWASP top 10, secrets management, dependency auditing, and security headers.

1 stars

development

Updated Apr 20, 2026

$ install --global

skillsauth

npx skillsauth add michaelsvanbeek/personal-agent-skills security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 20, 2026, 9:30 AM44.6s1 file scanned

SKILL.md

name:: security
description:: Application security standards and hardening practices. Use when: reviewing code for vulnerabilities, implementing authentication, configuring CORS, adding input validation, managing secrets, scanning dependencies, setting CSP headers, reviewing IAM policies, auditing an existing application for OWASP top 10 vulnerabilities, or hardening an existing deployment. Covers OWASP top 10, secrets management, dependency auditing, and security headers.

Security Standards

When to Use

Reviewing code for security vulnerabilities
Implementing authentication or authorization
Configuring CORS, CSP, or security headers
Managing secrets and credentials
Auditing dependencies for known vulnerabilities
Auditing an existing application for OWASP top 10 vulnerabilities
Hardening an existing deployment (missing headers, overly permissive CORS, exposed secrets)
Designing IAM policies or access controls

OWASP Top 10 Checklist

Apply these checks to every service:

1. Broken Access Control

Enforce authorization on every endpoint, not just the UI.
Default to deny. Explicitly grant access, never implicitly allow.
Verify resource ownership: user A cannot access user B's resources even if they guess the ID.
Use middleware/decorators for authorization checks, not ad-hoc conditionals in route handlers.

2. Cryptographic Failures

Never store passwords in plaintext. Use bcrypt or argon2 with appropriate work factors.
Use TLS (HTTPS) for all communication. No exceptions.
Never commit secrets, tokens, or keys to version control.
Use strong random generation (secrets module in Python, crypto.randomUUID() in JS) for tokens and IDs.

3. Injection

SQL injection: Use parameterized queries or ORM methods. Never concatenate user input into SQL strings.
XSS: Sanitize and escape all user-provided content rendered in HTML. React's JSX escapes by default — never use dangerouslySetInnerHTML with untrusted data.
Command injection: Never pass user input to shell commands. Use subprocess with argument lists, not shell=True.
Template injection: Use auto-escaping template engines.

4. Insecure Design

Implement rate limiting on authentication endpoints.
Use CAPTCHA or progressive delays after repeated failed attempts.
Design multi-tenant systems with strict data isolation from the start.

5. Security Misconfiguration

Disable debug mode and stack traces in production.
Remove default credentials and sample pages.
Set security headers on all responses (see below).
Keep error messages generic in production — never leak internal details.

6. Vulnerable Components

Run dependency audits regularly:

pip-audit              # Python
npm audit              # Node.js

Pin dependency versions. Update dependencies on a regular cadence.
Subscribe to security advisories for critical dependencies.

7. Authentication Failures

Use established libraries for auth (Passport.js, python-jose, authlib). Never hand-roll JWT validation.
Enforce strong password policies or prefer OAuth2/OIDC.
Invalidate sessions on password change.
Use short-lived access tokens with refresh token rotation.

8. Data Integrity Failures

Verify signatures on JWTs. Never trust unverified tokens.
Validate webhook payloads using HMAC signatures.
Use checksums for file uploads and downloads.

9. Logging and Monitoring Failures

Log authentication attempts (success and failure).
Log authorization failures.
Never log secrets, tokens, or PII (see logging-metrics skill).
Alert on anomalous patterns (spike in 401s, unusual access patterns).

10. SSRF (Server-Side Request Forgery)

Validate and allowlist URLs before making server-side HTTP requests.
Never let user input directly control the destination of a server-side request.
Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.169.254).

Security Headers

Set these on all HTTP responses:

# FastAPI middleware example
@app.middleware("http")
async def security_headers(request, call_next):
    response = await call_next(request)
    response.headers["X-Content-Type-Options"] = "nosniff"
    response.headers["X-Frame-Options"] = "DENY"
    response.headers["X-XSS-Protection"] = "0"  # deprecated, but set to 0
    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
    response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return response

Content Security Policy (CSP)

Set a restrictive CSP and relax only as needed:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'

Start strict. Add exceptions only when a specific feature requires it.
Never use unsafe-eval in script-src.
Report violations: report-uri /csp-report or report-to directive.

Secrets Management

Never hardcode secrets in source code, config files, or environment variable defaults.
Store secrets in:
- AWS SSM Parameter Store (SecureString) for Lambda/serverless
- AWS Secrets Manager for rotation-capable secrets
- .env files for local development only (listed in .gitignore)
Rotate secrets on a regular schedule. Design systems to handle rotation gracefully.
Use separate secrets per environment (dev/staging/prod). Never share prod secrets with dev.

CORS

Never use Access-Control-Allow-Origin: * in production.
Allowlist specific origins. Configure per environment.
Restrict methods and headers to what the API actually uses.

app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # ["https://app.example.com"]
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
    allow_credentials=True,
)

Input Validation

Validate all external input at the system boundary: API request bodies, query params, headers, file uploads.
Use schema validation (Pydantic, Zod, JSON Schema). Reject anything that doesn't match the schema.
Validate and constrain: max lengths, allowed characters, numeric ranges, enum values.
Sanitize file names. Strip path components. Validate MIME types.
Reject unexpectedly large payloads early (set max_body_size).

IAM Best Practices (AWS)

Least privilege: Each Lambda/service gets only the permissions it needs.
Define per-function IAM statements: specific actions on specific resources.
Never use Effect: Allow, Action: *, Resource: *.
Use conditions to scope permissions: aws:SourceArn, aws:RequestedRegion.
Use IAM roles, not long-lived access keys.
Audit IAM policies regularly. Remove unused permissions.

Related Skills

michaelsvanbeek/typescript

development

VerifiedTrustedCommunity

TypeScript coding standards and type safety conventions. Use when: creating TypeScript files, defining interfaces and types, writing type-safe code, reviewing TypeScript for type correctness, auditing a codebase for type safety gaps, eliminating any or ts-ignore usage, or improving strict-mode compliance. Covers strict typing, avoiding any and ts-ignore, discriminated unions, Zod runtime validation, immutability patterns, and proper type definitions.

1SKILL.mdUpdated Apr 20, 2026

michaelsvanbeek/typescript

michaelsvanbeek/ticket-writing

testing

VerifiedTrustedCommunity

Writing clear, actionable tickets in any issue tracker (Jira, Linear, GitHub Issues, ServiceNow, etc.). Use when: creating epics, stories, tasks, bugs, or spikes; writing acceptance criteria; decomposing work for a sprint; linking dependencies between tickets; auditing backlog items for clarity; or coaching a team on ticket quality. Covers title conventions, description templates, acceptance criteria, decomposition rules, dependency linking, and org-specific pluggable configuration.

1SKILL.mdUpdated Apr 20, 2026

michaelsvanbeek/ticket-writing

michaelsvanbeek/testing

development

VerifiedTrustedCommunity

Testing strategy, patterns, and evaluation for software and LLM/AI systems. Use when: writing tests, choosing test boundaries, designing test data, structuring test suites, evaluating LLM outputs, building evaluation pipelines, setting coverage thresholds, auditing test coverage gaps in existing projects, or improving test quality and structure.

1SKILL.mdUpdated Apr 20, 2026

michaelsvanbeek/testing

michaelsvanbeek/status-updates

development

VerifiedTrustedCommunity

Writing effective status updates for different audiences and cadences. Use when: writing a weekly status update, preparing a monthly summary, drafting a quarterly review, sending updates to leadership, sharing progress with stakeholders, or improving the clarity and impact of team communications. Covers weekly, monthly, and quarterly formats tailored for upward, lateral, and downward communication.

1SKILL.mdUpdated Apr 20, 2026

michaelsvanbeek/status-updates

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/michaelsvanbeek/personal-agent-skills.git

# Copy into Claude Code skills folder (global)
cp -r personal-agent-skills/skills/security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

michaelsvanbeek/personal-agent-skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT