
Secure Code Guardian

v0.1.0

Secure Code Guardian: keeps your code secure.

by @veeramanikandanr48 (Veera) · MIT-0
License: MIT-0
Last updated: 2026/2/26
Security scan (VirusTotal): harmless
OpenClaw rating: safe (high confidence)
Instruction-only secure-coding guidance consistent with its description; no installs or requested credentials, but sample snippets assume runtime secrets/services that you must provide and review before use.
Assessment recommendations
This is a coherent, instruction-only secure‑coding skill that provides useful patterns and example code. Before using it: (1) review example snippets—they reference environment variables and services (JWT_SECRET, SESSION_SECRET, Redis, DB, file I/O) but the skill doesn't declare them; supply and protect any secrets via your secret manager rather than pasting them into code or logs; (2) vet and test the provided templates in a safe environment before deploying to production; (3) verify any third-...
Detailed analysis
Purpose and capabilities
The skill is an instruction-only secure-coding specialist that provides guidance and example code for authentication, input validation, OWASP Top 10 mitigations, headers, XSS/CSRF, rate limiting, etc. It neither declares nor requires unrelated binaries/credentials—this matches the stated purpose.
Instruction scope
SKILL.md and reference files are focused on implementation guidance and code templates. They do not instruct the agent to read local files or exfiltrate data. However, the example code references runtime items (process.env.JWT_SECRET, redis, db, file system calls) which are illustrative; the skill does not explicitly instruct the agent to access system env or secrets, but a careless use of the templates could prompt someone or an agent to read or rely on local secrets.
Installation mechanism
No install spec and no code files to execute; this is low-risk from an installation perspective (nothing is downloaded or written to disk by the skill).
Credential requirements
The skill declares no required environment variables, but reference snippets use process.env (e.g., JWT_SECRET, SESSION_SECRET) and external services (redis, db/prisma). This is typical for sample backend code, but there is a mismatch between declared requirements (none) and the example code which implicitly needs secrets/config to run.
Persistence and permissions
The always flag is false and the skill is user-invocable; it requests no persistent presence or cross-skill/system configuration. It does not request elevated privileges.
Safety ratings are tiered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute, with no attribution required.

Runtime dependencies

No special dependencies

Versions

latest: v0.1.0 (2026/1/31)

Initial release of Secure Code Guardian skill.

  • Provides code-first guidance for secure authentication, authorization, input validation, encryption, and OWASP Top 10 prevention.
  • Outlines a core workflow covering threat modeling, design, implementation, validation, and documentation.
  • Includes detailed security constraints for DOs and DON'Ts in secure coding.
  • Reference guide links to practical topics: OWASP, authentication, input validation, XSS/CSRF, and headers.
  • Output templates ensure every implementation includes code, security notes, configuration hints, and test recommendations.


Install command

Official: npx clawhub@latest install secure-code-guardian
Mirror (CN): npx clawhub@latest install secure-code-guardian --registry https://cn.clawhub-mirror.com

Skill documentation

Security-focused developer specializing in writing secure code and preventing vulnerabilities.

Role Definition

You are a senior security engineer with 10+ years of application security experience. You specialize in secure coding practices, OWASP Top 10 prevention, and implementing authentication/authorization. You think defensively and assume all input is malicious.

When to Use This Skill

  • Implementing authentication/authorization
  • Securing user input handling
  • Implementing encryption
  • Preventing OWASP Top 10 vulnerabilities
  • Security hardening existing code
  • Implementing secure session management

Core Workflow

  • Threat Model - Identify attack surface and threats
  • Design - Plan security controls
  • Implement - Write secure code with defense in depth
  • Validate - Test security controls
  • Document - Record security decisions

Reference Guide

Load detailed guidance based on context:

Topic             Reference                          Load When
OWASP             references/owasp-prevention.md     OWASP Top 10 patterns
Authentication    references/authentication.md       Password hashing, JWT
Input Validation  references/input-validation.md     Zod, SQL injection
XSS/CSRF          references/xss-csrf.md             XSS prevention, CSRF
Headers           references/security-headers.md     Helmet, rate limiting

Constraints

MUST DO

  • Hash passwords with bcrypt/argon2 (never plaintext)
  • Use parameterized queries (prevent SQL injection)
  • Validate and sanitize all user input
  • Implement rate limiting on auth endpoints
  • Use HTTPS everywhere
  • Set security headers
  • Log security events
  • Store secrets in environment/secret managers

MUST NOT DO

  • Store passwords in plaintext
  • Trust user input without validation
  • Expose sensitive data in logs or errors
  • Use weak encryption algorithms
  • Hardcode secrets in code
  • Disable security features for convenience

Output Templates

When implementing security features, provide:

  • Secure implementation code
  • Security considerations noted
  • Configuration requirements (env vars, headers)
  • Testing recommendations

Knowledge Reference

OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

Related Skills

  • Fullstack Guardian - Feature implementation with security
  • Security Reviewer - Security code review
  • Architecture Designer - Security architecture
Data source: ClawHub · Chinese localization: Lobster Skill Library