DiscordSign up
SKILLS.SH

secure-code-guardian

Custom security implementations for authentication, authorization, input validation, and OWASP Top 10 vulnerability prevention. Covers password hashing (bcrypt/argon2), parameterized SQL queries, JWT validation, and rate limiting with explicit code examples Includes validation checkpoints for authentication (brute-force, session fixation, token expiration), authorization (privilege escalation), input handling (SQL injection, XSS), and security headers Enforces must-do constraints: hashed passwords, parameterized queries, input sanitization, security headers (CSP, HSTS), and environment-based secret storage Provides reference guides for OWASP patterns, authentication flows, input validation with Zod, XSS/CSRF prevention, and Helmet configuration

INSTALLATION
npx skills add https://github.com/jeffallan/claude-skills --skill secure-code-guardian
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$2c

Reference Guide

Load detailed guidance based on context:

Topic

Reference

Load When

OWASP

references/owasp-prevention.md

OWASP Top 10 patterns

Authentication

references/authentication.md

Password hashing, JWT

Input Validation

references/input-validation.md

Zod, SQL injection

XSS/CSRF

references/xss-csrf.md

XSS prevention, CSRF

Headers

references/security-headers.md

Helmet, rate limiting

Constraints

MUST DO

  • Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
  • Use parameterized queries (never string-interpolated SQL)
  • Validate and sanitize all user input before use
  • Implement rate limiting on auth endpoints
  • Set security headers (CSP, HSTS, X-Frame-Options)
  • Log security events (failed auth, privilege escalation attempts)
  • Store secrets in environment variables or secret managers (never in source code)

MUST NOT DO

  • Store passwords in plaintext or reversibly encrypted form
  • Trust user input without validation
  • Expose sensitive data in logs or error responses
  • Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)
  • Hardcode secrets or credentials in code

Code Examples

Password Hashing (bcrypt)

import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance

export async function hashPassword(plaintext: string): Promise<string> {

  return bcrypt.hash(plaintext, SALT_ROUNDS);

}

export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {

  return bcrypt.compare(plaintext, hash);

}

Parameterized SQL Query (Node.js / pg)

// NEVER: `SELECT * FROM users WHERE email = '${email}'`

// ALWAYS: use positional parameters

import { Pool } from 'pg';

const pool = new Pool();

export async function getUserByEmail(email: string) {

  const { rows } = await pool.query(

    'SELECT id, email, role FROM users WHERE email = $1',

    [email]  // value passed separately — never interpolated

  );

  return rows[0] ?? null;

}

Input Validation with Zod

import { z } from 'zod';

const LoginSchema = z.object({

  email: z.string().email().max(254),

  password: z.string().min(8).max(128),

});

export function validateLoginInput(raw: unknown) {

  const result = LoginSchema.safeParse(raw);

  if (!result.success) {

    // Return generic error — never echo raw input back

    throw new Error('Invalid credentials format');

  }

  return result.data;

}

JWT Validation

import jwt from 'jsonwebtoken';

const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode

export function verifyToken(token: string): jwt.JwtPayload {

  // Throws if expired, tampered, or wrong algorithm

  const payload = jwt.verify(token, JWT_SECRET, {

    algorithms: ['HS256'],   // explicitly allowlist algorithm

    issuer: 'your-app',

    audience: 'your-app',

  });

  if (typeof payload === 'string') throw new Error('Invalid token payload');

  return payload;

}

Securing an Endpoint — Full Flow

import express from 'express';

import rateLimit from 'express-rate-limit';

import helmet from 'helmet';

const app = express();

app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.

app.use(express.json({ limit: '10kb' })); // limit payload size

const authLimiter = rateLimit({

  windowMs: 15 * 60 * 1000, // 15 minutes

  max: 10,                   // 10 attempts per window per IP

  standardHeaders: true,

  legacyHeaders: false,

});

app.post('/api/login', authLimiter, async (req, res) => {

  // 1. Validate input

  const { email, password } = validateLoginInput(req.body);

  // 2. Authenticate — parameterized query, constant-time compare

  const user = await getUserByEmail(email);

  if (!user || !(await verifyPassword(password, user.passwordHash))) {

    // Generic message — do not reveal whether email exists

    return res.status(401).json({ error: 'Invalid credentials' });

  }

  // 3. Authorize — issue scoped, short-lived token

  const token = jwt.sign(

    { sub: user.id, role: user.role },

    JWT_SECRET,

    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }

  );

  // 4. Secure response — token in httpOnly cookie, not body

  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });

  return res.json({ message: 'Authenticated' });

});

Output Templates

When implementing security features, provide:

  • Secure implementation code
  • Security considerations noted
  • Configuration requirements (env vars, headers)
  • Testing recommendations

Knowledge Reference

OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

Documentation

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card