Does this skill help with Stripe webhook security?

Yes, it provides specific protocols for signature verification using constructEventWithSecret, checking replay windows, and ensuring idempotency for state-changing operations.

What are the 16 security invariants?

These are a standardized set of rules covering server-side isolation, authentication, input validation, output safety, data safety, and supply chain integrity that every route must satisfy.

Can it prevent XSS in email templates?

Absolutely. It requires all user-provided strings to be passed through a shared escapeHtml utility and mandates testing with XSS payloads in user-controlled fields.

How does it handle environment variable safety?

It mandates that all environment variables are routed through a validation layer (src/lib/env.ts) and synchronized across Vercel, GitHub, and local environments.

Security Posture & API Safety

Name: Security Posture & API Safety
Author: Undercurrent-Studio

byUndercurrent-Studio

0•

セキュリティとテスト

Enforces 16 critical security invariants across API boundaries, authentication flows, and data handling to ensure production-grade security.

The Security Posture skill provides a comprehensive safety framework for Claude, mandating 16 specific invariants for every API route, user input handler, and data boundary. It automates security reviews by enforcing server-side isolation, strict environment variable validation via Zod, and robust protection against common vulnerabilities like SQL injection, XSS, and CSRF. Whether you are implementing Stripe webhooks, building dashboard routes, or managing Row Level Security (RLS), this skill ensures that every code change adheres to a unified security contract, preventing silent auth bypasses and sensitive data leaks.

主な機能

0116-point security invariant enforcement for all API routes

02Server-side isolation and environment variable synchronization

03Comprehensive XSS prevention and HTML escaping for email templates

04Secure webhook implementation patterns with signature verification

05Automated Zod schema validation for user-provided data

060 GitHub stars

ユースケース

01Setting up secure third-party integrations like Stripe and email providers

02Conducting security audits on existing data boundaries and RLS policies

03Hardening new API routes against unauthorized access and CSRF attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add undercurrent-studio/undercurrent-cortex security-posture

For use in Claude.ai and ChatGPT

主な機能

0116-point security invariant enforcement for all API routes

02Server-side isolation and environment variable synchronization

03Comprehensive XSS prevention and HTML escaping for email templates

04Secure webhook implementation patterns with signature verification

05Automated Zod schema validation for user-provided data

060 GitHub stars

ユースケース

01Setting up secure third-party integrations like Stripe and email providers

02Conducting security audits on existing data boundaries and RLS policies

03Hardening new API routes against unauthorized access and CSRF attacks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add undercurrent-studio/undercurrent-cortex security-posture

For use in Claude.ai and ChatGPT