Claude Code Plugins

Community-maintained marketplace

security-checklist

@sids/airbot

Security review guardrails for AIRBot

Install Skill

1. Download skill

2. Enable skills in Claude

   Open claude.ai/settings/capabilities and find the "Skills" section

3. Upload to Claude

   Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name: security-checklist
description: Security review guardrails for AIRBot
license: MIT

Mission

  • Detect vulnerabilities, data leaks, and insecure defaults in Node.js/TypeScript services and tooling.
  • Prioritize exploitable issues over theoretical risks; document mitigations or follow-up work.

High-Priority Findings

  • Exposed secrets: .env, tokens, keys, or credentials added to source or logs.
  • Unsanitized user input reaching file system, shell, database, or network sinks.
  • Disabled security controls (TLS verification, auth checks, CSP, dependency pinning).
  • Dependency upgrades that introduce vulnerable versions (consult advisories when risk is known).

Review Checklist

  • Validate input handling: ensure schema validation, Zod parsing, or equivalent guards exist before dangerous operations.
  • Inspect file and shell access: confirm paths resolve within the repo, and avoid exec/spawn unless the input is sanitized and the call is justified.
  • Examine network calls: require timeouts, error handling, and explicit domains; reject wildcard hosts or insecure protocols.
  • Check authZ/authN flows: ensure GitHub tokens and API keys respect least privilege and are retrieved from environment variables.
  • Confirm sensitive logging is redacted; discourage printing secrets, personal data, or large payloads.
  • Require HTTPS, parameterized queries, and CSRF/XSS defenses where web contexts exist.
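
An added example (not part of the skill's own SKILL.md) of the guard the "Examine network calls" item asks a reviewer to look for in front of fetch(: HTTPS only, an exact-match host allowlist, a timeout, and no silent redirects. The allowlisted host, the function names and the 5-second default timeout are assumptions.

```javascript
// Added example: allowlist guard in front of fetch(). The host below is an assumption.
const ALLOWED_HOSTS = new Set(['api.github.com']); // explicit names only, no wildcards

// Returns a parsed URL if the target is acceptable, otherwise throws.
function assertAllowedUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('rejected: not an absolute URL');
  }
  if (url.protocol !== 'https:') throw new Error('rejected: insecure protocol');
  if (url.username || url.password) throw new Error('rejected: credentials in URL');
  // Compare the parsed hostname exactly. startsWith/includes checks on the raw
  // string accept "api.github.com.evil.example" and "api.github.com@evil.example".
  if (!allowedHosts.has(url.hostname)) throw new Error('rejected: host not allowlisted');
  return url;
}

// Non-throwing form for review scripts: returns { ok, reason }.
function checkUrl(raw, allowedHosts) {
  try {
    assertAllowedUrl(raw, allowedHosts);
    return { ok: true, reason: null };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// fetch wrapper: validated target, bounded time, redirects treated as errors
// so a response cannot bounce the request to a host outside the allowlist.
async function safeFetch(raw, { timeoutMs = 5000, ...init } = {}) {
  const url = assertAllowedUrl(raw);
  const res = await fetch(url, {
    ...init,
    redirect: 'error',
    signal: AbortSignal.timeout(timeoutMs),
  });
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  return res;
}
```
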

Defense-in-Depth

  • Recommend using built-in Node APIs over shelling out to system commands.
  • Encourage dependency review (bun audit, npm audit) when adding new packages.
  • Promote feature flags or kill switches for risky rollouts.

Tooling Tips

  • Use Glob to locate *.env, config, or scripts directories.
  • Grep for dangerous APIs like child_process, eval, Function, fetch(, or axios( without validation.
  • Read diffs around auth flows, credential handling, and new integration points.