security_skill

This skill helps enforce secure handling of secrets, auth data, and PII in Flutter apps by guiding storage, testing, and threat mitigation.
  • Shell

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yelmuratoff/agent_sync --skill security

  • SKILL.md2.4 KB

Overview

This skill provides concrete security and privacy guidance for AI agent projects that handle secrets, authentication, or any user-identifiable data. It focuses on classification, secure storage, testability, and transport safety to reduce risk and ensure consistent, auditable decisions. The recommendations are practical for Flutter/Dart agents and related infrastructure changes.

How this skill works

The skill inspects code paths that store or transmit sensitive data and prescribes controls: classify data first, apply OWASP baselines, and centralize secret storage using a secure storage interface. It enforces testable patterns with fakes for secure storage and recommends least-privilege data flows so UI layers never hold more than necessary. It also includes guidance for dependency and transport verification.

When to use it

  • When storing or reading tokens, API keys, session IDs, or credentials.
  • When logging user actions, errors, request context, or any PII.
  • When persisting user-identifiable data (emails, phones, addresses).
  • When implementing authentication flows, token refresh, or "remember me" features.
  • When adding new storage, network, or third-party dependencies that affect privacy.

Best practices

  • Classify data as secrets, PII, or payloads before changing storage or logs.
  • Use a secure storage abstraction (e.g., flutter_secure_storage) injected via a dependency container.
  • Keep auth/storage logic inside repositories/datasources; avoid passing tokens through UI/widget trees.
  • Provide fakes or in-memory secure storage for unit and integration tests to verify behavior.
  • Validate design and implementation against OWASP Mobile Top 10 and MASVS checklists.
  • Screen new dependencies for vulnerabilities and enforce HTTPS/TLS for production traffic.

Example use cases

  • Implementing token storage for an agent that calls external APIs: use injected secure storage and never write tokens to SharedPreferences.
  • Adding request logging: redact or omit PII and tokens, and document assumptions and mitigations in PR notes.
  • Building authentication flows: centralize refresh logic in a repository and test with in-memory secure storage.
  • Evaluating a new SDK: review maintenance, CVEs, and ensure transport uses TLS before adoption.
  • Refactoring UI: limit data selectors so views only read the fields needed, not raw tokens or full profiles.

FAQ

Avoid it. Even in development, use the same secure storage abstraction or a test-only fake to prevent accidental leakage and make behavior consistent.

How do I verify I met OWASP recommendations?

Document threat assumptions, map features to OWASP/MASVS controls, and include verification notes in PRs or security docs; run dependency and static analysis scans.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security skill by yelmuratoff/agent_sync | VeilStrat