Security is not a feature. It's a constraint on all features.
Never trust user input. Never hardcode secrets. Defense in depth.
45% of AI-generated code contains known security flaws - verify everything.
Check for existing security patterns in codebase. Follow them.
Never bypass security checks "for now" or "temporarily."
Skill-specific: skills/security/reference/security-research.md
-
Secrets check — grep for hardcoded keys/passwords/tokens before any commit.
(gate: git grep -E "(api_key|apiKey|password|secret|token)\s*=\s*['\"][^'\"]{8,}" returns empty)
-
Input validation — all user input validated at API boundary with schema (Zod/Pydantic).
(gate: every public endpoint parses input through schema before use; see code patterns in reference)
-
SQL injection — all queries parameterized; no string concatenation with user data.
(gate: grep for template literal SQL with user variables returns empty)
-
XSS prevention — user-provided HTML sanitized (DOMPurify); CSP headers configured.
(gate: dangerouslySetInnerHTML only appears with DOMPurify wrapping)
-
Authentication — tokens in httpOnly cookies, not localStorage; auth checked per-request.
(gate: no localStorage.setItem('token'; every protected route has auth check)
-
Authorization — role/ownership check before every sensitive operation.
(gate: no delete/update/admin endpoint without requester role verification)
-
CSRF protection — tokens on state-changing requests; SameSite=Strict on session cookies.
(gate: POST/PUT/DELETE endpoints verify X-CSRF-Token or use SameSite cookie)
-
Rate limiting — enabled on all public endpoints; stricter on expensive ops.
(gate: every /api/ route has rate limit middleware)
-
Error handling — generic messages in responses; stack traces only in server logs.
(gate: no error.stack or internal paths in HTTP response bodies)
-
Dependency audit — npm audit / pip-audit clean; lockfile committed.
(gate: audit exits 0 or all findings are acknowledged with justification)
-
Supply chain — verify package existence + download counts before installing AI-suggested packages.
(gate: no packages added without explicit npm/pypi verification; see supply chain patterns in reference)
-
Prompt injection (AI-integrated features) — user text never interpolated into system prompts; LLM output validated before use.
(gate: no f-string/template system prompt with raw user input; see prompt injection patterns in reference)
-
Agent permissions — every spawned agent has explicit tool allowlist + file scope; no admin-by-default.
(gate: spawn contract lists allowed tools ≤5; sensitive scopes named explicitly)
-
Risk-based review priority — when doing a full security review pass, prioritize in order: logic changes → deleted validations → auth flows → query changes → areas with prior security incidents. Start where impact is highest. Highest-risk categories (auth, cryptography, payment flows, secrets/credential handling) require human sign-off regardless of AI review confidence — never delegate final approval to automation alone.
-
Automated coverage baseline — automated checks (ESLint + AI linters + security scanners) catch 70–80% of common issues. Wire Snyk MCP into the dev loop to let Claude scan for vulnerabilities and dependency CVEs inline, without a separate review step.
-
Deny-first permissions — configure deny rules for sensitive directories (migrations/, secrets/, .env*) BEFORE allow/ask rules in .claude/settings.json. Files invisible via deny can't be accessed even if Claude generates a path to them — stronger than a hook because it acts at the permissions layer, not the script layer.
-
AI-generated code defect rate — AI-generated PRs contain 1.7× more defects than human-only PRs. Apply proportionally stricter review to AI-generated changes: security linter + human sign-off on auth/payment/secrets paths, regardless of AI review confidence. "45% of AI-generated code contains security vulnerabilities" compounds this — never waive the security checklist for AI-authored code.
-
Difference-aware PR scanning — scan against the PR diff, not the full codebase. Scoping to changed lines produces focused, change-contextual findings rather than codebase-wide noise that reviewers learn to ignore. Pair with two-stage refutation: first pass generates candidate findings; second pass asks Claude to refute each one ("what evidence would disprove this vulnerability?"), filtering false positives before surfacing to human reviewers.
-
NIST SP 800-218A for AI-assisted development — the three essential security frameworks in 2026 are: OWASP Top 10 (traditional app vulnerabilities), OWASP Top 10 for LLM Applications (prompt injection, insecure output handling, training data poisoning), and NIST SP 800-218A (extends the NIST SSDF to the AI code generation pipeline). SP 800-218A requirements: document AI tool usage in the SBOM, apply the same secure coding standards to AI-generated code as hand-written code, and require human sign-off on AI-authored components touching safety-critical paths. Treat the AI generation pipeline as part of the supply chain — not a trusted internal tool.
<on_complete>
agentdb write-end '{"skill":"security","vectors_checked":["injection","xss","authz","secrets"],"findings":N}'
</on_complete>
