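Discover high-quality AI Agent skills
Aggregating high-quality resources such as Claude Skills, LangChain, and AutoGPT to help developers quickly build intelligent applications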
Self-Hosting Rules
- Backups first — decide where data lives and how it's backed up before deploying, not after data exists
- Check resource requirements — many services need more RAM than expected, OOM kills corrupt data
- Verify the project is actively maintained — abandoned projects become security liabilities
Severity Model - Security Best Practices
Use this model to keep severity decisions consistent.
Setup - Security Best Practices
Read this when `~/security-best-practices/` is missing or empty.
Review Playbook - Security Best Practices
Use this sequence for explicit security scans and hardening reviews.
Remediation Patterns - Security Best Practices
Use these patterns to reduce security risk without destabilizing delivery.
Memory Template - Security Best Practices
Create `~/security-best-practices/memory.md` with this structure:
Risk Exceptions - Security Best Practices
Use this file when a risk is intentionally accepted instead of fixed immediately.
Metaprogramming Traps
- `define_method` — captures closure, be careful with loop variables
- `eval` string — security risk, avoid with user input
- `class_eval` vs `instance_eval` — class_eval defines instance methods, instance_eval defines singleton
- `const_get` with user input — can access any constant, security risk
- `method(:name)` — raises NameError if method doesn't exist
Security Traps
- `where("email = '#{params[:email]}'")` — SQL injection, use `where(email: params[:email])`
- `Model.new(params[:model])` without permit — mass assignment even with strong params
- `skip_forgery_protection` on API — still needed if session-based auth
- `html_safe` on user input — stored XSS, escape first then mark safe
- `send(params[:method])` — arbitrary method call, whitelist allowed methods
Security Traps
- SQL injection — use prepared statements, NEVER concatenate user input
- XSS — `htmlspecialchars($input, ENT_QUOTES, 'UTF-8')` on all output
- CSRF — verify token on state-changing requests
- File upload — check MIME type, extension, AND magic bytes
- `include($userInput)` — remote file inclusion, validate path strictly