> android-legacy-security

Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)


Android Legacy Security Standards

Priority: P0

1. Secure Intents and Components

  • Set android:exported="false" for all internal Activities/Services unless needed for deep links.
  • Check that resolveActivity returns a non-null component before starting implicit intents.
  • Treat all incoming Intent extras as untrusted — validate all schema/data types.

See hardening examples for manifest and component restrictions.

2. Lock Down WebViews

  • Default to javaScriptEnabled = false. Use WebViewClient and WebChromeClient to restrict navigation.
  • Disable allowFileAccess and allowFileAccessFromFileURLs to prevent local file theft via XSS.
  • If using @JavascriptInterface (API 17+), strictly limit the exposed API surface.

See hardening examples for WebView lockdown patterns.
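
The WebView rules above applied in Kotlin, as an added example that is not taken from the skill's own hardening examples. The allowlisted host `help.example.com` and the helper names `isAllowedUrl`, `hardenWebView` and `loadTrusted` are assumptions.

```kotlin
import android.net.Uri
import android.os.Message
import android.webkit.WebChromeClient
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumption: placeholder allowlist; replace with the hosts the app really needs.
private val ALLOWED_HOSTS = setOf("help.example.com")

/** True only for https URLs whose host is exactly on the allowlist. */
fun isAllowedUrl(uri: Uri): Boolean {
    val host = uri.host?.lowercase() ?: return false
    return uri.scheme == "https" && host in ALLOWED_HOSTS
}

@Suppress("DEPRECATION") // the *FromFileURLs setters are deprecated since API 30
fun hardenWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = false
        allowFileAccess = false
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false // sibling setting, not listed above
        setSupportMultipleWindows(false)
    }
    webView.webViewClient = object : WebViewClient() {
        // Returning true cancels the navigation inside the WebView.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest) =
            !isAllowedUrl(request.url)
    }
    webView.webChromeClient = object : WebChromeClient() {
        // Refuse window.open()/target=_blank requests for a new WebView.
        override fun onCreateWindow(view: WebView, isDialog: Boolean,
                                    isUserGesture: Boolean, resultMsg: Message) = false
    }
}

/** shouldOverrideUrlLoading is not invoked for loadUrl(), so check the first URL here. */
fun loadTrusted(webView: WebView, url: String): Boolean {
    val uri = Uri.parse(url)
    if (!isAllowedUrl(uri)) return false
    webView.loadUrl(uri.toString())
    return true
}
```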

3. Protect Storage and Files

  • NEVER expose file:// URIs. Use FileProvider to generate content:// URIs with temporary permissions.
  • Use EncryptedSharedPreferences for auth tokens and PII. Never use MODE_WORLD_READABLE.
  • Use NetworkSecurityConfig to disable cleartextTrafficPermitted and implement certificate pinning.

Anti-Patterns

  • No Implicit Intents Internally: Use explicit intents with the component class name.
  • No MODE_WORLD_READABLE: Never use for SharedPreferences or files.


┌ stats

installs/wk: 0
github stars: 452
first seen: Mar 17, 2026
└────────────

┌ repo

HoangNguyen0403/agent-skills-standard
by HoangNguyen0403
└────────────
