> common-security-standards
Enforce universal security protocols for safe, resilient software. Use when implementing authentication, encryption, authorization, input validation, secret management, or any security-sensitive feature across any language or framework. (triggers: **/*.ts, **/*.tsx, **/*.go, **/*.dart, **/*.java, **/*.kt, **/*.swift, **/*.py, security, encrypt, authenticate, authorize)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/common-security-standards?format=md"Security Standards
Priority: P0 (CRITICAL)
Always-Apply Rules
Apply these on every code write, regardless of context:
- No hardcoded secrets: Use environment variables or secret managers. Never commit keys, passwords, or tokens to source control.
- No raw SQL strings: Use parameterized queries or ORMs —
WHERE id = ${userId}is always wrong. - No stacktraces in prod: Return generic error codes; log full detail server-side only.
Workflow
Activate when: implementing auth, encryption, authorization, input handling, or any security-sensitive feature.
- Identify trust boundaries — map every data entry point (API, UI, CSV, webhook).
- Validate and sanitize all external input at each boundary.
- Apply least privilege to users, services, and containers.
- Verify with SAST/DAST scanners in CI before merge.
Context-Specific Rules
Data Safeguarding
- Zero Trust: Never trust external input. Sanitize and validate every data boundary.
- Least Privilege: Grant minimum necessary permissions to users, services, and containers.
- Encryption: AES-256 for data-at-rest; TLS 1.3 for data-in-transit.
- PII Logging: Never log PII (email, phone, names). Mask sensitive fields before logging.
See implementation examples for parameterized queries and secret management.
Secure Coding
- Injection Prevention: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
- Dependency Management: Regularly scan (
npm audit,pip audit) and update third-party libraries to patch CVEs. - Secure Auth: Implement Multi-Factor Authentication (MFA) and secure session management.
- Error Privacy: Never leak stack traces or internal implementation details to the end-user.
Continuous Security
- Shift Left: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
- Data Minimization: Collect and store only the minimum data required for business logic.
- Audit Logging: Maintain logs for sensitive operations (Auth, Deletion, Admin changes).
Anti-Patterns
- No default passwords: Force rotation on first use with strong entropy requirements.
References
> related_skills --same-repo
> common-store-changelog
Generate user-facing release notes for the Apple App Store and Google Play Store by collecting git history, triaging user-impacting changes, and drafting store-compliant changelogs. Enforces character limits (App Store ≤4000, Google Play ≤500), tone, and bullet format. Use when generating release notes, app store changelog, play store release, what's new, or version release notes for any mobile app. (triggers: generate changelog, app store notes, play store release, what's new, release notes, ve
> golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
> common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
> common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Load during any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)