sergiodxa/agent-skills
Overview
This skill provides concise security audit guidelines for web applications and REST APIs based on OWASP Top 10 and common web security best practices. It organizes 20 practical rules across authentication, data protection, input/output safety, configuration, and API monitoring to guide code reviews and pre-production checks. Use it to prioritize fixes, produce clear findings, and recommend concrete remediations.
How this skill works
Identify the application type (web app, SPA, SSR, REST API) and scan rules by priority: CRITICAL, HIGH, then MEDIUM. For each finding record severity, category, file/line, impact, and a specific fix including code examples where appropriate. Focus on authentication/authorization, cryptography and secrets, input/output validation, security headers/configuration, and API/monitoring controls.
When to use it
- During a security-focused code review or pull request review
- Before production deployment or after a major feature release
- When auditing authentication, authorization, or session logic
- When evaluating REST API endpoints for mass assignment, rate limits, and input validation
- When checking configuration: headers, CORS, CSRF, and cookie flags
Best practices
- Start with CRITICAL issues (auth, crypto, injection) and remediate before others
- Report each issue with severity, exact location, impact, and a minimal reproducible fix
- Prefer secure defaults: parameterized queries, strong password policies, and least privilege
- Never log secrets or return sensitive fields in responses; log safe metadata instead
- Enforce security headers, strict cookie flags, and validated CORS origins
Example use cases
- Scan a new API endpoint for IDOR, mass assignment, and missing auth checks
- Audit file upload handlers for mime/type validation and path traversal protections
- Review deployment configs for exposed debug output, missing HSTS/CSP, or permissive CORS
- Assess authentication flows for weak passwords, missing MFA, and session cookie issues
- Check dependency lists for outdated packages and run automated vulnerability audits
FAQ
Fix CRITICAL issues immediately (injection, broken auth, secrets). Address HIGH issues next (CSRF, headers, session management). Treat MEDIUM/LOW based on exposure and attack surface.
What minimal information should a report include?
Severity, category/rule, file path and line, a short description of the issue, impact, and a concrete remediation with a code example if possible.
7 skills
This skill performs OWASP-aligned security audits for web apps and REST APIs, identifying vulnerabilities and guiding concrete remediation before production.
This skill helps you write and review AI agent skills by enforcing structure, content, and style guidelines for consistent quality.
This skill helps you apply Basecamp's Ruby on Rails best practices to structure models, controllers, jobs, and concerns for maintainable code.
This skill helps you optimize React components and bundles by applying best-practice guidelines for performance, memoization, and reusable architectures.
This skill helps you implement accessibility best practices in React components, improving semantic structure, keyboard support, and screen reader experience.
This skill helps you implement front-end testing best practices, prioritizing end-to-end tests, minimal mocks, and behavior-focused validation across the UI.
This skill helps optimize React Router data loading, forms, and route organization by applying best practices for loaders, actions, and UI data usage.