From cc-best
Conducts security reviews using checklists and patterns for authentication, user input, secrets, API endpoints, SQL injection, XSS/CSRF, and rate limiting.
Slash command: `/cc-best:security`
> Related agents: `security-reviewer` (primary security reviewer), `code-reviewer` (security dimension of code review)

This skill ensures that all code follows security best practices and identifies potential vulnerabilities.
| Category | Core rule | Checks |
|---|---|---|
| Secrets management | Environment variables, never hard-coded | `.env.local` in `.gitignore`; no secrets in Git history |
| Input validation | Schema validation (zod/pydantic), allowlists | File upload limits (size/type/extension) |
| SQL injection | Parameterized queries, no string-concatenated SQL | ORM used correctly |
| Authentication and authorization | httpOnly cookies, RBAC | Tokens not stored in localStorage |
| XSS | DOMPurify sanitization, CSP headers | No unvalidated dynamic rendering |
| CSRF | CSRF tokens, SameSite=Strict | State-changing operations are protected |
| Rate limiting | Every API endpoint is rate-limited | Stricter limits on expensive operations |
| Sensitive data | Log redaction, generic error messages | Stack traces not exposed |
| Dependencies | `npm audit` clean, lockfile committed | Dependabot enabled |
| Command injection | `execFile` instead of `exec`, `shell=False` | Never concatenate user input into commands |
| Path traversal | Filter with `os.path.basename` | Never concatenate user input into paths |
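The upload, path-traversal and log-redaction rows of the checklist, worked through in Python as an added example that is not part of the cc-best skill files. `UPLOAD_ROOT`, the extension allowlist, the size limit and the secret-matching pattern are assumptions chosen for the example; the containment check on the resolved path goes one step beyond the table's `os.path.basename` rule as defence in depth.

```python
import os
import re
from pathlib import Path

# Assumed settings for this example (not from the skill's own files).
UPLOAD_ROOT = Path("/srv/uploads").resolve()
ALLOWED_EXT = {".png", ".jpg", ".pdf"}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(user_filename: str, size: int) -> Path:
    """Return the path an upload may be written to, or raise ValueError."""
    if size <= 0 or size > MAX_BYTES:
        raise ValueError("size out of range")
    # Normalise backslashes first: on POSIX, os.path.basename only splits on '/',
    # so a client-supplied "..\\..\\x.png" would otherwise survive intact.
    name = os.path.basename(user_filename.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError("invalid filename")
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    target = (UPLOAD_ROOT / name).resolve()
    # Defence in depth: the resolved path must sit directly under the root.
    if target.parent != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target


def is_safe_upload(user_filename: str, size: int) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(user_filename, size)
        return True
    except ValueError:
        return False


# Sensitive-data rule: mask secret-looking key=value pairs before a line is logged.
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|token|password|secret)=([^&\s]+)")


def redact(line: str) -> str:
    """Replace the value of any secret-looking key=value pair with '***'."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=***", line)
```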
| File | Contents |
|---|---|
| owasp-patterns.md | Detailed OWASP Top 10 defensive patterns with code examples |
| verify-checklist.md | Security test examples and a pre-deployment security checklist |
| cloud-security.md | IAM, secrets management, CI/CD, network security |
| config-audit.md | Configuration audit checklist |

Remember: security is not optional. A single vulnerability can compromise the entire platform. When in doubt, choose the safer option.
Install: `npx claudepluginhub xiaobei930/cc-best --plugin cc-best`