Security-First-Design Skill
Auto-activate when: User mentions authentication, authorization, API security, sensitive data, user input, secrets management, encryption, security review, or when working with .env$ (actual env files, not examples), credentials.json, secrets.yaml, API keys, authentication systems, or security-critical features.
Systematically evaluate security implications before implementation.
When to Activate
- •Designing new authentication/authorization systems
- •Building APIs that handle sensitive data
- •Implementing user input handling
- •Reviewing security concerns in existing code
- •Planning features with security requirements
Framework
Five-phase security analysis framework:
- •Attack Surface Mapping - Identify all external inputs, resource access, privileges, data handling, and authentication needs
- •Threat Modeling - Evaluate injection attacks, authentication bypass, authorization bypass, data exposure, and denial of service vectors
- •Secret Management Audit - Verify API keys, credentials, .gitignore rules, logging, and encryption
- •Input Validation Design - Establish whitelist validation, type/length/format checks, sanitization, and escaping
- •Security Checklist - Verify no secrets in code, input validation coverage, least privilege, safe error messages, dependency scanning, and documented risks
Usage
Apply this framework when security is a primary design concern. Work through phases sequentially, documenting findings and mitigations at each stage.