- Home
- Skills
- Yelmuratoff
- Agent Sync
- Security
security_skill
- Shell
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
3 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yelmuratoff/agent_sync --skill security- SKILL.md2.4 KB
Overview
This skill provides concrete security and privacy guidance for AI agent projects that handle secrets, authentication, or any user-identifiable data. It focuses on classification, secure storage, testability, and transport safety to reduce risk and ensure consistent, auditable decisions. The recommendations are practical for Flutter/Dart agents and related infrastructure changes.
How this skill works
The skill inspects code paths that store or transmit sensitive data and prescribes controls: classify data first, apply OWASP baselines, and centralize secret storage using a secure storage interface. It enforces testable patterns with fakes for secure storage and recommends least-privilege data flows so UI layers never hold more than necessary. It also includes guidance for dependency and transport verification.
When to use it
- When storing or reading tokens, API keys, session IDs, or credentials.
- When logging user actions, errors, request context, or any PII.
- When persisting user-identifiable data (emails, phones, addresses).
- When implementing authentication flows, token refresh, or "remember me" features.
- When adding new storage, network, or third-party dependencies that affect privacy.
Best practices
- Classify data as secrets, PII, or payloads before changing storage or logs.
- Use a secure storage abstraction (e.g., flutter_secure_storage) injected via a dependency container.
- Keep auth/storage logic inside repositories/datasources; avoid passing tokens through UI/widget trees.
- Provide fakes or in-memory secure storage for unit and integration tests to verify behavior.
- Validate design and implementation against OWASP Mobile Top 10 and MASVS checklists.
- Screen new dependencies for vulnerabilities and enforce HTTPS/TLS for production traffic.
Example use cases
- Implementing token storage for an agent that calls external APIs: use injected secure storage and never write tokens to SharedPreferences.
- Adding request logging: redact or omit PII and tokens, and document assumptions and mitigations in PR notes.
- Building authentication flows: centralize refresh logic in a repository and test with in-memory secure storage.
- Evaluating a new SDK: review maintenance, CVEs, and ensure transport uses TLS before adoption.
- Refactoring UI: limit data selectors so views only read the fields needed, not raw tokens or full profiles.
FAQ
Avoid it. Even in development, use the same secure storage abstraction or a test-only fake to prevent accidental leakage and make behavior consistent.
How do I verify I met OWASP recommendations?
Document threat assumptions, map features to OWASP/MASVS controls, and include verification notes in PRs or security docs; run dependency and static analysis scans.