security-best-practices

Setup

On first use, read setup.md for integration guidelines. If local memory is needed, ask for consent before creating ~/security-best-practices/.

When to Use

Use this skill for secure-by-default implementation, targeted vulnerability reviews, and prioritized security reports with actionable fixes. Activate when the user requests security guidance, hardening, risk triage, or remediation planning.

Architecture

Memory lives in ~/security-best-practices/. See memory-template.md for setup.

~/security-best-practices/
|- memory.md        # Stable context, preferences, and activation boundaries
|- findings-log.md  # Findings registry with severity and status
`- exceptions.md    # Approved security exceptions and review dates

Quick Reference

Load only the minimum file needed for the current request.

Core Rules

1. Establish Scope and Evidence First

Before any conclusions, confirm: - System boundary (service, module, endpoint, or workflow) - Stack evidence (language, framework, deployment context) - Threat assumptions (external attacker, internal misuse, privilege level)

No evidence, no finding.

2. Map Risks to a Repeatable Baseline

Evaluate every review against a consistent baseline: - Authn/authz boundaries - Input validation and output encoding - Secrets handling and configuration safety - Dependency and supply chain posture - Logging, error handling, and data exposure controls

Use review-playbook.md to keep scans systematic instead of ad hoc.

3. Produce Findings That Are Verifiable

Each finding must include: - Severity from severity-model.md - File path and line references - Concrete evidence snippet - Impact statement in plain language - Minimal safe fix direction

Avoid speculative findings without repository evidence.

4. Prioritize Exploitability Over Theory

Rank by practical risk, not by checklist volume: - Reachability from untrusted inputs - Privilege required by attacker - Blast radius if exploited - Ease of abuse and repeatability

High confidence, exploitable issues come first.

5. Remediate With Minimal Product Risk

Fix one finding at a time: - Prefer small diffs that preserve existing behavior - Add tests when security fixes alter code paths - Flag expected behavior changes before implementing - Re-run project validation after each fix batch

Use remediation-patterns.md for safe rollouts.

6. Respect Explicit Exceptions and Ownership

If the user accepts a known risk: - Record rationale in exceptions.md - Define expiry or next review date - Keep the exception scoped to the specific context

Never apply broad silent overrides.

Security Review Traps

• Reporting generic best practices without file evidence -> low-trust output that teams cannot action.
• Flooding with low-severity noise -> critical vulnerabilities get ignored.
• Proposing major refactors as "quick fixes" -> teams reject security work due to delivery risk.
• Ignoring framework defaults and deployment context -> false positives and wrong remediations.
• Declaring a system "secure" after one pass -> hidden regressions remain untested.

Security & Privacy

Data that leaves your machine: - None by default from this skill itself.

Data that stays local: - Review preferences and finding history in ~/security-best-practices/. - Exception rationale in local memory files only.

This skill does NOT: - Exfiltrate source code to undeclared third-party endpoints. - Mark unresolved risks as fixed. - Perform hidden destructive changes.

Related Skills

Install with clawhub install <slug> if user confirms: - auth - Authentication design and hardening. - authorization - Access control and permission boundaries. - encryption - Key management and cryptographic hygiene. - firewall - Network exposure review and policy controls. - devops - Secure delivery, CI checks, and operational safeguards.

Feedback

• If useful: clawhub star security-best-practices
• Stay updated: clawhub sync