ワンクリックで
secure-coding
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Execute safe Git workflows — branching, committing, resolving conflicts, and managing PRs
Use when controlling AI spend, token budgets, model routing, or workflow efficiency before scaling usage
Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes
Use when investigating latency, throughput, resource saturation, or performance regressions before changing implementation details
Use when reviewing code, preparing a PR for review, or processing review feedback
Use when diagnosing bugs, test failures, or unexpected behavior before attempting any fix
| name | secure-coding |
| description | Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets |
Announce at start: "Following the secure-coding skill for security-sensitive work."
Before submitting security-sensitive code, verify against these categories:
All user input is untrusted. Validate everything.
| Rule | Example |
|---|---|
| Allowlist over denylist | Accept known-good patterns, reject everything else |
| Validate type, length, range | age: int, 0-150 not just age: any |
| Sanitize before use | Escape HTML before rendering, parameterize SQL |
| Validate on the server | Client-side validation is for UX, not security |
| Do | Don't |
|---|---|
| Use environment variables or secret managers | Hardcode secrets in source |
| Rotate secrets regularly | Share secrets in chat/email |
| Use different secrets per environment | Reuse production secrets in dev |
Add secret files to .gitignore | Commit .env files |
Request a security-focused review when changes touch:
| Area | Why |
|---|---|
| Authentication/authorization | Identity and access control |
| Payment processing | Financial data |
| File uploads | Path traversal, malware |
| API endpoints | Injection, rate limiting |
| Cryptography | Algorithm choice, key management |
| External service integration | Trust boundary crossing |
Always escalate to a human for:
| When | Invoke |
|---|---|
| Security code needs review | code-review |
| Need to test security controls | testing |
| Ready to submit security changes | pr-writing |
For principles, rationale, anti-patterns, and examples:
guides/secure-coding/secure-coding.mdguides/security-boundaries/security-boundaries.md