oliver-kriska/security
plugins/elixir-phoenix/skills/security/SKILL.md
Enforce Elixir/Phoenix security — auth, OAuth, sessions, CSRF, XSS, SQL injection, input validation, secrets. Use when editing auth files, login flows, RBAC, or API keys.
$ install --global
skillsauthnpx skillsauth add oliver-kriska/claude-elixir-phoenix securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 8:07 PM4.4s8 files scanned
SKILL.md
- name:
- security
- description:
- Enforce Elixir/Phoenix security — auth, OAuth, sessions, CSRF, XSS, SQL injection, input validation, secrets. Use when editing auth files, login flows, RBAC, or API keys.
- effort:
- medium
- user-invocable:
- false
Elixir/Phoenix Security Reference
Quick reference for security patterns in Elixir/Phoenix.
Iron Laws — Never Violate These
- VALIDATE AT BOUNDARIES — Never trust client input. All data through changesets
- NEVER INTERPOLATE USER INPUT — Use Ecto's
^operator, never string interpolation - NO String.to_atom WITH USER INPUT — Atom exhaustion DoS. Use
to_existing_atom/1 - AUTHORIZE EVERYWHERE — Check in contexts AND re-validate in LiveView events
- ESCAPE BY DEFAULT — Never use
raw/1with untrusted content - SECRETS NEVER IN CODE — All secrets in
runtime.exsfrom env vars
Quick Patterns
Timing-Safe Authentication
def authenticate(email, password) do
user = Repo.get_by(User, email: email)
cond do
user && Argon2.verify_pass(password, user.hashed_password) ->
{:ok, user}
user ->
{:error, :invalid_credentials}
true ->
Argon2.no_user_verify() # Timing attack prevention
{:error, :invalid_credentials}
end
end
LiveView Authorization (CRITICAL)
# RE-AUTHORIZE IN EVERY EVENT HANDLER
def handle_event("delete", %{"id" => id}, socket) do
post = Blog.get_post!(id)
# Don't trust that mount authorized this action!
with :ok <- Bodyguard.permit(Blog, :delete_post, socket.assigns.current_user, post) do
Blog.delete_post(post)
{:noreply, stream_delete(socket, :posts, post)}
else
_ -> {:noreply, put_flash(socket, :error, "Unauthorized")}
end
end
SQL Injection Prevention
# ✅ SAFE: Parameterized queries
from(u in User, where: u.name == ^user_input)
# ❌ VULNERABLE: String interpolation
from(u in User, where: fragment("name = '#{user_input}'"))
Quick Decisions
What to validate?
- All user input → Ecto changesets
- File uploads → Extension + magic bytes + size
- Paths →
Path.safe_relative/2for traversal - Atoms →
String.to_existing_atom/1only
What to escape?
- HTML output → Auto-escaped by default (
<%= %>) - User HTML → HtmlSanitizeEx with scrubber
- Never →
raw/1with untrusted content
Anti-patterns
| Wrong | Right |
|-------|-------|
| "SELECT * FROM users WHERE name = '#{name}'" | from(u in User, where: u.name == ^name) |
| String.to_atom(user_input) | String.to_existing_atom(user_input) |
| <%= raw @user_comment %> | <%= @user_comment %> |
| Hardcoded secrets in config | runtime.exs from env vars |
| Auth only in mount | Re-auth in every handle_event |
References
For detailed patterns, see:
${CLAUDE_SKILL_DIR}/references/authentication.md- phx.gen.auth, MFA, sessions${CLAUDE_SKILL_DIR}/references/authorization.md- Bodyguard, scopes, LiveView auth${CLAUDE_SKILL_DIR}/references/input-validation.md- Changesets, file uploads, paths${CLAUDE_SKILL_DIR}/references/security-headers.md- CSP, CSRF, rate limiting, headers${CLAUDE_SKILL_DIR}/references/oauth-linking.md- OAuth account linking, token management${CLAUDE_SKILL_DIR}/references/rate-limiting.md- Composite key strategies, Hammer patterns${CLAUDE_SKILL_DIR}/references/advanced-patterns.md- SSRF prevention, secrets management, supply chain
Related Skills
oliver-kriska/phx:verify
development
VerifiedTrustedCommunity
Verify Elixir/Phoenix changes — compile, format, and test in one loop. Use after implementation, before PRs, or after fixing bugs.
405SKILL.mdUpdated Apr 7, 2026
oliver-kriska/elixir-idioms
development
VerifiedTrustedCommunity
OTP/BEAM patterns and Elixir idioms — GenServer, Supervisor, Task, Registry, pattern matching, with chains, pipes. Use when designing processes or debugging BEAM issues.
405SKILL.mdUpdated Apr 7, 2026
oliver-kriska/lab:autoresearch
tools
VerifiedTrustedCommunity
Self-improving loop for plugin skills. Reads program.md, proposes one mutation per iteration, evaluates against deterministic scorer, keeps improvements via git, reverts failures. Targets weakest skill+dimension. Use with /loop for overnight runs.
340SKILL.mdUpdated Apr 7, 2026
oliver-kriska/phx:audit
development
VerifiedTrustedCommunity
Project health audit and health check — architecture, performance, tests, dependencies, code quality. Use when assessing overall project health, before releases, or after refactors.
339SKILL.mdUpdated Apr 7, 2026