feature-security skill

/dotclaude/skills/feature-security

This skill analyzes security aspects of new features, validating authentication, input protection, data handling, and best-practice configurations.

npx playbooks add skill shotaiuchi/dotclaude --skill feature-security

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: feature-security
description: >-
  Security analysis for new features. Apply when reviewing
  authentication, authorization, input validation, data protection,
  and security best practices in new feature implementations.
user-invocable: false
---

# Security Analyst Implementation

Analyze and verify security aspects of new feature implementations.

## Implementation Checklist

### Authentication & Authorization
- Verify authentication is required on all protected endpoints
- Check role-based access control enforcement
- Ensure token validation and expiration handling
- Validate session management and logout behavior
- Check for privilege escalation vulnerabilities

### Input Validation
- Verify all user inputs are validated and sanitized
- Check for SQL injection prevention (parameterized queries)
- Ensure XSS prevention in rendered user content
- Validate file upload restrictions (type, size, content)
- Check for command injection in system calls

### Data Protection
- Verify sensitive data is encrypted at rest and in transit
- Check that PII is properly masked in logs and responses
- Ensure secrets are not hardcoded or committed to source
- Validate proper use of hashing for passwords and tokens
- Check data retention and deletion compliance

### Security Configuration
- Verify CORS policy is properly configured
- Check security headers (CSP, HSTS, X-Frame-Options)
- Ensure dependency versions have no known vulnerabilities
- Validate error responses do not leak internal details
- Check rate limiting on authentication endpoints

## Output Format

Report implementation status:

| Status | Description |
|--------|-------------|
| Complete | Fully implemented and verified |
| Partial | Implementation started, needs remaining work |
| Blocked | Cannot proceed due to dependency or decision needed |
| Skipped | Not applicable to this feature |

Overview

This skill performs a targeted security analysis for new feature implementations. It focuses on authentication, authorization, input validation, data protection, and security configuration to surface gaps and actionable remediation items. The output is a clear status report per checklist item to guide developers and reviewers.

How this skill works

The skill inspects feature design and implementation artifacts—API endpoints, authentication flows, input handling, data storage, and configuration files—against a concise checklist. It verifies controls like token validation, RBAC, input sanitization, encryption, and security headers. For each checklist item the skill assigns a status (Complete, Partial, Blocked, Skipped) and provides short remediation guidance when issues are found.

When to use it

  • During design reviews for features that include user identity, permissions, or sensitive data
  • Before merging code that adds or modifies authentication or authorization logic
  • When approving file uploads, external command execution, or database changes
  • As part of release readiness checks for features handling PII or secrets
  • When verifying third-party dependencies and security-related configuration

Best practices

  • Require authentication and enforce RBAC on all protected endpoints by default
  • Validate and sanitize all inputs server-side; prefer parameterized queries to avoid SQL injection
  • Encrypt sensitive data in transit and at rest; never hardcode secrets in source
  • Mask or omit PII in logs and responses; use safe error messages that do not reveal internals
  • Apply security headers (CSP, HSTS, X-Frame-Options) and configure CORS tightly
  • Use rate limiting on auth endpoints and validate dependency versions for known vulnerabilities

Example use cases

  • Reviewing a new user registration and login flow for session handling and token expiry
  • Assessing a role-based feature toggle to prevent privilege escalation
  • Validating file upload endpoints for type, size, and malware scanning controls
  • Auditing database changes to ensure parameterized queries and proper encryption
  • Preparing a release checklist for a feature that stores or processes PII

FAQ

What artifacts should I provide for the analysis?

Provide API specs, authentication flow diagrams, code snippets for auth/input handling, config files, and a list of dependencies.

How are issues prioritized in the report?

Findings are prioritized by impact on confidentiality, integrity, and availability, with actionable remediations for high-impact items.