#601

Globales Ranking · von 601 Skills

application-security AI Agent Skill

Quellcode ansehen: oakoss/agent-skills

Safe

Installation

npx skills add oakoss/agent-skills --skill application-security

53

Installationen

Security

Security is built-in, not bolted-on. Every feature, endpoint, and data flow must consider security implications.

OWASP Top 10 (2025)

# Vulnerability Prevention
1 Broken Access Control Verify permissions server-side, default deny
2 Security Misconfiguration Secure defaults, remove unused features
3 Software Supply Chain Failures SBOM, dependency scanning, signed builds
4 Cryptographic Failures Use TLS, hash passwords (argon2id), encrypt PII
5 Injection Parameterized queries, input validation
6 Insecure Design Threat modeling, security requirements
7 Authentication Failures Strong passwords, MFA, secure session mgmt
8 Software or Data Integrity Verify dependencies, sign releases
9 Logging and Alerting Failures Log security events, set up alerts
10 Mishandling Exceptional Conditions Fail securely, generic errors to clients

Security Principles

Principle Rule
Defense in Depth Multiple layers: firewall, auth, authz, encryption, audit
Least Privilege Minimum permissions needed, nothing more
Zero Trust Never trust, always verify. Assume breach.
Secure by Default HTTPS, strict passwords, secure cookies out of the box
Fail Securely Access denied on error, no internal details to users
Validate on Server Client validation is UX, server validation is security

Pre-Deployment Checklist

Area Requirements
Passwords Hashed with argon2id (preferred) or bcrypt (12+ rounds)
Tokens JWT with EdDSA/ES256, 15min access / 7d refresh, httpOnly cookies
Sessions HttpOnly, Secure, SameSite=Strict cookies
Rate Limiting Auth endpoints: 5 attempts/15min
Authorization All routes check auth server-side, default deny
Input Validated with schema (Zod), parameterized SQL
Uploads Whitelist types, enforce size limits
Secrets No secrets in code or VCS
Headers CSP (with nonces), HSTS, Permissions-Policy, X-Content-Type-Options
CORS Configured restrictively
Encryption PII encrypted at rest (AES-256) and in transit (TLS 1.3)
Logging Audit logging for security events
Dependencies SBOM generated, npm audit clean, Dependabot enabled

Threat Modeling (STRIDE)

Threat Category Key Mitigations
Spoofing Authentication MFA, strong passwords, JWT with short expiry
Tampering Integrity Input validation, HTTPS/TLS, signed tokens
Repudiation Accountability Audit logging, digital signatures
Info Disclosure Confidentiality Encryption, least privilege, secret management
Denial of Service Availability Rate limiting, input validation, CDN/DDoS protection
Elevation of Privilege Authorization Authz checks on every request, ABAC, permission audits

Risk Levels

Level Action
Critical Immediate action required
High Address before launch
Medium Address post-launch
Low Monitor, may accept risk

Compliance Overview

Framework Scope Key Requirements
GDPR EU data subjects Consent, data subject rights, breach notification (72h), DPIA
HIPAA US healthcare data PHI encryption, RBAC, audit logs, BAA with providers
SOC 2 SaaS customer data Security policies, MFA, encryption, incident response
PCI-DSS Credit card data Use payment processor (Stripe), tokenization, network segmentation

Anti-Patterns

Anti-Pattern Fix
Security as afterthought Integrate from design phase
Client-side authorization Always verify permissions server-side
Trusting client data (e.g., userId from body) Get user ID from authenticated session
Rolling your own crypto Use proven libraries (argon2, bcrypt, libsodium)
Compliance = security Compliance is the minimum; security is ongoing
Verbose error responses Generic messages to clients, details server-side

Common Mistakes

Mistake Correct Pattern
Performing authorization checks only on the client side Always verify permissions server-side; client checks are UX only
Trusting user-supplied IDs from request body (e.g., userId) Derive user identity from the authenticated session or token
Rolling custom cryptography instead of using proven libraries Use argon2id, bcrypt, or libsodium for all cryptographic operations
Treating compliance certification as equivalent to security Compliance is the minimum bar; security requires ongoing review
Returning verbose error messages with stack traces to clients Show generic messages to clients; log details server-side only

Delegation

  • Scan codebase for OWASP Top 10 vulnerabilities and insecure patterns: Use Explore agent to search for SQL injection, XSS, and hardcoded secrets
  • Implement authentication, authorization, and security headers end-to-end: Use Task agent to configure JWT, RBAC, CSP, HSTS, and rate limiting
  • Design a threat model and security architecture for new features: Use Plan agent to apply STRIDE methodology and map trust boundaries

For database-layer security (RLS policies, Postgres/Supabase hardening, audit trails), use the database-security skill. For AI/LLM security (prompt injection defense, agentic zero-trust, MCP tool hardening), use the secure-ai skill.

References

  • Threat Modeling — STRIDE methodology, risk assessment process, trust boundaries
  • Authentication and Authorization — JWT, session-based, OAuth, RBAC, ABAC, IDOR protection
  • API Security — OWASP API Security Top 10, object-level authorization, rate limiting, SSRF prevention, security testing
  • Input Validation — SQL injection, XSS, command injection, path traversal, Zod validation, file upload security
  • Data Protection — Password hashing (argon2id/bcrypt), AES-256-GCM encryption, secrets management
  • Secure Configuration — Security headers, CORS, Express hardening, rate limiting
  • Supply Chain Security — SBOM generation, dependency scanning, CI/CD hardening, artifact signing
  • Monitoring and Compliance — Audit logging, error handling, GDPR/HIPAA/SOC2/PCI-DSS, troubleshooting

Installationen

Installationen 53
Globales Ranking #601 von 601

Sicherheitsprüfung

ath Safe
socket Safe
Warnungen: 0 Bewertung: 90
snyk Low
EU EU-Hosted Inference API

Power your AI Agents with the best open-source models.

Drop-in OpenAI-compatible API. No data leaves Europe.

Explore Inference API

GLM

GLM 5

$1.00 / $3.20

per M tokens

Kimi

Kimi K2.5

$0.60 / $2.80

per M tokens

MiniMax

MiniMax M2.5

$0.30 / $1.20

per M tokens

Qwen

Qwen3.5 122B

$0.40 / $3.00

per M tokens

So verwenden Sie diesen Skill

1

Install application-security by running npx skills add oakoss/agent-skills --skill application-security in your project directory. Führen Sie den obigen Installationsbefehl in Ihrem Projektverzeichnis aus. Die Skill-Datei wird von GitHub heruntergeladen und in Ihrem Projekt platziert.

2

Keine Konfiguration erforderlich. Ihr KI-Agent (Claude Code, Cursor, Windsurf usw.) erkennt installierte Skills automatisch und nutzt sie als Kontext bei der Code-Generierung.

3

Der Skill verbessert das Verständnis Ihres Agenten für application-security, und hilft ihm, etablierte Muster zu befolgen, häufige Fehler zu vermeiden und produktionsreifen Code zu erzeugen.

Was Sie erhalten

Skills sind Klartext-Anweisungsdateien — kein ausführbarer Code. Sie kodieren Expertenwissen über Frameworks, Sprachen oder Tools, das Ihr KI-Agent liest, um seine Ausgabe zu verbessern. Das bedeutet null Laufzeit-Overhead, keine Abhängigkeitskonflikte und volle Transparenz: Sie können jede Anweisung vor der Installation lesen und prüfen.

Kompatibilität

Dieser Skill funktioniert mit jedem KI-Coding-Agenten, der das skills.sh-Format unterstützt, einschließlich Claude Code (Anthropic), Cursor, Windsurf, Cline, Aider und anderen Tools, die projektbezogene Kontextdateien lesen. Skills sind auf Transportebene framework-agnostisch — der Inhalt bestimmt, für welche Sprache oder welches Framework er gilt.

Data sourced from the skills.sh registry and GitHub. Install counts and security audits are updated regularly.

EU Made in Europe

Chat with 100+ AI Models in one App.

Use Claude, ChatGPT, Gemini alongside with EU-Hosted Models like Deepseek, GLM-5, Kimi K2.5 and many more.

Start for free View pricing
Kundensupport