A Claude Code agent skill that teaches Claude language- and framework-specific secure-coding practices across 15 popular stacks. Install it once and Claude will apply the right guidance every time you write, review, or refactor code in any of these.
Covered:
Web frameworks
- Java Spring / Spring Boot
- Python Django
- Python Flask
- Python FastAPI
- Ruby on Rails
- React (incl. Next.js)
- Vue (incl. Nuxt)
- Angular
- Go (net/http, Gin, Echo, Fiber, Chi)
- ASP.NET (Core, MVC, Web API, Razor, Blazor)
Languages
- C (C99–C23, systems / embedded / kernel-adjacent)
- C++ (C++17/20/23)
- TypeScript (Node/Express/NestJS/Fastify/Deno/Bun + shared frontend)
- C# language (non-web: console, services, desktop, libraries)
Infrastructure as Code
- Terraform / OpenTofu (AWS, Azure, GCP)
The skills CLI is the open agent-skills package manager. It works with Claude Code, Cursor, Codex, OpenCode, and 40+ other agents, handles updates, and supports symlinks so one canonical copy is reused across agents.
# Global (to ~/.claude/skills)
npx skills add securityreviewai/secure-coding-skill -g
# Project-local (to ./.claude/skills, committable)
npx skills add securityreviewai/secure-coding-skill
# Target specific agents
npx skills add securityreviewai/secure-coding-skill -a claude-code
npx skills add securityreviewai/secure-coding-skill -a claude-code -a cursor -a codex
# Non-interactive (CI-friendly)
npx skills add securityreviewai/secure-coding-skill -g -a claude-code -yUpdate and remove:
npx skills update secure-coding
npx skills remove secure-codingIf you don't want the skills CLI, this package also ships a self-contained installer:
# Per-user (to ~/.claude/skills/secure-coding)
npx @securityreviewai/secure-coding-skill
# Per-project (to ./.claude/skills/secure-coding)
npx @securityreviewai/secure-coding-skill --project
# Custom location
npx @securityreviewai/secure-coding-skill --dest /path/to/skills
# Uninstall
npx @securityreviewai/secure-coding-skill --uninstall
npx @securityreviewai/secure-coding-skill --uninstall --project
# Dry-run (prints actions, writes nothing)
npx @securityreviewai/secure-coding-skill --dry-runAfter install (either method), restart Claude Code (or reload your project) so the skill is picked up.
Once installed, Claude consults the skill whenever you:
- add a new endpoint, form handler, or route (web frameworks)
- handle user input, query a database, or render user-controlled content
- configure auth, session cookies, CORS, or security headers
- process file uploads or fetch URLs on behalf of the user (SSRF surface)
- deserialize data, call
eval/Function/vm, or run a subprocess with user input - write systems code in C/C++ that allocates memory, copies buffers, parses untrusted bytes, or calls
system/exec - tighten
tsconfig.jsonor validate inputs at a TypeScript trust boundary (Zod / class-validator / Valibot) - work with crypto APIs, secrets, HMAC comparisons, or random number generation in any language
- define cloud resources, IAM policies, security groups, or state backends in Terraform / OpenTofu
- review a PR in any of the covered stacks
The skill directs Claude to load the right reference (e.g., references/python-django.md, references/cpp.md, references/terraform.md) and apply concrete, idiomatic patterns — not generic OWASP advice.
skills/secure-coding/
├── SKILL.md # triggers + reference selection
└── references/
├── java-spring.md # Spring / Spring Boot
├── python-django.md # Django
├── python-flask.md # Flask
├── python-fastapi.md # FastAPI
├── ruby-on-rails.md # Rails
├── react.md # React (incl. Next.js)
├── vue.md # Vue (incl. Nuxt)
├── angular.md # Angular
├── go.md # Go (net/http, Gin, Echo, Fiber, Chi)
├── aspnet.md # ASP.NET (Core, MVC, Web API, Razor, Blazor)
├── c.md # C (C99–C23)
├── cpp.md # C++ (C++17/20/23)
├── typescript.md # TypeScript (Node + shared frontend)
├── csharp.md # C# language (non-web)
└── terraform.md # Terraform / OpenTofu (AWS / Azure / GCP)
Web-framework references (Spring, Django, Flask, FastAPI, Rails, React, Vue, Angular, Go, ASP.NET) cover the same categories — injection, authn/authz, CSRF, XSS, CORS, secrets, crypto, file upload, deserialization, SSRF, security headers, logging, dependencies, framework-specific footguns — tailored to each framework's APIs and defaults.
Language references (C, C++, TypeScript, C#) focus on issues that transcend frameworks: memory safety (buffer overflows, UAF, integer overflow, format strings), type safety at trust boundaries, crypto API usage, subprocess execution, compiler/linker hardening, and language-specific footguns like C++ slicing, TypeScript as-casts that lie, or C# BinaryFormatter / Newtonsoft.Json TypeNameHandling RCE surfaces.
The Terraform reference focuses on IaC-specific concerns: secrets in .tf/state, public-resource misconfigurations (S3, security groups, firewalls), IAM wildcards and trust-policy Condition blocks, encryption-at-rest/in-transit defaults, provider/module pinning, dangerous provisioners, and policy-as-code in CI (tfsec, checkov, trivy config).
When multiple stacks apply (e.g., a React+TypeScript frontend with a Django backend deployed via Terraform), Claude loads each relevant reference rather than picking just one.
- Claude Code (or any Claude client that loads agent skills from
~/.claude/skills/or./.claude/skills/) - Node.js ≥ 14 (only for
npxinstall; the skill itself is plain Markdown)
MIT