security
Security Review
Pre-publish checklist: secrets, personal IDs, attribution, and validate-registry gates for ted-craft artifacts.
skilldev-ted
Terminal
npx ted-craft add security-review -a cursor -g -y---
name: security-review
description: >-
Pre-publish security checklist for ted-craft registry artifacts: secret scanning,
no personal IDs, attribution for catalog entries, and validate-registry gates.
Use before merging registry PRs or publishing new skills.
---
# Security review (registry)
Before publishing or merging registry changes:
## Must pass
1. `npm run validate` — Zod manifests, frontmatter, hooks JSON, secret patterns, no absolute home-directory paths
2. No API keys, tokens, private keys, or `.env` values in artifact files
3. No personal workspace IDs, emails, or private ClickUp list IDs — placeholders only
4. Catalog entries include `attribution.license` + `catalogUrl` + upstream install commands
5. First-party items ship with `manifest.json` + validated artifacts
## Review prompts
- Could this skill cause destructive MCP actions without confirmation?
- Are destructive ops documented as requiring user confirmation?
- Does description over-claim access or hide side effects?
## CI
PRs touching `registry/` run `validate-registry`. Fix errors locally before push.Security review (registry)
Before publishing or merging registry changes:
Must pass
npm run validate— Zod manifests, frontmatter, hooks JSON, secret patterns, no absolute home-directory paths- No API keys, tokens, private keys, or
.envvalues in artifact files - No personal workspace IDs, emails, or private ClickUp list IDs — placeholders only
- Catalog entries include
attribution.license+catalogUrl+ upstream install commands - First-party items ship with
manifest.json+ validated artifacts
Review prompts
- Could this skill cause destructive MCP actions without confirmation?
- Are destructive ops documented as requiring user confirmation?
- Does description over-claim access or hide side effects?
CI
PRs touching registry/ run validate-registry. Fix errors locally before push.