shipshitdev/security-expert
bundles/infrastructure/skills/security-expert/SKILL.md
Expert in application security, OWASP Top 10, authentication, authorization, data protection, and security best practices for React, Next.js, and NestJS applications
$ install --global
skillsauthnpx skillsauth add shipshitdev/library security-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 6:38 AM114.0s3 files scanned
SKILL.md
- name:
- security-expert
- description:
- Expert in application security, OWASP Top 10, authentication, authorization, data protection, and security best practices for React, Next.js, and NestJS applications
- version:
- 1.0.0
- tags:
- security, owasp, application-security
Security Expert Skill
Expert in application security for React, Next.js, and NestJS applications.
When to Use This Skill
- Implementing authentication or authorization
- Reviewing code for security vulnerabilities
- Setting up security configurations
- Handling sensitive data
- Implementing encryption or hashing
- Configuring CORS, CSP, or security headers
- Reviewing dependencies for vulnerabilities
- Implementing multi-tenancy or data isolation
Project Context Discovery
- Check
.agents/memory/for security architecture notes and project facts - Review
CLAUDE.md(repo-level and global) for security rules and "never do" constraints - Identify security patterns and tools
- Check for
[project]-security-expertskill
Core Security Principles
Authentication & Authorization
Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO
Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement
Input Validation
- DTOs with class-validator
- Sanitize user input
- Prevent NoSQL/SQL injection
- Parameterized queries
Data Protection
- Encryption at rest and in transit
- Passwords hashed (never plaintext)
- Environment variables for secrets
- No secrets in code
Security Headers
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security
- Content Security Policy
OWASP Top 10 Quick Reference
- Broken Access Control: Verify auth on all endpoints
- Cryptographic Failures: Strong encryption, proper hashing
- Injection: Parameterized queries, input validation
- Insecure Design: Security by design, threat modeling
- Security Misconfiguration: Secure defaults, remove unused features
- Vulnerable Components: Keep dependencies updated
- Authentication Failures: Strong passwords, MFA, brute force protection
- Integrity Failures: Secure CI/CD, code signing
- Logging Failures: Comprehensive logging, monitoring
- SSRF: Validate URLs, whitelist domains
Security Checklist Summary
- [ ] Passwords hashed (bcrypt/argon2)
- [ ] All endpoints protected
- [ ] Multi-tenancy enforced
- [ ] All inputs validated
- [ ] Encryption at rest/transit
- [ ] Security headers configured
- [ ] CORS properly configured
- [ ] Dependencies up to date
For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: references/full-guide.md
Related Skills
shipshitdev/execution-validator
testing
VerifiedTrustedCommunity
Use this skill when users need to validate a launch plan, assess MVP scope, or determine if they're ready to execute. Activates for "validate my plan," "am I ready to launch," "is my scope too big," or when assessing action readiness.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/execution-accelerator
testing
VerifiedTrustedCommunity
Use this skill when users are stuck on a decision, overthinking, experiencing analysis paralysis, or need to ship faster. Activates for "should I wait," "I can't decide," "I'm overthinking," or when speed is critical and perfectionism is the enemy.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/early-hiring-advisor
development
VerifiedTrustedCommunity
Use this skill when users need to make early hires, build their founding team, determine compensation/equity, decide who to hire first, or scale from founders to first employees. Activates for "who should I hire first," "early hiring," "equity for employees," or team building questions.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/constraint-eliminator
data-ai
VerifiedTrustedCommunity
Use this skill when users need to remove customer friction, improve customer success, handle objections, design guarantees, or eliminate obstacles between customers and results. Activates for customer success issues, objection handling, or "customers can't get results" problems.
24SKILL.mdUpdated Jun 4, 2026