| name | security-checklist |
| description | When reviewing or writing code, use this security checklist to identify common vulnerabilities and unsafe patterns. Invoke for security-focused code review, audit, or before finishing a feature. |
| license | MIT |
| compatibility | opencode |
What I do
Provide a structured security checklist covering input validation, authentication, data protection, error handling, dependencies, logging, business logic, and framework-specific concerns.
When to use me
- Before marking a feature as complete
- During code review or security audit
- When handling user input, authentication, cryptography, or external dependencies
- When the issue involves security, privacy, or compliance requirements
How to use me
Apply the checklist by category. Do not treat it as a pass/fail gate; use it to surface risks and decide whether to fix, document, or escalate.
Input validation
Authentication & authorization
Data protection
Error handling
Dependencies & configuration
Logging & monitoring
Business logic
Framework / language specific
- Web: [ ] CSRF token, [ ] SameSite cookie, [ ] HttpOnly cookie
- SQL: [ ] Parameterization (see Input validation), [ ] Prefer ORM
- Containers: [ ] Non-root user, [ ] Minimal base image, [ ] Image scanning
- Kubernetes: [ ] RBAC, [ ] NetworkPolicy, [ ] Pod Security Standards
- AI/LLM: [ ] Input sanitization (prevents prompt injection), [ ] Output filtering (prevents info leakage), [ ] Token limits
Output format
For each checklist item, provide a verdict:
- ✅ Pass: Clear evidence that it is implemented
- ⚠️ Needs verification: Requires more information or context
- ❌ Fail: Clear vulnerability or anti-pattern found – must be fixed or escalated
- ⏭️ Not applicable: Current changes do not involve this area
When you find ❌ or ⚠️, use the inline-comments skill to leave traceable notes at the relevant code or documentation locations.