skills/SecurityBestPractices/SKILL.md
Language- and framework-specific security reviews for Python, JavaScript/TypeScript, and Go. USE WHEN the user requests a security review, secure-by-default coding help, or a vulnerability report. Not for general code review or debugging.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

    npx skillsauth add n4m3z/forge-core SecurityBestPractices
Language- and framework-specific security best practices — secure-by-default coding, passive detection, or a full vulnerability report.
Triggers only for Python, JavaScript/TypeScript, and Go. For other languages, rely on general knowledge and flag that concrete guidance is not available.
The references/ directory contains <language>-<framework>-<stack>-security.md files or a general <language>-general-<stack>-security.md; read all files that match the project's stack. Web apps need both frontend and backend references.

| Mode | Trigger | Behavior |
| --- | --- | --- |
| Write secure-by-default | Starting a new project or writing new code | Apply guidance proactively |
| Passively detect | Working in an existing project | Flag critical findings to the user inline |
| Full report | User explicitly requests it | Write security_best_practices_report.md with prioritized issues |
If no references exist for the stack, note that concrete guidance is unavailable but still perform the action based on general security knowledge.
Project-level documentation may require bypassing specific best practices. When overriding, report the override to the user without arguing. Suggest adding a note to project docs explaining the reason so the bypass is visible to future work.
Write the report to security_best_practices_report.md unless the user specifies another path.

Apply fixes one finding at a time. Add concise comments in the code pointing to the specific best practice. Consider regressions — insecure code often survives because it's load-bearing; break things and the user will reject future fixes.
Follow the project's commit and testing conventions. Commit messages should reference the security best practice being aligned to. Avoid bundling unrelated findings.
Use UUID4 or random hex strings instead of small auto-incrementing integers. Prevents enumeration attacks and resource-count inference.
Do not report missing TLS as a security issue — dev environments rarely have TLS or use an out-of-scope proxy. Set Secure on cookies only when the app is actually over TLS; otherwise local dev and testing break. Provide an env flag to gate Secure. Avoid recommending HSTS — its lasting impact (including major user lockouts) requires deep understanding.
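The two items above (non-enumerable identifiers, and gating the cookie Secure flag on an environment variable so plain-HTTP local dev keeps working) as an added Python example; this is not code from the skill or its references, and the `COOKIE_SECURE` variable name is an assumption.

```python
"""Added example: UUID4 resource IDs and an env-gated Secure cookie flag.
The COOKIE_SECURE variable name is assumed, not taken from the skill file."""
import os
import uuid
from http.cookies import SimpleCookie
from typing import Mapping, Optional


def new_resource_id() -> str:
    """Random UUID4 string: cannot be guessed or counted like a small
    auto-incrementing integer, so it defeats enumeration and count inference."""
    return str(uuid.uuid4())


def looks_enumerable(identifier: str) -> bool:
    """Passive-detection helper: a purely decimal public identifier is the
    usual sign of an auto-incrementing primary key leaking into URLs."""
    return identifier.isdigit()


def cookie_secure_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Read the gating flag. It defaults to off: a cookie marked Secure is never
    sent by the browser over http://, which silently breaks local dev logins."""
    env = os.environ if env is None else env
    return env.get("COOKIE_SECURE", "0").lower() in ("1", "true", "yes")


def session_cookie_header(name: str, value: str,
                          env: Optional[Mapping[str, str]] = None) -> str:
    """Build a Set-Cookie header value. HttpOnly, Path and SameSite are always
    set; Secure only when the deployment says it terminates TLS."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    if cookie_secure_enabled(env):
        morsel["secure"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample environments: local dev without TLS vs. TLS deployment.
    print(session_cookie_header("session", new_resource_id(), {}))
    print(session_cookie_header("session", new_resource_id(),
                                {"COOKIE_SECURE": "1"}))
    print(looks_enumerable("1042"), looks_enumerable(new_resource_id()))
```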