Agent skill
security-rules
Ultra Builder Pro security rules
Install this agent skill to your Project
npx add-skill https://github.com/rocky2431/ultra-builder-pro/tree/main/skills/security-rules
SKILL.md
Security Rules
These rules are mandatory for all code review and security-related work.
Input Validation
All external input MUST be validated:
- Syntactic: correct format (email, date, UUID)
- Semantic: valid in business context (start < end, price > 0)
- Validate early, reject invalid input immediately
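The two validation layers above, as an added JavaScript example that is not part of this skill's own SKILL.md. The booking-style fields (`id`, `start`, `end`, `price`), the error codes and the function names are assumptions made for illustration.

```javascript
// Added example: field names (id, start, end, price) and error codes are assumptions.
class ValidationError extends Error {
  constructor(field, code) {
    super(`invalid ${field}: ${code}`); // typed error; never echoes the raw value
    this.name = "ValidationError";
    this.field = field;
    this.code = code;
  }
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Syntactic: strict YYYY-MM-DD that is also a real calendar day.
function parseDate(field, value) {
  const m = typeof value === "string" ? DATE_RE.exec(value) : null;
  if (!m) throw new ValidationError(field, "format");
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC rolls 2024-02-31 over into March, so compare the parts back.
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d)
    throw new ValidationError(field, "not_a_date");
  return dt.getTime();
}

function validateBooking(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input))
    throw new ValidationError("body", "type");
  // Syntactic checks run first and reject immediately.
  if (typeof input.id !== "string" || !UUID_RE.test(input.id))
    throw new ValidationError("id", "format");
  const start = parseDate("start", input.start);
  const end = parseDate("end", input.end);
  if (typeof input.price !== "number" || !Number.isFinite(input.price))
    throw new ValidationError("price", "type");
  // Semantic checks: valid in business context.
  if (!(start < end)) throw new ValidationError("end", "must_be_after_start");
  if (!(input.price > 0)) throw new ValidationError("price", "must_be_positive");
  // Return only the validated fields; anything else the client sent is dropped.
  return { id: input.id.toLowerCase(), start, end, price: input.price };
}

function check(input) {
  try { validateBooking(input); return "ok"; }
  catch (e) { if (e instanceof ValidationError) return `${e.field}:${e.code}`; throw e; }
}

// Constructed sample input.
const SAMPLE = { id: "3f2b8c1e-9d4a-4c6b-8e2f-1a2b3c4d5e6f", start: "2024-03-01", end: "2024-03-05", price: 120 };
```

Because `validateBooking` returns a fresh object with only the checked fields, an extra property such as a client-supplied `role` never reaches the code behind the boundary.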
Forbidden Patterns
| Pattern | Risk | Alternative |
|---|---|---|
| SQL string concatenation | SQL Injection | Parameterized queries ($1, ?) |
| User input → HTML directly | XSS | textContent, sanitizer library |
| Hardcoded secrets/keys | Credential leak | Environment variables, secret manager |
| Trust client-supplied role | Privilege escalation | Derive from session/token server-side |
| Dynamic code evaluation with user input | Code injection | Use safe parsers (JSON.parse, etc.) |
| Regex with user input | ReDoS | Validate/escape regex input |
Required Practices
| Area | Rule |
|---|---|
| SQL | Parameterized queries only |
| Output | Escape/sanitize all user-derived content |
| Auth | Use established auth libraries |
| Secrets | Environment variables or secret manager |
| Sessions | Secure, HttpOnly, SameSite cookies |
| CORS | Explicit allowlist, never wildcard in production |
| File upload | Validate type, size, sanitize filename |
Error Handling Security
- Never expose stack traces to end users
- Never include sensitive data in error messages
- Log security events with sufficient context for investigation
- Use typed errors, not generic messages
Review Checklist
When reviewing code, check for:
- SQL injection vectors (string concatenation in queries)
- XSS vectors (unescaped user input in HTML/templates)
- Hardcoded credentials, API keys, or secrets
- Missing authentication/authorization checks
- Missing input validation on external boundaries
- Insecure direct object references (IDOR)
- Missing rate limiting on sensitive endpoints
- Sensitive data in logs or error messages
- Missing CSRF protection on state-changing operations
- Insecure deserialization