
@securityreviewai/secure-coding-skill v0.3.0

Claude Code agent skill for secure coding across 15 stacks: 10 web frameworks (Spring, Django, Flask, FastAPI, Rails, React, Vue, Angular, Go, ASP.NET), 4 languages (C, C++, TypeScript, C#), and Terraform. Install via npx.

Readme

@securityreviewai/secure-coding-skill

A Claude Code agent skill that teaches Claude language- and framework-specific secure-coding practices across 15 popular stacks. Install it once and Claude will apply the right guidance every time you write, review, or refactor code in any of these.

Covered:

Web frameworks

  • Java Spring / Spring Boot
  • Python Django
  • Python Flask
  • Python FastAPI
  • Ruby on Rails
  • React (incl. Next.js)
  • Vue (incl. Nuxt)
  • Angular
  • Go (net/http, Gin, Echo, Fiber, Chi)
  • ASP.NET (Core, MVC, Web API, Razor, Blazor)

Languages

  • C (C99–C23, systems / embedded / kernel-adjacent)
  • C++ (C++17/20/23)
  • TypeScript (Node/Express/NestJS/Fastify/Deno/Bun + shared frontend)
  • C# language (non-web: console, services, desktop, libraries)

Infrastructure as Code

  • Terraform / OpenTofu (AWS, Azure, GCP)

Install

Recommended — via skills CLI (vercel-labs/skills)

The skills CLI is the open agent-skills package manager. It works with Claude Code, Cursor, Codex, OpenCode, and 40+ other agents, handles updates, and supports symlinks so one canonical copy is reused across agents.

# Global (to ~/.claude/skills)
npx skills add securityreviewai/secure-coding-skill -g

# Project-local (to ./.claude/skills, committable)
npx skills add securityreviewai/secure-coding-skill

# Target specific agents
npx skills add securityreviewai/secure-coding-skill -a claude-code
npx skills add securityreviewai/secure-coding-skill -a claude-code -a cursor -a codex

# Non-interactive (CI-friendly)
npx skills add securityreviewai/secure-coding-skill -g -a claude-code -y

Update and remove:

npx skills update secure-coding
npx skills remove secure-coding

Alternative — standalone installer via npx

If you don't want the skills CLI, this package also ships a self-contained installer:

# Per-user (to ~/.claude/skills/secure-coding)
npx @securityreviewai/secure-coding-skill

# Per-project (to ./.claude/skills/secure-coding)
npx @securityreviewai/secure-coding-skill --project

# Custom location
npx @securityreviewai/secure-coding-skill --dest /path/to/skills

# Uninstall
npx @securityreviewai/secure-coding-skill --uninstall
npx @securityreviewai/secure-coding-skill --uninstall --project

# Dry-run (prints actions, writes nothing)
npx @securityreviewai/secure-coding-skill --dry-run

After install (either method), restart Claude Code (or reload your project) so the skill is picked up.

What it does

Once installed, Claude consults the skill whenever you:

  • add a new endpoint, form handler, or route (web frameworks)
  • handle user input, query a database, or render user-controlled content
  • configure auth, session cookies, CORS, or security headers
  • process file uploads or fetch URLs on behalf of the user (SSRF surface)
  • deserialize data, call eval/Function/vm, or run a subprocess with user input
  • write systems code in C/C++ that allocates memory, copies buffers, parses untrusted bytes, or calls system/exec
  • tighten tsconfig.json or validate inputs at a TypeScript trust boundary (Zod / class-validator / Valibot)
  • work with crypto APIs, secrets, HMAC comparisons, or random number generation in any language
  • define cloud resources, IAM policies, security groups, or state backends in Terraform / OpenTofu
  • review a PR in any of the covered stacks

The skill directs Claude to load the right reference (e.g., references/python-django.md, references/cpp.md, references/terraform.md) and apply concrete, idiomatic patterns — not generic OWASP advice.

Structure

skills/secure-coding/
├── SKILL.md                              # triggers + reference selection
└── references/
    ├── java-spring.md                    # Spring / Spring Boot
    ├── python-django.md                  # Django
    ├── python-flask.md                   # Flask
    ├── python-fastapi.md                 # FastAPI
    ├── ruby-on-rails.md                  # Rails
    ├── react.md                          # React (incl. Next.js)
    ├── vue.md                            # Vue (incl. Nuxt)
    ├── angular.md                        # Angular
    ├── go.md                             # Go (net/http, Gin, Echo, Fiber, Chi)
    ├── aspnet.md                         # ASP.NET (Core, MVC, Web API, Razor, Blazor)
    ├── c.md                              # C (C99–C23)
    ├── cpp.md                            # C++ (C++17/20/23)
    ├── typescript.md                     # TypeScript (Node + shared frontend)
    ├── csharp.md                         # C# language (non-web)
    └── terraform.md                      # Terraform / OpenTofu (AWS / Azure / GCP)

Web-framework references (Spring, Django, Flask, FastAPI, Rails, React, Vue, Angular, Go, ASP.NET) cover the same categories — injection, authn/authz, CSRF, XSS, CORS, secrets, crypto, file upload, deserialization, SSRF, security headers, logging, dependencies, framework-specific footguns — tailored to each framework's APIs and defaults.

Language references (C, C++, TypeScript, C#) focus on issues that transcend frameworks: memory safety (buffer overflows, UAF, integer overflow, format strings), type safety at trust boundaries, crypto API usage, subprocess execution, compiler/linker hardening, and language-specific footguns like C++ slicing, TypeScript as-casts that lie, or C# BinaryFormatter / Newtonsoft.Json TypeNameHandling RCE surfaces.

The Terraform reference focuses on IaC-specific concerns: secrets in .tf/state, public-resource misconfigurations (S3, security groups, firewalls), IAM wildcards and trust-policy Condition blocks, encryption-at-rest/in-transit defaults, provider/module pinning, dangerous provisioners, and policy-as-code in CI (tfsec, checkov, trivy config).

When multiple stacks apply (e.g., a React+TypeScript frontend with a Django backend deployed via Terraform), Claude loads each relevant reference rather than picking just one.

Requirements

  • Claude Code (or any Claude client that loads agent skills from ~/.claude/skills/ or ./.claude/skills/)
  • Node.js ≥ 14 (only for npx install; the skill itself is plain Markdown)

License

MIT