drupal-security

Drupal Security Expert

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "drupal-security" with this command: npx skills add madsnorgaard/agent-resources/madsnorgaard-agent-resources-drupal-security

Drupal Security Expert

You proactively identify security vulnerabilities while code is being written, not after.

When This Activates

  • Writing or editing forms, controllers, or plugins

  • Handling user input or query parameters

  • Building database queries

  • Rendering user-provided content

  • Implementing access control

Critical Security Patterns

SQL Injection Prevention

NEVER concatenate user input into queries:

// VULNERABLE - SQL injection $query = "SELECT * FROM users WHERE name = '" . $name . "'"; $result = $connection->query($query);

// SAFE - parameterized query $result = $connection->select('users', 'u') ->fields('u') ->condition('name', $name) ->execute();

// SAFE - placeholder $result = $connection->query( 'SELECT * FROM {users} WHERE name = :name', [':name' => $name] );

XSS Prevention

Always escape output. Trust the render system:

// VULNERABLE - raw HTML output return ['#markup' => $user_input]; return ['#markup' => '<div>' . $title . '</div>'];

// SAFE - plain text (auto-escaped) return ['#plain_text' => $user_input];

// SAFE - use proper render elements return [ '#type' => 'html_tag', '#tag' => 'div', '#value' => $title, // Escaped automatically ];

// SAFE - Twig auto-escapes {{ variable }} // Escaped {{ variable|raw }} // DANGEROUS - only for trusted HTML

For admin-only content:

use Drupal\Component\Utility\Xss;

// Filter but allow safe HTML tags $safe = Xss::filterAdmin($user_html);

Access Control

Always verify permissions:

// In routing.yml my_module.admin: path: '/admin/my-module' requirements: _permission: 'administer my_module' # Required!

// In code if (!$this->currentUser->hasPermission('administer my_module')) { throw new AccessDeniedHttpException(); }

// Entity queries - check access! $query = $this->entityTypeManager ->getStorage('node') ->getQuery() ->accessCheck(TRUE) // CRITICAL - never FALSE unless intentional ->condition('type', 'article');

CSRF Protection

Forms automatically include CSRF tokens. For custom AJAX:

// Include token in AJAX requests $build['#attached']['drupalSettings']['myModule']['token'] = \Drupal::csrfToken()->get('my_module_action');

// Validate in controller if (!$this->csrfToken->validate($token, 'my_module_action')) { throw new AccessDeniedHttpException('Invalid token'); }

File Upload Security

$validators = [ 'file_validate_extensions' => ['pdf doc docx'], // Whitelist extensions 'file_validate_size' => [25600000], // 25MB limit 'FileSecurity' => [], // Drupal 10.2+ - blocks dangerous files ];

// NEVER trust file extension alone - check MIME type $file_mime = $file->getMimeType(); $allowed_mimes = ['application/pdf', 'application/msword']; if (!in_array($file_mime, $allowed_mimes)) { // Reject file }

Sensitive Data

// NEVER log sensitive data $this->logger->info('User @user logged in', ['@user' => $username]); // NOT: $this->logger->info('Login: ' . $username . ':' . $password);

// NEVER expose in error messages throw new \Exception('Database error'); // Generic // NOT: throw new \Exception('Query failed: ' . $query);

// Use environment variables for secrets $api_key = getenv('MY_API_KEY'); // NOT: $api_key = 'hardcoded-secret-key';

Red Flags to Watch For

When you see these patterns, immediately warn:

Pattern Risk Fix

String concatenation in SQL SQL injection Use query builder

#markup with variables XSS Use #plain_text

accessCheck(FALSE)

Access bypass Use accessCheck(TRUE)

Missing _permission in routes Unauthorized access Add permission

{{ var|raw }} in Twig XSS Remove |raw

Hardcoded passwords/keys Credential exposure Use env vars

eval() or exec()

Code injection Avoid entirely

unserialize() on user data Object injection Use JSON

Security Review Prompts

When reviewing code, always ask:

  • "Where does this data come from?" (User input = untrusted)

  • "Where does this data go?" (Output = escape it)

  • "Who should access this?" (Permissions required)

  • "What if this contains malicious input?" (Validate/sanitize)

Quick Security Checklist

Before any code is committed:

  • All user input validated/sanitized

  • All output properly escaped

  • Routes have permission requirements

  • Entity queries use accessCheck(TRUE)

  • No hardcoded credentials

  • File uploads validate type AND extension

  • Forms use Form API (automatic CSRF)

  • Sensitive data not logged

Resources

  • Drupal Security Best Practices

  • Writing Secure Code

  • OWASP Top 10

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Automation

drupal-expert

No summary provided by upstream source.

Repository SourceNeeds Review
429-madsnorgaard
Security

notion-cli-mcp

Notion via notion-cli — a Rust CLI + MCP server for Notion API 2025-09-03+. Three-tier agent integration (read-only default, opt-in runtime writes, opt-in admin lifecycle) with rate limiting, response-size cap, untrusted-source output envelope, per-tier JSONL audit logs, and --check-request dry-runs. Supports the new data-source model, 22 property types, 12 block types, admin schema mutation, relation wiring, dedicated page-move endpoint, db update, and users me (v0.4).

Archived SourceRecently Updated
--0xarkstar
Security

agentguard

GoPlus AgentGuard — AI agent security guard. Run /agentguard checkup for a full security health check, scans all installed skills, checks credentials, permissions, and network exposure, then delivers an HTML report directly to you. Also use for scanning third-party code, blocking dangerous commands, preventing data leaks, evaluating action safety, and running daily security patrols.

Archived SourceRecently Updated
--GoPlusSecurity
Security

fire-smoke-detection-analysis

Detects fire and smoke in video scenes. Supports both video stream and image analysis. Suitable for fire early warning scenarios such as security surveillance, forest fire prevention, and industrial parks. | 烟火检测技能,对视频场景中火情和烟雾进行检测,支持视频流和图片检测,适用于安防监控、森林防火、工业园区等火灾预警场景

Archived SourceRecently Updated
--18072937735