{ "schemaVersion": "1.0", "item": { "slug": "security-best-practices", "name": "Security Best Practices", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/ivangdavila/security-best-practices", "canonicalUrl": "https://clawhub.ai/ivangdavila/security-best-practices", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/security-best-practices", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-best-practices", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "exceptions.md", "memory-template.md", "remediation-patterns.md", "review-playbook.md", "setup.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/security-best-practices" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/security-best-practices", "agentPageUrl": "https://openagent3.xyz/skills/security-best-practices/agent", "manifestUrl": "https://openagent3.xyz/skills/security-best-practices/agent.json", "briefUrl": "https://openagent3.xyz/skills/security-best-practices/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Setup", "body": "On first use, read setup.md for integration guidelines.\nIf local memory is needed, ask for consent before creating ~/security-best-practices/." }, { "title": "When to Use", "body": "Use this skill for secure-by-default implementation, targeted vulnerability reviews, and prioritized security reports with actionable fixes. Activate when the user requests security guidance, hardening, risk triage, or remediation planning." }, { "title": "Architecture", "body": "Memory lives in ~/security-best-practices/. See memory-template.md for setup.\n\n~/security-best-practices/\n|- memory.md # Stable context, preferences, and activation boundaries\n|- findings-log.md # Findings registry with severity and status\n`- exceptions.md # Approved security exceptions and review dates" }, { "title": "Quick Reference", "body": "Load only the minimum file needed for the current request.\n\nTopicFileSetup processsetup.mdMemory templatememory-template.mdFull review workflowreview-playbook.mdSeverity model and scoringseverity-model.mdSafe remediation patternsremediation-patterns.mdRisk exception logexceptions.md" }, { "title": "1. Establish Scope and Evidence First", "body": "Before any conclusions, confirm:\n\nSystem boundary (service, module, endpoint, or workflow)\nStack evidence (language, framework, deployment context)\nThreat assumptions (external attacker, internal misuse, privilege level)\n\nNo evidence, no finding." }, { "title": "2. Map Risks to a Repeatable Baseline", "body": "Evaluate every review against a consistent baseline:\n\nAuthn/authz boundaries\nInput validation and output encoding\nSecrets handling and configuration safety\nDependency and supply chain posture\nLogging, error handling, and data exposure controls\n\nUse review-playbook.md to keep scans systematic instead of ad hoc." }, { "title": "3. Produce Findings That Are Verifiable", "body": "Each finding must include:\n\nSeverity from severity-model.md\nFile path and line references\nConcrete evidence snippet\nImpact statement in plain language\nMinimal safe fix direction\n\nAvoid speculative findings without repository evidence." }, { "title": "4. Prioritize Exploitability Over Theory", "body": "Rank by practical risk, not by checklist volume:\n\nReachability from untrusted inputs\nPrivilege required by attacker\nBlast radius if exploited\nEase of abuse and repeatability\n\nHigh confidence, exploitable issues come first." }, { "title": "5. Remediate With Minimal Product Risk", "body": "Fix one finding at a time:\n\nPrefer small diffs that preserve existing behavior\nAdd tests when security fixes alter code paths\nFlag expected behavior changes before implementing\nRe-run project validation after each fix batch\n\nUse remediation-patterns.md for safe rollouts." }, { "title": "6. Respect Explicit Exceptions and Ownership", "body": "If the user accepts a known risk:\n\nRecord rationale in exceptions.md\nDefine expiry or next review date\nKeep the exception scoped to the specific context\n\nNever apply broad silent overrides." }, { "title": "Security Review Traps", "body": "Reporting generic best practices without file evidence -> low-trust output that teams cannot action.\nFlooding with low-severity noise -> critical vulnerabilities get ignored.\nProposing major refactors as \"quick fixes\" -> teams reject security work due to delivery risk.\nIgnoring framework defaults and deployment context -> false positives and wrong remediations.\nDeclaring a system \"secure\" after one pass -> hidden regressions remain untested." }, { "title": "Security & Privacy", "body": "Data that leaves your machine:\n\nNone by default from this skill itself.\n\nData that stays local:\n\nReview preferences and finding history in ~/security-best-practices/.\nException rationale in local memory files only.\n\nThis skill does NOT:\n\nExfiltrate source code to undeclared third-party endpoints.\nMark unresolved risks as fixed.\nPerform hidden destructive changes." }, { "title": "Related Skills", "body": "Install with clawhub install if user confirms:\n\nauth - Authentication design and hardening.\nauthorization - Access control and permission boundaries.\nencryption - Key management and cryptographic hygiene.\nfirewall - Network exposure review and policy controls.\ndevops - Secure delivery, CI checks, and operational safeguards." }, { "title": "Feedback", "body": "If useful: clawhub star security-best-practices\nStay updated: clawhub sync" } ], "body": "Setup\n\nOn first use, read setup.md for integration guidelines. If local memory is needed, ask for consent before creating ~/security-best-practices/.\n\nWhen to Use\n\nUse this skill for secure-by-default implementation, targeted vulnerability reviews, and prioritized security reports with actionable fixes. Activate when the user requests security guidance, hardening, risk triage, or remediation planning.\n\nArchitecture\n\nMemory lives in ~/security-best-practices/. See memory-template.md for setup.\n\n~/security-best-practices/\n|- memory.md # Stable context, preferences, and activation boundaries\n|- findings-log.md # Findings registry with severity and status\n`- exceptions.md # Approved security exceptions and review dates\n\nQuick Reference\n\nLoad only the minimum file needed for the current request.\n\nTopic\tFile\nSetup process\tsetup.md\nMemory template\tmemory-template.md\nFull review workflow\treview-playbook.md\nSeverity model and scoring\tseverity-model.md\nSafe remediation patterns\tremediation-patterns.md\nRisk exception log\texceptions.md\nCore Rules\n1. Establish Scope and Evidence First\n\nBefore any conclusions, confirm:\n\nSystem boundary (service, module, endpoint, or workflow)\nStack evidence (language, framework, deployment context)\nThreat assumptions (external attacker, internal misuse, privilege level)\n\nNo evidence, no finding.\n\n2. Map Risks to a Repeatable Baseline\n\nEvaluate every review against a consistent baseline:\n\nAuthn/authz boundaries\nInput validation and output encoding\nSecrets handling and configuration safety\nDependency and supply chain posture\nLogging, error handling, and data exposure controls\n\nUse review-playbook.md to keep scans systematic instead of ad hoc.\n\n3. Produce Findings That Are Verifiable\n\nEach finding must include:\n\nSeverity from severity-model.md\nFile path and line references\nConcrete evidence snippet\nImpact statement in plain language\nMinimal safe fix direction\n\nAvoid speculative findings without repository evidence.\n\n4. Prioritize Exploitability Over Theory\n\nRank by practical risk, not by checklist volume:\n\nReachability from untrusted inputs\nPrivilege required by attacker\nBlast radius if exploited\nEase of abuse and repeatability\n\nHigh confidence, exploitable issues come first.\n\n5. Remediate With Minimal Product Risk\n\nFix one finding at a time:\n\nPrefer small diffs that preserve existing behavior\nAdd tests when security fixes alter code paths\nFlag expected behavior changes before implementing\nRe-run project validation after each fix batch\n\nUse remediation-patterns.md for safe rollouts.\n\n6. Respect Explicit Exceptions and Ownership\n\nIf the user accepts a known risk:\n\nRecord rationale in exceptions.md\nDefine expiry or next review date\nKeep the exception scoped to the specific context\n\nNever apply broad silent overrides.\n\nSecurity Review Traps\nReporting generic best practices without file evidence -> low-trust output that teams cannot action.\nFlooding with low-severity noise -> critical vulnerabilities get ignored.\nProposing major refactors as \"quick fixes\" -> teams reject security work due to delivery risk.\nIgnoring framework defaults and deployment context -> false positives and wrong remediations.\nDeclaring a system \"secure\" after one pass -> hidden regressions remain untested.\nSecurity & Privacy\n\nData that leaves your machine:\n\nNone by default from this skill itself.\n\nData that stays local:\n\nReview preferences and finding history in ~/security-best-practices/.\nException rationale in local memory files only.\n\nThis skill does NOT:\n\nExfiltrate source code to undeclared third-party endpoints.\nMark unresolved risks as fixed.\nPerform hidden destructive changes.\nRelated Skills\n\nInstall with clawhub install if user confirms:\n\nauth - Authentication design and hardening.\nauthorization - Access control and permission boundaries.\nencryption - Key management and cryptographic hygiene.\nfirewall - Network exposure review and policy controls.\ndevops - Secure delivery, CI checks, and operational safeguards.\nFeedback\nIf useful: clawhub star security-best-practices\nStay updated: clawhub sync" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ivangdavila/security-best-practices", "publisherUrl": "https://clawhub.ai/ivangdavila/security-best-practices", "owner": "ivangdavila", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/security-best-practices", "downloadUrl": "https://openagent3.xyz/downloads/security-best-practices", "agentUrl": "https://openagent3.xyz/skills/security-best-practices/agent", "manifestUrl": "https://openagent3.xyz/skills/security-best-practices/agent.json", "briefUrl": "https://openagent3.xyz/skills/security-best-practices/agent.md" } }