Design layered validation across data flows to prevent bugs and security issues.
The material indicates a prompt/documentation-style skill with no required secrets, no remote endpoints, and no declared execution or data exfiltration capability, so the overall risk is low. Caution mainly comes from limited supply-chain trust signals: no declared license, zero stars, and unknown maintenance, though no concrete red flags are present.
The material explicitly states that no keys or environment variables are required; the README also does not request login, tokens, or credential inputs, and no credential collection, storage, or misuse path is evident.
No remote endpoints are declared, and the content is a validation pattern with illustrative code snippets; it does not describe any network calls, API requests, or transmission of user data to third parties.
This skill is objectively marked as prompt-only; while the README includes illustrative examples such as git init and file checks, they are explanatory snippets and do not show that the skill itself executes processes or code on the local machine.
It does not declare any need to read or write local files, directories, databases, or other resources; the document only discusses layered validation concepts, with no sign of actual data-access permissions or overbroad authorization.
The source is on GitHub and open-source, which is a positive auditability signal; however, the repository has no declared license, zero stars, and unknown maintenance status, so community trust and maintenance signals are weak and warrant caution.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "Defense-in-Depth Validation" skill from askskill: 1. Download https://raw.githubusercontent.com/obra/clank/main/skills/debugging/defense-in-depth/SKILL.md 2. Save it as ~/.claude/skills/defense-in-depth/SKILL.md 3. Reload skills and tell me it's ready
Design a defense-in-depth validation plan for a user registration API across four layers: frontend form, API gateway, backend service, and database. List which fields each layer should validate, the rules, error handling, and how to avoid duplication and gaps.
A layered validation blueprint with responsibilities, rules, and error-handling guidance for each layer.
We currently validate parameters only in the backend. Audit an order creation flow for missing validation points across the frontend, API layer, service layer, and database layer. Rank them by risk and suggest improvements.
A risk-ranked report of validation gaps with actionable recommendations to strengthen them.
Using a defense-in-depth validation approach, generate test cases for a payment request covering valid inputs, boundary values, malicious inputs, type errors, duplicate requests, and database constraint conflicts. Explain how each layer should respond.
A test suite covering multilayer validation scenarios, including expected responses and failure handling.
When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.
Core principle: Validate at EVERY layer data passes through. Make the bug structurally impossible.
Single validation: "We fixed the bug" Multiple layers: "We made the bug impossible"
Different layers catch different cases:
Purpose: Reject obviously invalid input at API boundary
function createProject(name: string, workingDirectory: string) {
if (!workingDirectory || workingDirectory.trim() === '') {
throw new Error('workingDirectory cannot be empty');
}
if (!existsSync(workingDirectory)) {
throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
}
if (!statSync(workingDirectory).isDirectory()) {
throw new Error(`workingDirectory is not a directory: ${workingDirectory}`);
}
// ... proceed
}
Purpose: Ensure data makes sense for this operation
function initializeWorkspace(projectDir: string, sessionId: string) {
if (!projectDir) {
throw new Error('projectDir required for workspace initialization');
}
// ... proceed
}
Purpose: Prevent dangerous operations in specific contexts
async function gitInit(directory: string) {
// In tests, refuse git init outside temp directories
if (process.env.NODE_ENV === 'test') {
const normalized = normalize(resolve(directory));
const tmpDir = normalize(resolve(tmpdir()));
if (!normalized.startsWith(tmpDir)) {
throw new Error(
`Refusing git init outside temp dir during tests: ${directory}`
);
}
}
// ... proceed
}
Purpose: Capture context for forensics
async function gitInit(directory: string) {
const stack = new Error().stack;
logger.debug('About to git init', {
directory,
cwd: process.cwd(),
stack,
});
// ... proceed
}
When you find a bug:
Bug: Empty projectDir caused git init in source code
Data flow:
Project.create(name, '')WorkspaceManager.createWorkspace('')git init runs in process.cwd()Four layers added:
Project.create() validates not empty/exists/writableWorkspaceManager validates projectDir not emptyWorktreeManager refuses git init outside tmpdir in testsResult: All 1847 tests passed, bug impossible to reproduce
All four layers were necessary. During testing, each layer caught bugs the others missed:
Don't stop at one validation point. Add checks at every layer.
Compare 2-3 approaches before execution to choose a stronger solution.
Write evergreen comments focused on what and why, not historical context.
Search past Claude Code chats to recover facts, decisions, and context.
Design systems by hiding implementation details behind domain-level interfaces.
Plan with pseudocode first, refine approaches, then translate into working code.
Helps developers keep class abstractions cohesive and free of unrelated responsibilities.
Validate external inputs to prevent errors, failures, and security issues.
Validate router and switch configs before deployment to catch security and network risks.
Validate Azure deployment readiness across config, infrastructure, identities, and permissions.
Review an analysis for methodology, accuracy, bias, and evidence support.
Automatically profile data, infer validation rules, and generate health scores.
Validate, transform, and deduplicate data in one chained command.