Security

Auditing and updating npm dependencies to prevent security vulnerabilities in TypeScript projects

Set up and configure MCP (Model Context Protocol) servers with Claude Code. Use when the user wants to connect Claude Code to external tools, databases, APIs, or services via MCP. Handles HTTP, SSE, and stdio server configurations with proper authentication.

Implement server-side validation with allowlists, specific error messages, type checking, and sanitization to prevent security vulnerabilities and ensure data integrity. Use this skill when creating or editing form request classes, when validating API inputs, when implementing validation rules in controllers or services, when writing client-side validation for user experience, when sanitizing user input to prevent injection attacks, when validating business rules, when implementing error message display, or when ensuring consistent validation across all application entry points.

セキュリティレビュー、RLS確認、認証・認可チェック、脆弱性検出。コードレビューやセキュリティ監査時に使用。

WordPress development best practices - coding standards, custom post types, security, performance, hooks/filters, and template hierarchy. Use for any WordPress theme or plugin development guidance.

WHEN: Code review, quality check, code smell detection, refactoring suggestionsWHAT: Complexity analysis + code smell list + severity-based issues + improvement suggestionsWHEN NOT: Next.js specific → nextjs-reviewer, Security → security-scanner, Performance → perf-analyzer

Guide users through a structured workflow for co-authoring documentation. Use when user wants to write documentation, proposals, technical specs, decision docs, or similar structured content. This workflow helps users efficiently transfer context, refine content through iteration, and verify the doc works for readers. Trigger when user mentions writing docs, creating proposals, drafting specs, or similar documentation tasks.

Least-privilege IAM roles for GKE nodes and workloads. Workload Identity Federation for external authentication and comprehensive audit logging for visibility.

Next.js 15 API route patterns, NextRequest, NextResponse, error handling, maxDuration configuration, authentication, request validation, server-side operations, route handlers, and API endpoint best practices. Use when creating API routes, handling requests, configuring timeouts, or building server-side endpoints.

Proactively investigates Go SSO codebase to understand authentication flows, trace gRPC request paths, analyze clean architecture patterns, and provide comprehensive backend code insights. Use when users ask about SSO implementation, service structure, database queries, or need to understand how authentication/authorization works.

Container security, secret management, compliance, and secure infrastructure.

Package Go CLIs as minimal secure containers with distroless base images. Static binaries, non-root users, read-only filesystems for production.

Lossless image optimization using ImageOptim on macOS. Use when user mentions ImageOptim, asks to optimize images, or invokes /image-optim.

Better Auth authentication library for TypeScript. Covers session management, passkeys, social auth, and organization features. Triggers on better-auth, auth, session, passkey.

Build production-grade FastAPI backends with SQLModel, Dapr integration, and JWT authentication.Use when building REST APIs with Neon PostgreSQL, implementing event-driven microservices withDapr pub/sub, scheduling jobs, or creating CRUD endpoints with JWT/JWKS verification.NOT when building simple scripts or non-microservice architectures.

Expert in managing YouTube content using YouTube Data API v3 and yt-dlp. **Use this skill whenever the user mentions 'YouTube', 'video download', 'playlist', 'YouTube videos', 'download from YouTube', or requests to list playlists, search videos, download videos, manage playlists, or any YouTube-related operations.** Handles authentication via OAuth, listing playlists (including Watch Later and Liked Videos), getting playlist items, downloading videos with yt-dlp, searching videos, getting video details, creating/deleting playlists, and adding/removing videos from playlists. (project, gitignored)

Expert skill for implementing Better Auth with JWT tokens and JWKS (JSON Web Key Set) for secure authentication between Next.js frontend and FastAPI backend. Handles JWT token generation, verification, JWKS endpoint setup, and secure API communication. Includes setup for database integration, session management, and user isolation. Use when implementing authentication between frontend (Next.js) and backend (FastAPI) services with JWT tokens and JWKS.

FastAPI backend development with SQLAlchemy 2.0, Pydantic v2, and async Python. Use for API endpoints, database models, migrations, authentication, and background tasks.

Review code for Next.js 16 compliance - security patterns, caching, breaking changes. Use when reviewing Next.js code, preparing for migration, or auditing for violations.

Generates .env.local file for local development environment variables. Contains developer-specific configuration like API URLs, ports, and feature flags. Gitignored for security.