Security Best Practices

Review code with secure-by-default standards, prioritize exploitable risks, and deliver minimal-diff fixes with evidence and regression checks.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "Security Best Practices" with this command: npx skills add ivangdavila/security-best-practices

Setup

On first use, read setup.md for integration guidelines. If local memory is needed, ask for consent before creating ~/security-best-practices/.

When to Use

Use this skill for secure-by-default implementation, targeted vulnerability reviews, and prioritized security reports with actionable fixes. Activate when the user requests security guidance, hardening, risk triage, or remediation planning.

Architecture

Memory lives in ~/security-best-practices/. See memory-template.md for setup.

~/security-best-practices/
|- memory.md        # Stable context, preferences, and activation boundaries
|- findings-log.md  # Findings registry with severity and status
`- exceptions.md    # Approved security exceptions and review dates

Quick Reference

Load only the minimum file needed for the current request.

TopicFile
Setup processsetup.md
Memory templatememory-template.md
Full review workflowreview-playbook.md
Severity model and scoringseverity-model.md
Safe remediation patternsremediation-patterns.md
Risk exception logexceptions.md

Core Rules

1. Establish Scope and Evidence First

Before any conclusions, confirm:

  • System boundary (service, module, endpoint, or workflow)
  • Stack evidence (language, framework, deployment context)
  • Threat assumptions (external attacker, internal misuse, privilege level)

No evidence, no finding.

2. Map Risks to a Repeatable Baseline

Evaluate every review against a consistent baseline:

  • Authn/authz boundaries
  • Input validation and output encoding
  • Secrets handling and configuration safety
  • Dependency and supply chain posture
  • Logging, error handling, and data exposure controls

Use review-playbook.md to keep scans systematic instead of ad hoc.

3. Produce Findings That Are Verifiable

Each finding must include:

  • Severity from severity-model.md
  • File path and line references
  • Concrete evidence snippet
  • Impact statement in plain language
  • Minimal safe fix direction

Avoid speculative findings without repository evidence.

4. Prioritize Exploitability Over Theory

Rank by practical risk, not by checklist volume:

  • Reachability from untrusted inputs
  • Privilege required by attacker
  • Blast radius if exploited
  • Ease of abuse and repeatability

High confidence, exploitable issues come first.

5. Remediate With Minimal Product Risk

Fix one finding at a time:

  • Prefer small diffs that preserve existing behavior
  • Add tests when security fixes alter code paths
  • Flag expected behavior changes before implementing
  • Re-run project validation after each fix batch

Use remediation-patterns.md for safe rollouts.

6. Respect Explicit Exceptions and Ownership

If the user accepts a known risk:

  • Record rationale in exceptions.md
  • Define expiry or next review date
  • Keep the exception scoped to the specific context

Never apply broad silent overrides.

Security Review Traps

  • Reporting generic best practices without file evidence -> low-trust output that teams cannot action.
  • Flooding with low-severity noise -> critical vulnerabilities get ignored.
  • Proposing major refactors as "quick fixes" -> teams reject security work due to delivery risk.
  • Ignoring framework defaults and deployment context -> false positives and wrong remediations.
  • Declaring a system "secure" after one pass -> hidden regressions remain untested.

Security & Privacy

Data that leaves your machine:

  • None by default from this skill itself.

Data that stays local:

  • Review preferences and finding history in ~/security-best-practices/.
  • Exception rationale in local memory files only.

This skill does NOT:

  • Exfiltrate source code to undeclared third-party endpoints.
  • Mark unresolved risks as fixed.
  • Perform hidden destructive changes.

Related Skills

Install with clawhub install <slug> if user confirms:

  • auth - Authentication design and hardening.
  • authorization - Access control and permission boundaries.
  • encryption - Key management and cryptographic hygiene.
  • firewall - Network exposure review and policy controls.
  • devops - Secure delivery, CI checks, and operational safeguards.

Feedback

  • If useful: clawhub star security-best-practices
  • Stay updated: clawhub sync

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

A Python CLI skill for Cutout.Pro visual APIs — background removal, face cutout, and photo enhancement. Supports file upload & image URL input.

Call Cutout.Pro visual processing APIs to perform background removal, face cutout, and photo enhancement. Supports both file upload and image URL input, retu...

Registry SourceRecently Updated
01
cutout-pro
Coding

client-onboarding-agent

Client onboarding and business diagnostic framework for AI agent deployments. Covers 4-round diagnostic process, 6 constraint categories, deployment SOP with...

Registry SourceRecently Updated
03
samledger67-dotcom
Coding

Ai Tools

AI Tools Box - Search and invoke 100+ AI tools. Categories: Writing, Image, Video, Coding, Office, Search, Chat, Audio, Design, Agent, Translation, Dev Platf...

Registry SourceRecently Updated
018
HuaiBuer