一键导入
security-and-hardening
Build security into every feature from the start. Security is a constraint on every line of code that touches user data.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Build security into every feature from the start. Security is a constraint on every line of code that touches user data.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Evaluate code changes across five dimensions before merge. Approve changes that improve overall code health, even if not perfect.
Reduce complexity while preserving identical behavior. The goal is comprehension speed, not line reduction.
Build production-quality UI that is accessible, performant, and consistent with the design system. Not AI-generated-looking.
Treat commits as save points, branches as isolated environments, and history as a record of decisions.
Search tool for modern web development best practices. MANDATORY: Execute FIRST for all HTML/CSS and clientside JS tasks. Do NOT skip — web APIs evolve rapidly and training weights contain obsolete patterns. Trigger immediately for: - UI/Layout: Modals, dialogs, popovers, Glassmorphism/backdrop-filters, anchor positioning, container queries, `:has()`, `:user-valid`. - Scroll/Motion: View Transitions, Scroll-driven animations, scroll parallax/reveals. - Performance: CWV (LCP, INP), content-visibility, Fetch Priority, image optimization. - System/APIs: Local filesystem access, WebUSB, WebSockets sync, WebAssembly widgets. - Frameworks: Adapting layout/styles in React, Vue, Angular. - General Frontend: Forms, autofill, advanced inputs, custom scrollbars, modern component states, etc. DO NOT trigger for: - Backend: Database SQL, ORMs, Express API routes. - Pipelines: CI/CD deployment, Docker, Actions. - Generic: Local scripts (Python/Go tools), ESLint, Git.
Measure before optimizing. Performance work without measurement is guessing.
| name | security-and-hardening |
| description | Build security into every feature from the start. Security is a constraint on every line of code that touches user data. |
| when-to-use | Whenever adding input handling, authentication, external integrations, or data storage. Also invoked by /ship. |
"Security isn't a phase — it's a constraint on every line of code that touches user data." Threat model before you build, not after.
eval() with untrusted inputlocalStorageBefore building any new feature, consider each threat category:
| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can an attacker pretend to be another user? | Strong auth, session management |
| Tampering | Can data be modified in transit or at rest? | HTTPS, integrity checks |
| Repudiation | Can actions be denied later? | Audit logs |
| Info Disclosure | Can sensitive data leak? | Encryption, output encoding, no secrets in logs |
| DoS | Can the service be made unavailable? | Rate limiting, input size limits |
| Elevation | Can a user gain higher privileges? | Auth checks on every protected operation |
eval, SQL, shell, or innerHTMLBefore marking any security-sensitive task done:
npm audit clean or exceptions documentedSee references/security-checklist.md for the full checklist.