← ClaudeAtlas

security-reviewlisted

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
arabicapp/everything-claude-code · ★ 38 · AI & Automation · score 83
Install: claude install-skill arabicapp/everything-claude-code
# Security Review Skill This skill ensures all code follows security best practices and identifies potential vulnerabilities. ## When to Activate - Implementing authentication or authorization - Handling user input or file uploads - Creating new API endpoints - Working with secrets or credentials - Implementing payment features - Storing or transmitting sensitive data - Integrating third-party APIs ## Security Checklist ### 1. Secrets Management #### ❌ NEVER Do This ```typescript const apiKey = "sk-proj-xxxxx" // Hardcoded secret const dbPassword = "password123" // In source code ``` #### ✅ ALWAYS Do This ```typescript const apiKey = process.env.OPENAI_API_KEY const dbUrl = process.env.DATABASE_URL // Verify secrets exist if (!apiKey) { throw new Error('OPENAI_API_KEY not configured') } ``` #### Verification Steps - [ ] No hardcoded API keys, tokens, or passwords - [ ] All secrets in environment variables - [ ] `.env.local` in .gitignore - [ ] No secrets in git history - [ ] Production secrets in hosting platform (Vercel, Railway) ### 2. Input Validation #### Always Validate User Input ```typescript import { z } from 'zod' // Define validation schema const CreateUserSchema = z.object({ email: z.string().email(), name: z.string().min(1).max(100), age: z.number().int().min(0).max(150) }) // Validate before processing export async function createUser(input: unknown) { try { const validated = CreateUserSchema.parse(input) return await db.users.crea