一键在 Manus 中运行任何 Skill

$pwd:

eng-security-safety

Name: Eng Security Safety
Author: tjboudreaux

// Apply proactive threat modeling, least-privilege design, and safety guardrails before delivering any code or infrastructure change.

在 Manus 中运行

$ git log --oneline --stat

stars:1

forks:0

updated:2026年2月6日 04:08

SKILL.md

readonly

name	eng-security-safety
description	Apply proactive threat modeling, least-privilege design, and safety guardrails before delivering any code or infrastructure change.

Security and Safety Mindset

Intent

Treat every change as a potential attack surface or failure amplifier.
Ensure data classification, secret handling, and permission scopes stay compliant.
Bake safety checks (rate limits, input validation, monitoring) into the design, not after.

Baseline Checklist

Threat model quickly: Who could abuse this surface? What capabilities do they need? What happens if they succeed?
Data stewardship: Classify data touched (PII, payments, assets) and enforce encryption, retention, and locality rules.
Access + identity: Validate authn/authz paths, key rotation, wallet signatures, and privilege escalation barriers.
Dependency hygiene: Pin versions, verify licenses, review changelogs, and prefer audited libraries/contracts.
Secrets + config: Never log secrets; store them in the project’s approved secret manager. Guard env var usage.

Workflow

Enumerate entry points (mobile UI, API, smart contract, admin tools) and list unchecked inputs.
Define validation layers: schema-level, business-level, and environment-level (e.g., chain ID, platform version).
Ensure every state change is reversible or compensatable (feature flags, contract pausing, migration guards).
Instrument detection: structured logs, metrics, or on-chain events that can surface abuse or regressions fast.
Document explicit “never do” actions (e.g., disable signature checks, bypass paywalls) inside the PR/issue notes.

Verification

Run the project’s security/static analysis tooling (linters, contract analyzers, mobile scanners) and fix findings.
Peer review the threat model summary; confirm secrets and keys are absent from diffs/logs.
Validate abuse cases end-to-end (invalid payloads, replayed signatures, abusive traffic) before shipping.

related-skills.json

同仓库

eng-holistic-systems.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Model the end-to-end system, constraints, and failure modes before touching code; use whenever a change spans multiple layers or unclear requirements.

2026-02-061

eng-iterative-delivery.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Decompose work into safe, observable increments with feature flags, rollbacks, and communication baked in.

2026-02-061

eng-observability.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Design every change with traceability, diagnostics, and fast incident triage in mind across mobile, web, and web3 stacks.

2026-02-061

eng-performance.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Guard latency, memory, battery, bandwidth, and gas/compute budgets by measuring before and after every change.

2026-02-061

eng-quality-handoff.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Deliver changes with clear communication, reviewer-ready context, and follow-up accountability.

2026-02-061

eng-rigorous-validation.md

from "tjboudreaux/cc-plugin-engineering-excellence"

Enforce reproducible testing, automated verification, and evidence-driven sign-off before merging any change.

2026-02-061

package.json

"author": "tjboudreaux"

"repository": "tjboudreaux/cc-plugin-engineering-excellence"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	eng-security-safety
description	Apply proactive threat modeling, least-privilege design, and safety guardrails before delivering any code or infrastructure change.

Security and Safety Mindset

Intent

Treat every change as a potential attack surface or failure amplifier.
Ensure data classification, secret handling, and permission scopes stay compliant.
Bake safety checks (rate limits, input validation, monitoring) into the design, not after.

Baseline Checklist

Threat model quickly: Who could abuse this surface? What capabilities do they need? What happens if they succeed?
Data stewardship: Classify data touched (PII, payments, assets) and enforce encryption, retention, and locality rules.
Access + identity: Validate authn/authz paths, key rotation, wallet signatures, and privilege escalation barriers.
Dependency hygiene: Pin versions, verify licenses, review changelogs, and prefer audited libraries/contracts.
Secrets + config: Never log secrets; store them in the project’s approved secret manager. Guard env var usage.

Workflow

Enumerate entry points (mobile UI, API, smart contract, admin tools) and list unchecked inputs.
Define validation layers: schema-level, business-level, and environment-level (e.g., chain ID, platform version).
Ensure every state change is reversible or compensatable (feature flags, contract pausing, migration guards).
Instrument detection: structured logs, metrics, or on-chain events that can surface abuse or regressions fast.
Document explicit “never do” actions (e.g., disable signature checks, bypass paywalls) inside the PR/issue notes.

Verification

Run the project’s security/static analysis tooling (linters, contract analyzers, mobile scanners) and fix findings.
Peer review the threat model summary; confirm secrets and keys are absent from diffs/logs.
Validate abuse cases end-to-end (invalid payloads, replayed signatures, abusive traffic) before shipping.

eng-security-safety

Security and Safety Mindset

Intent

Baseline Checklist

Workflow

Verification

同仓库更多 Skills

同仓库更多 Skills

Security and Safety Mindset

Intent

Baseline Checklist

Workflow

Verification