secure-code-review
Secure Code Review Checklist
Input Validation:
- Never trust user-supplied input; validate type, length, and format at boundaries.
- Use parameterized queries — never string-interpolate SQL.
- Sanitize before rendering HTML to prevent XSS.
Secrets & Credentials:
- No hardcoded passwords, API keys, or tokens in source code.
- Use environment variables or a secrets manager.
- Check
.gitignorebefore adding any config files.
Dependencies:
- Pin dependency versions; audit with
pip auditornpm audit. - Minimize surface area: remove unused packages.
Auth:
- Verify authorization on every protected endpoint, not just at login.
- Use short-lived tokens; implement refresh flows.
More from aiming-lab/metaclaw
structured-step-by-step-reasoning
Use this skill for any problem that involves multiple steps, tradeoffs, or non-trivial logic. Think out loud before answering to improve accuracy and transparency. Apply whenever the answer is not immediately obvious.
12codebase-navigation
Use this skill when exploring an unfamiliar codebase, tracing code paths, or answering questions about how the system works. Read before writing, and build a mental model of the architecture before making changes.
12graceful-error-recovery
Use this skill when a tool call, command, or API request fails. Diagnose the root cause systematically before retrying or changing approach. Do not retry the same failing call without first understanding why it failed.
11uncertainty-acknowledgment
Use this skill when you are not sure about a fact, have outdated knowledge, or the question is contested. Explicitly communicate the level of confidence instead of asserting uncertain things as fact.
11avoid-hallucinating-specifics
Common mistake — stating specific facts (API endpoints, library versions, config options, function signatures) with false confidence when uncertain. Always flag uncertainty rather than guessing specifics.
11plan-before-multi-step-execution
Use this skill before executing a sequence of 3 or more steps, especially when steps are irreversible or depend on each other. Write out the plan and verify it before starting execution.
9