examples/plugins/security-guidance/skills/security-best-practices/SKILL.md
Security best practices and vulnerability prevention guidelines
When writing code, follow these security best practices to prevent common vulnerabilities.
Always validate and sanitize user input:

```python
# ❌ Bad - trusting user input
user_id = request.args.get('id')
query = f"SELECT * FROM users WHERE id = {user_id}"

# ✅ Good - parameterized query
user_id = request.args.get('id')
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
```
Implement secure authentication:

```python
# ✅ Good - using bcrypt
import bcrypt

def hash_password(password: str) -> bytes:
    # gensalt() picks a fresh random salt; the cost factor is embedded in the hash
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt())

def verify_password(password: str, hash: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hash)
```
Check permissions on every request:

```python
# ✅ Good - checking authorization
def delete_post(post_id: int, user: User):
    post = get_post(post_id)
    # Object-level check: the caller must own the post or be an admin
    if post.author_id != user.id and not user.is_admin:
        raise PermissionError("Not authorized")
    delete_post_from_db(post_id)
```
Never hardcode secrets:

```python
# ❌ Bad
API_KEY = "sk-1234567890abcdef"

# ✅ Good
import os
API_KEY = os.environ.get('API_KEY')
```

- .env files for development (in .gitignore)

Always use parameterized queries:
```python
# ❌ Bad - string concatenation
cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

# ✅ Good - parameterized
cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

# ✅ Good - ORM
User.query.filter_by(name=name).first()
```
Escape output and use Content Security Policy:

```jinja
{# ✅ Good - escaping in templates (Jinja2) #}
{{ user_input }} {# Auto-escaped #}
```

```python
# ✅ Good - explicit escaping
from markupsafe import escape
safe_output = escape(user_input)
```

```javascript
// ❌ Bad
element.innerHTML = userInput;

// ✅ Good
element.textContent = userInput;
```
Implement CSRF tokens:

```html
<form method="POST">
  <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
  ...
</form>
```
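The form above only shows the client side. As an added example (not part of the original skill file), the server-side half: a token bound to the session via an HMAC over a random nonce, verified in constant time. The secret key and session id are constructed placeholders; a real application loads the key from the environment and takes the session id from its session store.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: in production read this from the environment
SECRET_KEY = b"example-secret-replace-via-environment"
NONCE_HEX_LEN = 32  # 16 random bytes, hex-encoded


def generate_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Return "<nonce>.<mac>" where mac = HMAC-SHA256(secret, session_id:nonce).

    Binding the token to the session id means a token minted for one session
    cannot be replayed in another, and no per-token server state is needed.
    """
    nonce = secrets.token_hex(NONCE_HEX_LEN // 2)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != NONCE_HEX_LEN:
        return False
    try:
        bytes.fromhex(nonce)  # reject anything that is not plain hex
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, mac)


def handle_post(form: dict, session_id: str) -> bool:
    """Accept a state-changing request only with a valid token for this session."""
    return verify_csrf_token(form.get("csrf_token", ""), session_id)
```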
Set security headers:

```python
# Flask example
from flask import Flask

app = Flask(__name__)

@app.after_request
def set_secure_headers(response):
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['X-Frame-Options'] = 'DENY'
    # Legacy header; current browsers ignore it, CSP below is the effective control
    response.headers['X-XSS-Protection'] = '1; mode=block'
    response.headers['Content-Security-Policy'] = "default-src 'self'"
    return response
```
Don't expose sensitive information in errors:

```python
# ❌ Bad - exposing stack trace
except Exception as e:
    return {"error": str(e), "stack": traceback.format_exc()}

# ✅ Good - generic error message (details go to the server log only)
except Exception as e:
    logger.error(f"Error: {e}", exc_info=True)
    return {"error": "An internal error occurred"}
```
Keep dependencies updated:

```shell
# Check for vulnerabilities
pip-audit
npm audit
snyk test
```
Validate file paths to prevent path traversal:

```python
import os

# ✅ Good - validate path is within allowed directory
def safe_read(user_path: str, base_dir: str) -> str:
    base = os.path.realpath(base_dir)
    # realpath resolves ".." segments and symlinks before the check
    full_path = os.path.realpath(os.path.join(base_dir, user_path))
    # Compare whole path components: a plain startswith() would accept
    # "/srv/data2" as being inside "/srv/data"
    if os.path.commonpath([base, full_path]) != base:
        raise ValueError("Path traversal attempt")
    with open(full_path) as f:
        return f.read()
```
Log security events but not sensitive data:

```python
# ❌ Bad - logging passwords
logger.info(f"Login attempt: user={username}, password={password}")

# ✅ Good - logging without sensitive data
logger.info(f"Login attempt: user={username}, success={success}")
```
| Vulnerability | Prevention |
|--------------|------------|
| SQL Injection | Parameterized queries |
| XSS | Output encoding, CSP |
| CSRF | CSRF tokens |
| Path Traversal | Path validation |
| Command Injection | Avoid shell=True |
| Hardcoded Secrets | Environment variables |
| Weak Passwords | bcrypt/argon2, complexity rules |