Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.
97
100%
Does it follow best practices?
Impact
95%
1.30x average score across 6 eval scenarios
Passed
No known issues
JWT authentication with password security

| Check | Score 1 | Score 2 |
|---|---|---|
| bcrypt library used | 100% | 100% |
| Salt rounds = 12 | 100% | 100% |
| Password min length 12 | 0% | 100% |
| Password complexity | 100% | 100% |
| Access token expiry 15m | 100% | 100% |
| Refresh token expiry 7d | 100% | 100% |
| JWT payload type claim | 0% | 100% |
| Auth middleware type check | 0% | 100% |
| Account lockout threshold | 100% | 100% |
| Lockout duration 15min | 100% | 100% |
| Secrets from env vars | 62% | 100% |
| Security event logging | 0% | 100% |
| No sensitive data in errors | 100% | 100% |
Express security middleware configuration

| Check | Score 1 | Score 2 |
|---|---|---|
| Helmet middleware used | 100% | 100% |
| CSP defaultSrc self | 100% | 100% |
| HSTS maxAge 31536000 | 100% | 100% |
| HSTS includeSubDomains | 100% | 100% |
| Auth rate limit max 5 | 0% | 0% |
| Auth rate limit window 15min | 100% | 100% |
| skipSuccessfulRequests true | 0% | 100% |
| API rate limit max 100 | 100% | 100% |
| standardHeaders true | 100% | 100% |
| legacyHeaders false | 100% | 100% |
| CORS credentials true | 100% | 100% |
| CORS maxAge 86400 | 0% | 100% |
| Cookie sameSite strict | 100% | 100% |
| Cookie httpOnly secure | 100% | 100% |
Input validation and injection prevention

| Check | Score 1 | Score 2 |
|---|---|---|
| Zod library used | 0% | 100% |
| Email max length 255 | 0% | 100% |
| Name field constraints | 28% | 100% |
| Parameterized queries | 100% | 100% |
| path.basename sanitization | 0% | 100% |
| path.resolve boundary check | 70% | 100% |
| execFile not exec | 100% | 100% |
| URL protocol check | 100% | 100% |
| URL host allowlist | 100% | 100% |
| File type allowlist | 100% | 100% |
| File size limit | 100% | 100% |
| Magic bytes verification | 100% | 100% |
XSS prevention and CSRF protection

| Check | Score 1 | Score 2 |
|---|---|---|
| DOMPurify imported | 0% | 20% |
| DOMPurify ALLOWED_TAGS | 0% | 40% |
| CSRF middleware used | 100% | 100% |
| CSRF token in form/header | 100% | 100% |
| Cookie SameSite strict | 100% | 100% |
| Cookie httpOnly and secure | 62% | 75% |
| Helmet CSP defaultSrc self | 100% | 100% |
| Helmet CSP scriptSrc self | 100% | 100% |
| No innerHTML with raw user content | 100% | 100% |
| Payload size limit | 44% | 100% |
| Security event logging | 0% | 22% |
Role-based access control and privilege escalation prevention

| Check | Score 1 | Score 2 |
|---|---|---|
| requireRole middleware | 100% | 100% |
| Server-side ownership check | 100% | 100% |
| 403 for unauthorized access | 100% | 100% |
| Vertical escalation blocked | 100% | 100% |
| Horizontal escalation blocked | 100% | 100% |
| Privilege escalation logged | 100% | 100% |
| Failed auth events logged | 100% | 100% |
| JWT algorithm allowlisted | 0% | 100% |
| Secrets from env vars | 62% | 100% |
| Generic auth error messages | 100% | 100% |
Sensitive data encryption and secure implementation documentation

| Check | Score 1 | Score 2 |
|---|---|---|
| AES-256-GCM used | 100% | 100% |
| Random IV per encryption | 90% | 100% |
| No weak algorithms | 100% | 100% |
| Encryption key from env | 100% | 100% |
| HTTPS redirect middleware | 70% | 100% |
| Security considerations documented | 100% | 100% |
| Config requirements documented | 100% | 100% |
| Testing recommendations documented | 100% | 100% |
| No sensitive data in errors | 87% | 100% |
| Security event logging | 12% | 100% |
| Helmet security headers | 0% | 100% |
5b76101