eng-security-safety
Installation
SKILL.md
Security and Safety Mindset
Intent
- Treat every change as a potential attack surface or failure amplifier.
- Ensure data classification, secret handling, and permission scopes stay compliant.
- Bake safety checks (rate limits, input validation, monitoring) into the design, not after.
Baseline Checklist
- Threat model quickly: Who could abuse this surface? What capabilities do they need? What happens if they succeed?
- Data stewardship: Classify data touched (PII, payments, assets) and enforce encryption, retention, and locality rules.
- Access + identity: Validate authn/authz paths, key rotation, wallet signatures, and privilege escalation barriers.
- Dependency hygiene: Pin versions, verify licenses, review changelogs, and prefer audited libraries/contracts.
- Secrets + config: Never log secrets; store them in the project’s approved secret manager. Guard env var usage.