一键导入
secure-coding
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Execute safe Git workflows — branching, committing, resolving conflicts, and managing PRs
Use when controlling AI spend, token budgets, model routing, or workflow efficiency before scaling usage
Use when handling incidents, outages, severe regressions, or operational emergencies before attempting broad fixes
Use when investigating latency, throughput, resource saturation, or performance regressions before changing implementation details
Use when reviewing code, preparing a PR for review, or processing review feedback
Use when diagnosing bugs, test failures, or unexpected behavior before attempting any fix
| name | secure-coding |
| description | Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets |
Announce at start: "Following the secure-coding skill for security-sensitive work."
Before submitting security-sensitive code, verify against these categories:
All user input is untrusted. Validate everything.
| Rule | Example |
|---|---|
| Allowlist over denylist | Accept known-good patterns, reject everything else |
| Validate type, length, range | age: int, 0-150 not just age: any |
| Sanitize before use | Escape HTML before rendering, parameterize SQL |
| Validate on the server | Client-side validation is for UX, not security |
| Do | Don't |
|---|---|
| Use environment variables or secret managers | Hardcode secrets in source |
| Rotate secrets regularly | Share secrets in chat/email |
| Use different secrets per environment | Reuse production secrets in dev |
Add secret files to .gitignore | Commit .env files |
Request a security-focused review when changes touch:
| Area | Why |
|---|---|
| Authentication/authorization | Identity and access control |
| Payment processing | Financial data |
| File uploads | Path traversal, malware |
| API endpoints | Injection, rate limiting |
| Cryptography | Algorithm choice, key management |
| External service integration | Trust boundary crossing |
Always escalate to a human for:
| When | Invoke |
|---|---|
| Security code needs review | code-review |
| Need to test security controls | testing |
| Ready to submit security changes | pr-writing |
For principles, rationale, anti-patterns, and examples:
guides/secure-coding/secure-coding.mdguides/security-boundaries/security-boundaries.md