Showing 28 verified skills. 284 preview entries are hidden until we confirm a real source. Show preview skills · Why?
Catch security vulnerabilities before they reach production
claude install anthropics/claude-code/security-guidanceProactive security monitoring that flags dangerous patterns before they reach production. OWASP-aware with actionable fix suggestions.
This is the actual SKILL.md file that powers this skill. Copy it to install.
---
name: security-guidance
description: |
Always active. Monitors code for 9 security patterns: command injection,
XSS, eval, dangerouslySetInnerHTML, SQL injection, pickle, hardcoded
secrets, path traversal, and unsafe deserialization.
allowed-tools:
- Read
- Grep
- Glob
---
# Security Guidance
Proactive security monitoring that flags dangerous patterns before they
reach production. OWASP-aware with actionable fix suggestions.
## Monitored Patterns
1. **Command injection** - `exec()`, `spawn()`, `system()` with user input
2. **XSS** - Unescaped user input in HTML/JSX output
3. **eval()** - Dynamic code execution from untrusted sources
4. **dangerouslySetInnerHTML** - Raw HTML injection in React
5. **SQL injection** - String concatenation in SQL queries
6. **Pickle deserialization** - `pickle.loads()` on untrusted data
7. **Hardcoded secrets** - API keys, tokens, passwords in source
8. **Path traversal** - Unsanitized file paths from user input
9. **Unsafe deserialization** - `JSON.parse()` without validation, YAML.load()
## Steps
1. After every code edit, scan the changed file for the 9 patterns above.
2. When a pattern is detected:
- Flag with a clear warning explaining the risk
- Provide the specific fix (not just "don't do this")
- Rate severity: CRITICAL / HIGH / MEDIUM
3. **Fix examples:**
- Command injection: use `execFile()` with args array instead of `exec()`
- SQL injection: use parameterized queries (`$1`, `?` placeholders)
- XSS: use framework escaping, never raw string interpolation in HTML
- Secrets: move to environment variables, add to .gitignore
- Path traversal: use `path.resolve()` and validate against base directory
4. Never suppress a CRITICAL finding. Always report it even if the user
seems to want to proceed.
mkdir -p ~/.claude/skills/security-guidance~/.claude/skills/security-guidance/SKILL.mdResulting file structure:
~/.claude/
skills/
security-guidance/
SKILL.md <-- skill definitionSkills are loaded automatically by Claude Code when you start a new session. The skill name and description in the frontmatter determine when Claude triggers it.
Recommended from shared domain, career, and tool overlap with Security Guidance
Inspect Redis keys, TTLs, and cache hit rates from your AI editor
Both used by Software Engineer, DevOps Engineer
Query Sentry errors and analyze stack traces from your AI editor
Both used by Software Engineer, DevOps Engineer
Turn one prompt into a parallel pipeline across Claude, Codex, Gemini, and Cursor agents -- then get a unified result back
Both used by Software Engineer, DevOps Engineer
Create custom tool integrations that extend any AI assistant
Both used by Software Engineer, DevOps Engineer
Give your AI assistant safe, sandboxed access to your filesystem
Both used by Software Engineer, DevOps Engineer
Set up Git branching, hooks, and release processes in one go
Both used by Software Engineer, DevOps Engineer
Security Guidance