playbooks

home / skills / d-oit / do-novelist-ai / security-specialist

security-specialist skill

/.opencode/skill/security-specialist

This skill helps implement authentication, authorization, and data protection with secure practices across endpoints and data handling.

npx playbooks add skill d-oit/do-novelist-ai --skill security-specialist

Review the files below or copy the command above to add this skill to your agents.

Files (5)
SKILL.md
2.6 KB
---
name: security-specialist
description:
  Implement authentication, authorization, data protection, vulnerability
  checks, and security best practices. Use when adding authentication,
  protecting API endpoints, handling user data, or implementing security
  features.
---

# Security Specialist

Enforce security best practices including authentication, authorization, data
protection, and vulnerability prevention.

## Quick Reference

- **[Authentication](authentication.md)** - User authentication flows
- **[Authorization](authorization.md)** - Access control and permissions
- **[Data Protection](data-protection.md)** - Sensitive data handling
- **[Vulnerability Checks](vulnerability-checks.md)** - Security audits and
  scanning

## When to Use

- Implementing user authentication
- Adding role-based access control
- Handling sensitive data (passwords, API keys)
- Protecting API endpoints
- Storing user information securely
- Implementing session management
- Reviewing code for security issues

## Core Methodology

Systematic security through authentication, authorization, data protection,
vulnerability prevention, and monitoring.

**Key Principles**:

1. Never trust user input
2. Validate and sanitize all inputs
3. Use strong encryption and hashing
4. Implement proper access control
5. Monitor for security incidents
6. Stay updated on security best practices

**Quality Gates**:

- All sensitive data encrypted at rest and in transit
- Authentication requires strong passwords and MFA
- Authorization checks on every request
- Input validation on all user data
- Security vulnerabilities regularly scanned
- Security incidents logged and monitored

## Integration

- **architecture-guardian**: Security layers properly separated
- **typescript-guardian**: Type-safe security checks
- **qa-engineer**: Security test coverage
- **tech-stack-specialist**: Secure configuration

## Best Practices

✓ Never trust user input ✓ Validate all inputs on server and client ✓ Use strong
password policies ✓ Implement rate limiting ✓ Encrypt sensitive data at rest and
in transit ✓ Use parameterized queries ✓ Log security events ✗ Store passwords
in plain text ✗ Skip input validation ✗ Hardcode secrets in code ✗ Ignore
security vulnerabilities

---

## Content Modules

See detailed modules:

- **[Authentication](authentication.md)** - Passwords, tokens, sessions
- **[Authorization](authorization.md)** - RBAC, access control
- **[Data Protection](data-protection.md)** - Encryption, validation,
  sanitization
- **[Vulnerability Checks](vulnerability-checks.md)** - Scanning, auditing,
  testing

Overview

This skill implements practical security measures for TypeScript projects, covering authentication, authorization, data protection, and vulnerability checks. It helps teams add secure authentication flows, enforce access control, and protect sensitive data while integrating automated vulnerability scanning. Use it to harden APIs, manage sessions, and ensure consistent security practices across services.

How this skill works

The skill inspects code and configuration to identify missing or weak security controls and offers concrete fixes: password hashing, token handling, session management, and MFA options. It validates input handling, recommends encryption for data at rest and in transit, and integrates vulnerability scans and security logging. Actionable suggestions map to code-level changes, configuration updates, and testing checkpoints.

When to use it

  • Adding or updating user authentication flows (passwords, tokens, sessions)
  • Protecting API endpoints and implementing access control
  • Handling or storing sensitive data like passwords, API keys, or PII
  • Performing security reviews, audits, or automated vulnerability scans
  • Implementing rate limiting, logging, or incident monitoring

Best practices

  • Never trust user input — validate and sanitize on both client and server
  • Use strong, salted hashing for passwords and rotate keys regularly
  • Enforce least privilege with RBAC or attribute-based access control
  • Encrypt sensitive data in transit (TLS) and at rest (AES/GCM or equivalent)
  • Use parameterized queries to prevent SQL injection and implement rate limiting
  • Log security events and monitor for anomalies; maintain incident response playbooks

Example use cases

  • Add JWT-based authentication with refresh tokens and secure cookie storage
  • Introduce role-based access control for admin and user endpoints
  • Migrate plaintext secrets to environment-managed encrypted stores and rotate keys
  • Run automated vulnerability scans and fix high-severity findings before deployment
  • Add input validation and parameterized queries to eliminate injection risks

FAQ

Does the skill enforce specific libraries or frameworks?

No. It recommends well-supported libraries and patterns for the project language and framework, and provides code-level guidance to integrate them safely.

How does it handle secrets and key management?

It recommends storing secrets in dedicated, encrypted secret stores or environment management, avoiding hardcoded values, and rotating keys regularly. It also suggests access controls for who can read secrets.