Initial commit

.claude-plugin/plugin.json

@@ -0,0 +1,12 @@
+{
+  "name": "airbot-security",
+  "description": "Security checklist and guidance for AIRBot reviews.",
+  "version": "0.1.0",
+  "author": {
+    "name": "AIRBot Team",
+    "email": "zhongweili@tubi.tv"
+  },
+  "skills": [
+    "./skills"
+  ]
+}

README.md

@@ -0,0 +1,3 @@
+# airbot-security
+
+Security checklist and guidance for AIRBot reviews.

plugin.lock.json

@@ -0,0 +1,45 @@
+{
+  "$schema": "internal://schemas/plugin.lock.v1.json",
+  "pluginId": "gh:sids/airbot:plugins/airbot-security",
+  "normalized": {
+    "repo": null,
+    "ref": "refs/tags/v20251128.0",
+    "commit": "8186b9e64de8bc9c6434d8d5ccc786e57b8f41a6",
+    "treeHash": "0156e195f83555a779cf3af2bf0a57780c4666d55ebd2a0d253875e29ffba4c1",
+    "generatedAt": "2025-11-28T10:28:20.747407Z",
+    "toolVersion": "publish_plugins.py@0.2.0"
+  },
+  "origin": {
+    "remote": "git@github.com:zhongweili/42plugin-data.git",
+    "branch": "master",
+    "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+    "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+  },
+  "manifest": {
+    "name": "airbot-security",
+    "description": "Security checklist and guidance for AIRBot reviews.",
+    "version": "0.1.0"
+  },
+  "content": {
+    "files": [
+      {
+        "path": "README.md",
+        "sha256": "dc24c9bce594a52db8ab40bd6aced72a5ee373e4158172f02e81bd4d7c59dcb6"
+      },
+      {
+        "path": ".claude-plugin/plugin.json",
+        "sha256": "eaea33f9e2db19850224dc148f633b3b5a3bf1b7cf3838b88022776f9b0aaeff"
+      },
+      {
+        "path": "skills/security-checklist/SKILL.md",
+        "sha256": "e79a6bf15eb36cfff017781aebaa41917b193a4137048452db224c722905a6ef"
+      }
+    ],
+    "dirSha256": "0156e195f83555a779cf3af2bf0a57780c4666d55ebd2a0d253875e29ffba4c1"
+  },
+  "security": {
+    "scannedAt": null,
+    "scannerVersion": null,
+    "flags": []
+  }
+}

skills/security-checklist/SKILL.md

@@ -0,0 +1,33 @@
+---
+name: security-checklist
+description: Security review guardrails for AIRBot
+license: MIT
+---
+
+## Mission
+- Detect vulnerabilities, data leaks, and insecure defaults in Node.js/TypeScript services and tooling.
+- Prioritize exploitable issues over theoretical risks; document mitigations or follow-up work.
+
+## High-Priority Findings
+- Exposed secrets: `.env`, tokens, keys, or credentials added to source or logs.
+- Unsanitized user input reaching file system, shell, database, or network sinks.
+- Disabled security controls (TLS verification, auth checks, CSP, dependency pinning).
+- Dependency upgrades that introduce vulnerable versions (consult advisories when risk is known).
+
+## Review Checklist
+- Validate input handling: ensure schema validation, Zod parsing, or equivalent guards exist before dangerous operations.
+- Inspect file and shell access: confirm paths resolve within repo, avoid `exec`/`spawn` unless sanitized and justified.
+- Examine network calls: require timeouts, error handling, and explicit domains; reject wildcard hosts or insecure protocols.
+- Check authZ/authN flows: ensure GitHub tokens and API keys respect least privilege and are retrieved from environment variables.
+- Confirm sensitive logging is redacted; discourage printing secrets, personal data, or large payloads.
+- Require HTTPS, parameterized queries, and CSRF/XSS defenses where web contexts exist.
+
+## Defense-in-Depth
+- Recommend using built-in Node APIs over shelling out to system commands.
+- Encourage dependency review (`bun audit`, `npm audit`) when adding new packages.
+- Promote feature flags or kill switches for risky rollouts.
+
+## Tooling Tips
+- Use `Glob` to locate `*.env`, `config`, or `scripts` directories.
+- `Grep` for dangerous APIs like `child_process`, `eval`, `Function`, `fetch(`, or `axios(` without validation.
+- `Read` diffs around auth flows, credential handling, and new integration points.