> common-llm-security
OWASP LLM Top 10 (2025) audit checklist for AI applications, agent tools, RAG pipelines, and prompt construction. Load during any security review touching LLM client code, prompt templates, agent tools, or vector stores. (triggers: LLM security, prompt injection, agent security, RAG security, AI security, openai, anthropic, langchain, LLM review)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/common-llm-security?format=md"OWASP LLM Top 10 Security Checklist (2025)
Priority: P0 (CRITICAL)
Implementation Guidelines
- Check LLM01 first: Prompt injection is the #1 LLM finding — any user input concatenated directly into a prompt string is an immediate P0.
- Check LLM06 next: Agent tools with write/delete/execute capabilities without confirmation are P0.
- Mark each item: ✅ not affected | ⚠️ needs review | 🔴 confirmed finding.
- P0 finding caps Security score at 40/100 — do not skip any item.
- See references/owasp-llm.md for full detection signals.
OWASP LLM Top 10 (2025)
| ID | Risk | Key Detection Signal |
|---|---|---|
| LLM01 | Prompt Injection | User input string-concatenated into prompt. Retrieved docs inserted into system turn. |
| LLM02 | Sensitive Information Disclosure | PII or credentials passed into prompt context. LLM response logged without redaction. |
| LLM03 | Supply Chain | Unverified model weights or plugins. Third-party agent added without trust review. |
| LLM04 | Data & Model Poisoning | User-controlled data written to training sets or embedding stores without validation. |
| LLM05 | Improper Output Handling | LLM output used directly in DOM sink, SQL query, shell command, or redirect URL. |
| LLM06 | Excessive Agency | Agent tool with write/delete/network access — no human-in-the-loop confirmation. |
| LLM07 | System Prompt Leakage | System prompt content returned via tool output, error message, or API response. |
| LLM08 | Vector & Embedding Weaknesses | User text injected into vector store without sanitization. No tenant namespace isolation. |
| LLM09 | Misinformation | LLM output used for critical decisions (medical, financial, legal) without verification. |
| LLM10 | Unbounded Consumption | No max_tokens on LLM call. No rate limit on invocations. Agent loop without depth cap. |
Anti-Patterns
- No prompt concat: Pass user input as a separate
userturn, never interpolated into system prompts. - No raw LLM output in sinks: Sanitize LLM responses before writing to DOM, queries, or shell.
- No uncapped agent loops: Every agentic recursion must enforce a max iteration/depth limit.
References
- OWASP LLM — Full Detection Signals — load when auditing any LLM client code
> related_skills --same-repo
> common-store-changelog
Generate user-facing release notes for the Apple App Store and Google Play Store by collecting git history, triaging user-impacting changes, and drafting store-compliant changelogs. Enforces character limits (App Store ≤4000, Google Play ≤500), tone, and bullet format. Use when generating release notes, app store changelog, play store release, what's new, or version release notes for any mobile app. (triggers: generate changelog, app store notes, play store release, what's new, release notes, ve
> golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
> common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
> common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Load during any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)