Initial commit

skills/security-checklist/SKILL.md

@@ -0,0 +1,33 @@
+---
+name: security-checklist
+description: Security review guardrails for AIRBot
+license: MIT
+---
+
+## Mission
+- Detect vulnerabilities, data leaks, and insecure defaults in Node.js/TypeScript services and tooling.
+- Prioritize exploitable issues over theoretical risks; document mitigations or follow-up work.
+
+## High-Priority Findings
+- Exposed secrets: `.env`, tokens, keys, or credentials added to source or logs.
+- Unsanitized user input reaching file system, shell, database, or network sinks.
+- Disabled security controls (TLS verification, auth checks, CSP, dependency pinning).
+- Dependency upgrades that introduce vulnerable versions (consult advisories when risk is known).
+
+## Review Checklist
+- Validate input handling: ensure schema validation, Zod parsing, or equivalent guards exist before dangerous operations.
+- Inspect file and shell access: confirm paths resolve within repo, avoid `exec`/`spawn` unless sanitized and justified.
+- Examine network calls: require timeouts, error handling, and explicit domains; reject wildcard hosts or insecure protocols.
+- Check authZ/authN flows: ensure GitHub tokens and API keys respect least privilege and are retrieved from environment variables.
+- Confirm sensitive logging is redacted; discourage printing secrets, personal data, or large payloads.
+- Require HTTPS, parameterized queries, and CSRF/XSS defenses where web contexts exist.
+
+## Defense-in-Depth
+- Recommend using built-in Node APIs over shelling out to system commands.
+- Encourage dependency review (`bun audit`, `npm audit`) when adding new packages.
+- Promote feature flags or kill switches for risky rollouts.
+
+## Tooling Tips
+- Use `Glob` to locate `*.env`, `config`, or `scripts` directories.
+- `Grep` for dangerous APIs like `child_process`, `eval`, `Function`, `fetch(`, or `axios(` without validation.
+- `Read` diffs around auth flows, credential handling, and new integration points.