一键导入
plugin-api-server-security
Security review for plugin API endpoints (SimpleAPI, WebSocket) - authentication and authorization when your plugin is the SERVER
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Security review for plugin API endpoints (SimpleAPI, WebSocket) - authentication and authorization when your plugin is the SERVER
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | plugin-api-server-security |
| description | Security review for plugin API endpoints (SimpleAPI, WebSocket) - authentication and authorization when your plugin is the SERVER |
This skill provides security review guidelines for Canvas plugins that expose API endpoints. Use it to audit SimpleAPI and WebSocket handlers for proper authentication and authorization when your plugin is the SERVER receiving requests.
Use this skill when:
Always prefer the built-in authentication mixins over manual authenticate() implementations.
The Canvas SDK provides mixins that handle authentication correctly:
StaffSessionMixin - For staff-only endpointsPatientSessionMixin - For patient-only endpointsAPIKeyAuthMixin - For API key authenticationThese mixins are documented at: handlers-simple-api-http/#staff-session
Using mixins:
During security review, flag any manual authenticate() implementations and recommend using the appropriate mixin instead.
Reference the security_context.txt file for detailed security patterns and common vulnerabilities.
Canvas SDK reference and documentation. Use whenever a question, claim, or piece of code touches Canvas SDK capabilities, API usage, implementation patterns, or testing — including quick conversational questions ("how do I ingest ADTs?", "what's the import for X?", "does Canvas support Y?"). The bundled docs are the source of truth; do not answer Canvas SDK questions from memory.
FHIR API reference and documentation for Canvas plugins that need to read or write data via FHIR endpoints
This skill should be used when the user asks to "write tests", "create tests", "generate tests", "unit tests", "pytest", "test guidelines", "testing rules", "test standards", "how to test", "test this code", "add tests", "validate tests", "check tests", "improve tests", or when working with Python test files. Provides comprehensive guidelines for creating pytest unit tests with 100% coverage following strict naming conventions, mock patterns, and parametrization standards.
Custom Data anti-patterns and corrections for Canvas plugins - unnecessary compatibility checks, misuse of AttributeHubs vs CustomModels
Database query optimization for Canvas plugins - N+1 detection, prefetch_related, select_related
Security review for plugins acting as FHIR API clients - token management, scope validation, and patient-scoped authorization