security
Domain plugin for application-security corpora derived from the OWASP Cheat Sheet Series. Covers input validation, authentication, session management, cryptography, injection prevention, XSS, CSRF, secrets management, and core security principles.
Atom counts by kind
| Kind | Count |
|---|---|
| rule | 14 |
| anti-pattern | 13 |
| check | 13 |
| principle | 12 |
| pattern | 5 |
| value | 1 |
Tag vocabulary
Words a brief might contain that signal this domain.
Retrieval axes
Domain-specific dimensions used by Prime's retrieval scoring.
risk-class · 10 matches
The class of vulnerability or risk addressed (OWASP Top-10 family).
attack-surface · 11 matches
Where the control applies — request boundary, persistence layer, transport, browser surface, secrets store, identity provider.
severity · 5 matches
Risk rating of the issue this atom addresses, modelled on CVSS bands.
Sample atoms
Eval User Input
Passing user-controlled strings directly to dynamic code evaluators — JavaScript eval() or the Function constructor, Python exec()/eval(), Ruby eval/instance_eval, PHP eval() — resulting in arbitrary code execution in the interpreter's context.
Md5 For Passwords
Using general-purpose cryptographic hash functions (MD5, SHA-1, SHA-256, SHA-512) to hash passwords — even with a salt — rather than password-specific slow hashing algorithms (Argon2id, scrypt, bcrypt, PBKDF2) designed to resist GPU-accelerated cracking. A salt only defeats precomputed tables; it does nothing against brute force when each guess costs a few nanoseconds.
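Added example, not code from the plugin or the OWASP source: the salted-MD5 anti-pattern beside a standard-library replacement. Argon2id is OWASP's first recommendation but needs a third-party package, so this uses PBKDF2-HMAC-SHA256, the FIPS-compatible fallback, at the 600,000 iterations the OWASP Password Storage Cheat Sheet gives for that configuration. The storage format (`scheme$iterations$salt$hash`) and the constant names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Anti-pattern: salted MD5 (SHA-2 is no better here). The salt stops
# precomputed tables, but commodity GPUs still try billions of guesses per
# second against fast hashes.
def md5_salted_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


# Hardened: a deliberately slow, password-specific KDF with self-describing
# output so the parameters can be raised later without breaking old records.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return scheme$iterations$salt_b64$hash_b64 for a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # wrong field count, bad int, bad base64 (binascii.Error)
        return False
    if len(expected) != KEY_BYTES or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record uses another scheme or too few iterations. Call it
    after a successful login and re-hash with the current parameters."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Two details matter beyond the algorithm choice: `hmac.compare_digest` keeps the comparison time independent of where the first differing byte is, and `needs_rehash` is what lets the iteration count be raised over time, since the stored record already says which parameters produced it.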
Open Redirect
Accepting a redirect destination URL from user-controlled query parameters (?next=, ?redirect=, ?return_to=, ?url=) without validating it against an allowlist of permitted destinations.
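Added example, not part of the plugin or the OWASP source: an allowlist validator for a `?next=` parameter. It accepts a same-site path or an https URL whose host matches the allowlist exactly, and sends everything else to a default. The allowlist hosts, the default target and the length cap are assumptions. The awkward cases it has to get right are the ones that make naive `startswith("/")` or `"example.com" in url` checks fail: protocol-relative `//evil.com`, backslash tricks, userinfo (`https://good@evil.com`), scheme-only prefixes and lookalike subdomains.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example; a real application would load it from
# configuration and match exactly, never by substring or suffix.
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"
MAX_LEN = 2048


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Return candidate if it is a same-site path or an allowlisted https
    URL; otherwise return the default target."""
    if not candidate or len(candidate) > MAX_LEN:
        return default

    # Browsers treat "\" like "/" in URLs, so "/\evil.com" is really
    # "//evil.com". Normalise before any prefix check.
    candidate = candidate.replace("\\", "/")

    # Control characters and whitespace (tabs, newlines, leading spaces) are
    # stripped or mangled differently by every parser; refuse them outright.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return default

    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept exactly one leading slash. "//host" is
        # protocol-relative and would leave the site.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute URL: scheme must be https and the host must match exactly.
    # parts.hostname is lower-cased and has userinfo and port removed, so
    # "https://app.example.com@evil.com" resolves to evil.com here, just as
    # it does in the browser. "https:evil.com" has no netloc and so no
    # hostname, and is rejected too.
    if parts.scheme.lower() != "https":
        return default
    if parts.hostname not in allowed_hosts:
        return default
    return candidate


if __name__ == "__main__":
    for value in ["/dashboard", "//evil.com", "/\\evil.com",
                  "https://app.example.com@evil.com/", "javascript:alert(1)"]:
        print(f"{value!r:40} -> {safe_redirect_target(value)!r}")
```

If the application can get away with it, the simplest option is stricter still: store the intended destination server-side keyed by an opaque token, and accept only that token in the query string.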
Sql String Concat
Building SQL queries by concatenating or interpolating user-controlled strings directly into query text — the classic SQL injection (SQLi) vulnerability, the Injection category that held #1 on the OWASP Top 10 in the 2010, 2013 and 2017 editions.
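Added example, not code from the plugin or the OWASP source, using SQLite from the Python standard library so it runs offline: the interpolated query beside its parameterised form, exercised with a tautology payload and a UNION payload that dumps another column. It also covers the case parameters cannot fix, an ORDER BY column chosen by the user, which has to be allowlisted instead. The table, rows and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Anti-pattern: the value is pasted into the statement text, so a quote
    in it ends the literal and the rest is parsed as SQL."""
    query = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: a bound parameter. The value travels separately from the
    statement and is never parsed as SQL, whatever it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (table and column names, ORDER BY targets) cannot be bound as
# parameters, so the only safe option is an allowlist of known names.
SORTABLE_COLUMNS = {"id", "username"}


def list_users_sorted(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(
        f"SELECT id, username FROM users ORDER BY {column}"
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology;
# the second appends a UNION that returns the password_hash column and
# comments out the server's closing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, TAUTOLOGY))   # both users
    print(find_user_vulnerable(conn, UNION_DUMP))  # the password hashes
    print(find_user_safe(conn, TAUTOLOGY))         # []
    print(find_user_safe(conn, UNION_DUMP))        # []
```

The same separation applies to every driver and ORM: `?`, `%s` or `:name` placeholders passed as a second argument are parameters; a string built with `%`, `+` or an f-string before the call is not, even if it happens to use the same characters.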
Trusting Client Validation
Relying on browser-side validation (HTML5 required/pattern attributes, JavaScript form checks) as the security boundary, with no equivalent validation on the server — trivially bypassed with curl, Postman, or DevTools.
Check Content Security Policy
CSP header must be present on HTML responses, must not contain 'unsafe-inline' or 'unsafe-eval' in script-src, and must not use wildcard (*) as the sole source in script-src or default-src.
Check Cookie Secure Flags
Session and auth cookies must carry Secure, HttpOnly, and SameSite=Strict (or Lax for OAuth flows).…
Check Dependency Audit
All project dependencies must pass a vulnerability audit with zero high/critical severity findings. Checks must run in CI on every PR and on a scheduled daily basis against the production manifest.
Check Https Everywhere
Every HTTPS response must include an HSTS header with max-age ≥ 31536000 (1 year), includeSubDomains, and preload; browsers ignore the header on plain-HTTP responses, so it must be sent from the HTTPS origin. No http:// links may appear in HTML output.
Check No Credentials Client
Scans client-bundled JS and HTML for hardcoded API keys, secrets, JWTs, and credentials (OpenAI, Anthropic, AWS, GitHub, Stripe, Google), and detects sensitive env vars exposed via NEXT_PUBLIC_/VITE_/REACT_APP_ prefixes.
Check Secrets Not In Git
No secrets (API keys, passwords, tokens, private keys, connection strings) must exist in any git commit — past or present. A pre-commit hook and CI scan must enforce this automatically.
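Added example, not the plugin's own checker, serving both "Check No Credentials Client" and "Check Secrets Not In Git": a line scanner that could run over a built bundle or over `git log -p` output. The patterns are illustrative assumptions covering the best-known fixed-prefix key formats plus the public-prefix env-var rule from the atom above; real scanners (gitleaks, trufflehog, detect-secrets) add entropy checks and far more vendors. The sample bundle is constructed; the AWS key in it is Amazon's documented placeholder and every other value is made up.

```python
import re

# Illustrative patterns (assumptions, not the plugin's rules).
SECRET_PATTERNS = {
    "aws-access-key-id":       r"\bAKIA[0-9A-Z]{16}\b",
    "github-token":            r"\bgh[pousr]_[A-Za-z0-9]{36}\b",
    "stripe-live-secret":      r"\bsk_live_[0-9a-zA-Z]{24,}\b",
    "openai-or-anthropic-key": r"\bsk-(?:ant-)?[A-Za-z0-9_\-]{20,}",
    "google-api-key":          r"\bAIza[0-9A-Za-z_\-]{35}\b",
    "jwt":                     r"\beyJ[A-Za-z0-9_\-]{8,}\.eyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}",
    "private-key-block":       r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
}
_COMPILED = {kind: re.compile(p) for kind, p in SECRET_PATTERNS.items()}

# Build-time env vars with these prefixes are inlined into the browser
# bundle. A name that also looks sensitive is a finding even when the value
# is not visible; NEXT_PUBLIC_API_URL is fine, VITE_STRIPE_SECRET_KEY is not.
PUBLIC_ENV_SECRET = re.compile(
    r"\b(?:NEXT_PUBLIC_|VITE_|REACT_APP_)[A-Z0-9_]*"
    r"(?:SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|API_KEY)[A-Z0-9_]*\b"
)


def redact(secret: str) -> str:
    """Enough to locate the finding without echoing the secret into CI logs."""
    return secret[:6] + "..." if len(secret) > 6 else secret


def scan_text(text: str):
    """Return (line_no, kind, preview) for every hit, in line order. For the
    env-var rule the preview is the variable name, which is not itself secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in _COMPILED.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, redact(m.group(0))))
        for m in PUBLIC_ENV_SECRET.finditer(line):
            findings.append((line_no, "public-env-secret", m.group(0)))
    return findings


# Constructed bundle excerpt (no real credentials).
SAMPLE_BUNDLE = """\
const cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
fetch("https://api.github.com/user", { headers: { Authorization: "token ghp_0123456789abcdefghijABCDEFGHIJ012345" } });
const stripe = Stripe("sk_live_aB3dE5fG7hJ9kL1mN3pQ5rS7");
const ai = "sk-ant-api03-0123456789abcdefghijklmnop";
const maps = "AIzaSyD-0123456789abcdefghijklmnopqrstu";
localStorage.setItem("jwt", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c");
const pem = "-----BEGIN RSA PRIVATE KEY-----";
const apiUrl = process.env.NEXT_PUBLIC_API_URL;
const stripeSecret = process.env.VITE_STRIPE_SECRET_KEY;
const smtpPass = process.env.REACT_APP_SMTP_PASSWORD;
"""


if __name__ == "__main__":
    for line_no, kind, preview in scan_text(SAMPLE_BUNDLE):
        print(f"line {line_no}: {kind}: {preview}")
```

For the git side of the check the same function runs over `git log -p --all` output, which is why it reports by line and never prints the matched value: a CI log is one more place a secret can leak.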
Csp Strict
A Content-Security-Policy header that allowlists ONLY the origins your app actually loads — blocks XSS by refusing inline scripts and unauthorized origins.
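Added example, not the plugin's own code, serving "Check Content Security Policy", "Check Cookie Secure Flags", "Check Https Everywhere" and "Csp Strict" together: a response-header auditor that takes the headers of an HTTPS response as (name, value) pairs (so repeated Set-Cookie headers survive) plus the HTML body, and returns one finding per violated rule. The set of session-cookie names and the weak and hardened sample responses are constructed for the example.

```python
import re

HSTS_MIN_AGE = 31536000
SESSION_COOKIE_NAMES = {"session", "sessionid", "auth"}  # assumption


def _values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def _parse_csp(value):
    """'default-src *; script-src a b' -> {'default-src': ['*'], ...}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_csp(headers, findings):
    values = _values(headers, "Content-Security-Policy")
    if not values:
        findings.append("csp: header missing")
        return
    policy = _parse_csp(values[0])  # first policy only; each header is enforced separately
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("csp: neither script-src nor default-src set")
        return
    for bad in ("'unsafe-inline'", "'unsafe-eval'"):
        if bad in script:
            findings.append(f"csp: {bad} in effective script-src")
    for name in ("script-src", "default-src"):
        if policy.get(name) == ["*"]:
            findings.append(f"csp: wildcard is the sole source in {name}")


def check_cookies(headers, findings):
    for raw in _values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        if name not in SESSION_COOKIE_NAMES:
            continue
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"cookie {name}: SameSite must be Strict (Lax only for OAuth flows)")


def check_hsts(headers, findings):
    values = _values(headers, "Strict-Transport-Security")
    if not values:
        findings.append("hsts: header missing")
        return
    directives = [d.strip().lower() for d in values[0].split(";")]
    max_age = -1
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                pass
    if max_age < HSTS_MIN_AGE:
        findings.append(f"hsts: max-age {max_age} below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("hsts: missing includeSubDomains")
    if "preload" not in directives:
        findings.append("hsts: missing preload")


def check_http_links(html, findings):
    for m in re.finditer(r"""(?:href|src)=["']http://[^"']+""", html, re.IGNORECASE):
        findings.append(f"html: plain-http reference {m.group(0)}")


def audit_response(headers, html=""):
    """Run every check against one HTTPS response; empty list means clean."""
    findings = []
    check_csp(headers, findings)
    check_cookies(headers, findings)
    check_hsts(headers, findings)
    check_http_links(html, findings)
    return findings


# Constructed samples: a typical weak deployment and the corrected one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Strict-Transport-Security", "max-age=86400"),
]
WEAK_HTML = '<a href="http://example.com/help">help</a>'
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'; base-uri 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
]
HARDENED_HTML = '<a href="https://example.com/help">help</a>'

if __name__ == "__main__":
    for f in audit_response(WEAK_HEADERS, WEAK_HTML):
        print("FAIL", f)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_HTML))  # []
```

The hardened CSP is the "Csp Strict" atom in practice: `'self'` plus the one CDN the page actually loads, `object-src 'none'` and `base-uri 'self'` to close the plugin and base-tag bypasses. Moving to nonces or hashes for inline scripts, rather than adding `'unsafe-inline'`, is the usual next step and would pass this check unchanged.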