Review Python, JS/TS, and Go code for security best practices.
This is an open-source, prompt-only security review skill with no indicated need for secrets, network access, or local code execution. Given its GitHub source and strong community adoption, the overall risk is low, with only routine attention needed for content freshness and maintenance.
The materials explicitly state that no keys or environment variables are required, and the README does not request any API token, account credential, or sensitive environment variable. No clear credential leakage or abuse surface is shown.
The system flags this as prompt-only and lists no remote host endpoints; the documentation does not declare any fixed external service connection. The README's note that one may 'try to search online' when unsure reads more like behavioral guidance than an integrated egress path, so no definite data exfiltration design is shown.
This skill is essentially guidance and review logic for security best practices, and it does not describe starting local processes, running scripts, installing dependencies, or invoking system commands. Based on the provided materials, it does not appear to have additional code-execution privileges.
The README mentions inspecting the current context, project scope, and the skill's references directory to identify languages/frameworks and consult documentation. This is prompt-level reading guidance and does not declare direct read/write access to arbitrary local files, databases, or other sensitive resources, nor does it request excessive permissions.
The source is the GitHub repository openai/skills, and the system marks it as open-source with roughly 22k stars, making the code auditable and the source relatively trustworthy. The license and maintenance status are not clearly stated and are worth monitoring, but they do not justify a higher risk level based on the current materials.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-best-practices" skill from askskill: 1. Download https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-best-practices/SKILL.md 2. Save it as ~/.claude/skills/security-best-practices/SKILL.md 3. Reload skills and tell me it's ready
This skill provides a description of how to identify the language and frameworks used by the current context, and then to load information from this skill's references directory about the security best practices for this language and or frameworks.
This information, if present, can be used to write new secure by default code, or to passively detect major issues within existing code, or (if requested by the user) provide a vulnerability report and suggest fixes.
The initial step for this skill is to identify ALL languages and ALL frameworks which you are being asked to use or already exist in the scope of the project you are working in. Focus on the primary core frameworks. Often you will want to identify both frontend and backend languages and frameworks.
Then check this skill's references directory to see if there are any relevant documentation for the language and or frameworks. Make sure you read ALL reference files which relate to the specific framework or language. The format of the filenames is <language>-<framework>-<stack>-security.md. You should also check if there is a <language>-general-<stack>-security.md which is agnostic to the framework you may be using.
If working on a web application which includes a frontend and a backend, make sure you have checked for reference documents for BOTH the frontend and backend!
If you are asked to make a web app which will include both a frontend and backend, but the frontend framework is not specified, also check out javascript-general-web-frontend-security.md. It is important that you understand how to secure both the frontend and backend.
If no relevant information is available in the skill's references directory, think a little bit about what you know about the language, the framework, and all well known security best practices for it. If you are unsure you can try to search online for documentation on security best practices.
From there it can operate in a few ways.
The primary mode is to just use the information to write secure by default code from this point forward. This is useful for starting a new project or when writing new code.
The secondary mode is to passively detect vulnerabilities while working in the project and writing code for the user. Critical or very important vulnerabilities or major issues going against security guidance can be flagged and the user can be told about them. This passive mode should focus on the largest impact vulnerabilities and secure defaults.
The user can ask for a security report or to improve the security of the codebase. In this case a full report should be produced describe anyways the project fails to follow security best practices guidance. The report should be prioritized and have clear sections of severity and urgency. Then offer to start working on fixes for these issues. See #fixes below.
references/, load only the relevant files and follow their instructions.…
Prepare agendas, pre-reads, and meeting materials using Notion context and research.
Build, review, refactor, and architect modern ASP.NET Core web applications.
Capture full-screen, window, or region screenshots at the operating system level.
Analyze a codebase for threats, abuse paths, and mitigations in Markdown.
Interact with persistent browsers and Electron apps for fast iterative UI debugging.
Deploy, publish, and host apps and infrastructure on Cloudflare services.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Review architecture or code for security risks, vulnerabilities, and compliance issues.
Review and improve code security with current OWASP best practices
Review code deeply across correctness, tests, security, performance, and product quality.
Run an end-to-end Power Pages security review with a consolidated HTML report.
Review repositories in natural language for security, performance, and code quality issues