How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does secure support?

secure works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is secure free to use?

Yes. secure is free to install and use. It is available from the open explainx.ai skill registry published by whawkinsiv.

Where can I read ratings and reviews for secure?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install secure?

Run `npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure` in your terminal. You need to have run `npx skills init` once in your project first.

Productivity

secure▌

whawkinsiv/claude-code-superpowers · updated Apr 8, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure

0 commentsdiscussion

summary

This skill is for securing your app's code and data. For regulatory compliance (HIPAA, SOC 2, GDPR), use compliance. For pre-launch readiness checks, use go-live. For environment variable setup during deployment, use deploy. For database-level security (Row Level Security), use database.

skill.md

Security

This skill is for securing your app's code and data. For regulatory compliance (HIPAA, SOC 2, GDPR), use compliance. For pre-launch readiness checks, use go-live. For environment variable setup during deployment, use deploy. For database-level security (Row Level Security), use database.

Don't Do Yet

Don't implement OAuth/SSO until you have paying customers who need it. Email + password is fine for launch.
Don't buy a pentest until you have 1,000+ users or handle sensitive data (health, finance). This checklist is enough for MVP.
Don't set up a Web Application Firewall (WAF) — your hosting platform (Vercel, Railway) handles this. You don't need Cloudflare yet.
Don't build your own auth system. Use Supabase Auth, Clerk, or NextAuth. Rolling your own is how breaches happen.

Quick Start

Claude Code:

Run a security audit on my app. Check for:
- API keys or secrets in code (should be in .env)
- Missing auth on protected routes
- SQL injection risks
- XSS vulnerabilities
- Missing rate limiting
Fix anything you find.

Lovable / Replit / Cursor (paste into chat):

Review my app for security issues. Check these common problems:
1. Are any API keys or passwords hardcoded? Move them to environment variables.
2. Can someone access pages without logging in? Add auth checks.
3. Is user input validated before hitting the database?
4. Are passwords hashed (not stored as plain text)?
5. Is rate limiting set up on API endpoints?
Show me what needs fixing and fix it.

Security Checklist

Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)

See COMMON-VULNS.md for detailed checks.

Critical: Never Store These in Code

Move to environment variables:

Database passwords
API keys (Stripe, SendGrid, etc)
JWT secrets
OAuth client secrets
Encryption keys

Tell AI:

Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY

Authentication

Use a service. Don't build this yourself.

If you use...	Auth solution
Supabase	Supabase Auth (built in)
Next.js	NextAuth.js or Clerk
Lovable	Supabase Auth (Lovable's default)
Replit	Replit Auth or Supabase

If you must build auth yourself (not recommended), the minimums are:

Passwords: 8+ chars, hashed with bcrypt (12 rounds), never stored plain text
Email verification required for signups
Password reset via email token only
Sessions expire after 30-60 minutes idle

Tell AI:

Set up authentication using [Supabase Auth / NextAuth / Clerk].
I need: email+password signup, email verification, password reset,
and session timeout after 30 minutes of inactivity.

See SECURITY-PROMPTS.md for implementation details.

Data Protection

Always encrypt:

Passwords (hashed, not encrypted)
Payment info (use Stripe, don't store cards)
Personal identifiable information (PII)

Never log:

Passwords (even hashed)
Credit card numbers
API keys
Session tokens

Tell AI:

Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.

API Security

Required for all API endpoints:

Authentication check
Rate limiting (prevent abuse)
Input validation
Error messages don't leak info

Tell AI:

Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)

Common Vulnerabilities

Most common in AI-built apps:

Exposed API keys - In code instead of .env
No rate limiting - APIs can be spammed
Missing auth checks - Routes accessible without login
SQL injection - Raw SQL with user input
XSS attacks - Unescaped user content displayed

See COMMON-VULNS.md for how to check.

Security Prompts for AI

Adding authentication:

Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.

Rate limiting:

Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed

Input validation:

Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message

See SECURITY-PROMPTS.md for more.

Pre-Launch Security Review

Before deploying:

Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")

When to Get Security Audit

Signs you need expert review:

Handling payments directly (not Stripe)
Storing health/financial data
Multi-tenant with data isolation
Over 1,000 users
Processing sensitive PII

For most MVPs: Following this checklist is sufficient.

Common Founder Mistakes

Mistake	Fix
API keys in code	Move to .env
No rate limiting	Add to all endpoints
Plain text passwords	Use bcrypt
HTTP in production	Force HTTPS
Accepting all CORS	Whitelist domains
No input validation	Validate server-side
Detailed error messages	Generic messages only

Quick Wins

Easy security improvements:

Add Helmet.js (Node) - Sets security headers
Use HTTPS everywhere - Force in production
Add rate limiting - Prevents abuse
Environment variables - Keep secrets safe
Update dependencies - Fix known vulnerabilities

Tell AI:

Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).

Testing Security

Quick checks:

Exposed secrets:

grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars

No auth bypass:

Try accessing protected routes without login
Should redirect to login or return 401

Rate limiting works:

Hit API endpoint 100 times quickly
Should get 429 error

Success Looks Like

✅ No secrets in code (all in .env) ✅ Can't access protected routes without auth ✅ Passwords hashed, never stored plain text ✅ Rate limiting prevents abuse ✅ HTTPS enforced in production ✅ Input validated on server side

Related Skills

compliance — Regulatory requirements (HIPAA, SOC 2, GDPR, CCPA)
go-live — Pre-launch readiness checks (security is one part of this)
deploy — Hosting and environment variable setup
database — Row Level Security, data access policies
payments — Stripe security and PCI compliance

how to use secure

How to use secure on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your development machine
›Node.js version 16.0+ with npm package manager (verify with node --version)
›Active project directory or workspace where you want to add secure

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/whawkinsiv/claude-code-superpowers --skill secure

The skills CLI fetches secure from GitHub repository whawkinsiv/claude-code-superpowers and configures it for Cursor.

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ── always included ────

│ • Amp

│ • Antigravity

│ • Cline

│ • Codex

│ ●Cursor(selected)

│ • Cursor

│ • Windsurf

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/secure

Reload or restart Cursor to activate secure. Access the skill through slash commands (e.g., /secure) or your agent's skill management interface.

⚠

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

›View source code on GitHub ›Skills CLI documentation ›Learn more about Cursor ›What are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases▌

User Story & Requirements Generation

Create detailed user stories, acceptance criteria, and feature specs

Example

Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios

✓

Reduce spec writing time by 50%, ensure comprehensive coverage

Competitive Analysis

Research competitors, compare features, identify gaps

Example

Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities

✓

Complete competitive research in 2 hours instead of 2 days

Roadmap Prioritization

Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs

Example

Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale

✓

Make data-driven prioritization decisions faster

Stakeholder Communication

Draft PRDs, status updates, and stakeholder presentations

Example

Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement

✓

Save 3-5 hours/week on communication overhead

Implementation Guide▌

Prerequisites

›Claude Desktop or compatible AI client
›Access to product documentation and roadmap tools (Jira, Notion, etc.)
›Understanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
›Stakeholder contact information and communication channels

Time Estimate

30-60 minutes to see productivity improvements

Installation Steps

1.Install product management skill
2.Start with user story generation for known feature
3.Progress to competitive analysis: research 2-3 competitors
4.Use for roadmap prioritization: apply RICE/ICE scoring
5.Draft stakeholder communications and refine based on feedback
6.Build template library for recurring PM tasks
7.Share effective prompts with product team

Common Pitfalls

⚠Not validating competitive research—verify facts before sharing
⚠Accepting user stories without involving engineering team
⚠Over-relying on frameworks without qualitative judgment
⚠Not customizing outputs to company culture and communication style
⚠Skipping stakeholder validation of generated requirements

Best Practices▌

✓ Do

+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition

✗ Don't

−Don't publish competitive analysis without fact-checking
−Don't finalize user stories without engineering review
−Don't make prioritization decisions solely on AI scoring
−Don't skip customer validation of generated requirements
−Don't ignore company-specific context and culture

💡 Pro Tips

★Provide context: company goals, constraints, customer feedback
★Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
★Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
★Use skill for 70% generation + 30% customization to company needs

When to Use This▌

✓ Use When

Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.

✗ Avoid When

Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.

Learning Path▌

1Basic: user stories, feature specs, status updates
2Intermediate: competitive analysis, prioritization frameworks, PRDs
3Advanced: product strategy, go-to-market planning, OKR setting
4Expert: product vision, market positioning, business model innovation

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.5★★★★★55 reviews

★★★★★Sofia Khan· Dec 20, 2024
secure fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Ganesh Mohane· Dec 12, 2024
Solid pick for teams standardizing on skills: secure is focused, and the summary matches what you get after install.
★★★★★Meera Abbas· Dec 8, 2024
Solid pick for teams standardizing on skills: secure is focused, and the summary matches what you get after install.
★★★★★Benjamin Reddy· Dec 8, 2024
secure is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Benjamin Taylor· Dec 4, 2024
Registry listing for secure matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Sofia Perez· Nov 27, 2024
We added secure from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Omar Bhatia· Nov 23, 2024
Useful defaults in secure — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Diya Abbas· Nov 11, 2024
secure has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Omar Khanna· Nov 11, 2024
Useful defaults in secure — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Rahul Santra· Nov 3, 2024
We added secure from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

showing 1-10 of 55

1 / 6