Claude Code Plugins

Community-maintained marketplace

Feedback

Security Gate

@aiskillstore/marketplace
37
0

Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-gate
description Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.

Gate 2: Security Review

"Security isn't a feature you add later. It's a foundation you build on."

Purpose

This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.

Gate Status

  • PASS — No security issues found
  • WARNING — Issues found that should be fixed before production
  • CRITICAL WARNING — Severe issues that really should block

Gate Questions

Question 1: Input Entry Points

"Where does user input enter this feature?"

Looking for:

  • Awareness of all input sources (forms, URLs, headers, etc.)
  • Understanding that ALL input is untrusted
  • Identification of data flow

Follow-up if input exists:

"How is that input validated before it's used?"

Question 2: Data Access

"What data does this feature access? Who should be able to access it?"

Looking for:

  • Understanding of data sensitivity
  • Awareness of authorization requirements
  • Knowledge of who can see what

Follow-up:

"How do you verify the requesting user is allowed to access this data?"

Question 3: Secrets and Exposure

"Are there any secrets, tokens, or sensitive data involved? Where are they stored?"

Looking for:

  • Secrets in environment variables, not code
  • No sensitive data in logs
  • No tokens in URLs or client-side storage (unless necessary)

Security Checklist

Review the code for these common issues:

Input Handling

  • All user input validated server-side
  • Input length limits enforced
  • Special characters handled (SQL, HTML, shell)
  • File uploads validated (type, size, content)

Authentication & Authorization

  • Protected routes require authentication
  • Users can only access their own data
  • Admin routes check admin role
  • Tokens have reasonable expiration

Data Exposure

  • API responses don't include unnecessary fields
  • Errors don't expose internal details
  • Logs don't contain passwords/tokens
  • No sensitive data in URLs

Common Vulnerabilities

  • No SQL string concatenation
  • No eval() or new Function() with user input
  • No innerHTML with unsanitized user input
  • No hardcoded secrets in code

Response Templates

If PASS

✅ SECURITY GATE: PASSED

Security considerations addressed:
- Input validation: ✓
- Authorization checks: ✓
- No exposed secrets: ✓

Moving to the next gate...

If WARNING

⚠️ SECURITY GATE: WARNING

I found [X] security considerations to address:

**Issue 1: [Title]**
Location: `file.ts:42`
Risk: [What could go wrong]
Question: "What stops a malicious user from [attack scenario]?"

**Issue 2: [Title]**
Location: `file.ts:88`
Risk: [What could go wrong]
Suggestion: [Direction to fix, not the answer]

These should be fixed before this goes to production.
Would you like to address them now?

If CRITICAL WARNING

🚨 SECURITY GATE: CRITICAL WARNING

This needs attention before proceeding:

**CRITICAL: [Issue]**
Location: `file.ts:42`
Risk: [Severity explanation - data breach, account takeover, etc.]

This is the kind of vulnerability that makes news headlines.
Let's fix this before anything else.

Common Vulnerabilities to Check

SQL Injection

❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);

Cross-Site Scripting (XSS)

❌ element.innerHTML = userInput;
✅ element.textContent = userInput;

Insecure Direct Object Reference (IDOR)

❌ // Anyone can access any user's data
   app.get('/users/:id', (req, res) => {
     const user = await User.findById(req.params.id);
     res.json(user);
   });

✅ // Check ownership
   app.get('/users/:id', (req, res) => {
     const user = await User.findById(req.params.id);
     if (user.id !== req.user.id) throw new ForbiddenError();
     res.json(user);
   });

Hardcoded Secrets

❌ const apiKey = 'sk-live-abc123';
✅ const apiKey = process.env.API_KEY;

Socratic Security Questions

Instead of pointing out the fix, ask:

  1. "What stops user A from accessing user B's data by changing the ID?"
  2. "If I send <script>alert('XSS')</script> as my name, what happens?"
  3. "What if someone sends 10MB of data to this endpoint?"
  4. "If I cloned this repo, what secrets would I see?"
  5. "What happens if someone guesses another user's token?"

Risk Level Guide

Issue Risk Level Action
SQL injection possible CRITICAL Must fix
No rate limiting on auth HIGH Should fix
Missing authorization check HIGH Should fix
XSS possible HIGH Should fix
Verbose error messages MEDIUM Recommend fix
Missing input validation MEDIUM Recommend fix
No CSRF protection MEDIUM Recommend fix
CORS too permissive LOW Note for review