Coding & Refactoringlow risk
input-validation-skill
Validates, sanitizes, normalizes user inputs before processing. Prevents injection attacks, data corruption, runtime errors in production. Enforces schema-driven validation at entry points with explicit rejection policies for malformed payloads.
pantheon-org/tekhne·tools/skill-auditor/testdata/fixtures/skill-full/SKILL.md
85/ 100品質
この Skill を導入
coding agent を選び、プロジェクト用または個人用コマンドをコピーします。
プロジェクトに導入.agents/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a codex -y個人環境に導入~/.agents/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a codex -g -yプロジェクトに導入.claude/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a claude-code -y個人環境に導入~/.claude/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a claude-code -g -yプロジェクトに導入.agents/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a github-copilot -y個人環境に導入~/.copilot/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a github-copilot -g -yプロジェクトに導入.agents/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a cursor -y個人環境に導入~/.cursor/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a cursor -g -yプロジェクトに導入.agents/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a gemini-cli -y個人環境に導入~/.gemini/skills/skill-full
npx skills add https://github.com/pantheon-org/tekhne/tree/4a79b500f771a61b6b4bf63751e038649d6535bc/tools/skill-auditor/testdata/fixtures/skill-full -a gemini-cli -g -yNative Gemini CLI
gemini skills install https://github.com/pantheon-org/tekhne.git --scope workspace --path tools/skill-auditor/testdata/fixtures/skill-full⚠ インストールには open-source skills CLI を使用します。実行前にソースと権限を確認してください。
Skill の指示
GitHub で元ファイルを表示 ↗# Input Validation Skill
Enforce strict input validation before any processing to prevent security vulnerabilities and data corruption. See `references/deep-reference.md` for schema details.
## Mindset
ALWAYS treat external input as untrusted. Validate at the boundary, not deep in business logic. Every gotcha in production traces back to skipped validation.
Core rules:
1. Validate at entry points, not deep in business logic
2. Reject early — fail fast on malformed input
3. NEVER assume internal callers are trusted without proof
4. ALWAYS return a structured error with the validation failure reason
## When to Use
- Processing user-supplied data from forms, APIs, or CLI arguments
- Ingesting files or configuration from external sources
- Handling webhook payloads or third-party integrations
## When NOT to Use
- Validating internal constants or compile-time values
- Re-validating data that has already passed a trusted validation boundary in the same request lifecycle
- skip for internal microservice calls behind a trusted network boundary verified at the infrastructure layer
NEVER bypass the validation boundary for performance reasons without an explicit security review.
## Procedures
### 1. Define the schema
```typescript
import { z } from "zod";
const InputSchema = z.object({
name: z.string().min(1).max(100),
email: z.string().email(),
age: z.number().int().min(0).max(150),
});
```
### 2. Parse and validate at the entry point
```typescript
export const validateInput = (raw: unknown) => {
const result = InputSchema.safeParse(raw);
if (!result.success) {
throw new Error(`Validation failed: ${result.error.message}`);
}
return result.data;
};
```
### 3. Run validation before processing
```bash
bun run validate --input ./data/input.json
```
### 4. Handle errors explicitly
```typescript
try {
const validated = validateInput(req.body);
await process(validated);
} catch (err) {
return res.status(400).json({ error: err.message });
}
```
## Anti-Patterns
BAD: Skipping validation in a "trusted" internal path
```typescript
// BAD
function processInternal(data: any) {
db.insert(data); // no validation
}
```
WHY: Internal paths are often reachable from untrusted callers via indirection. NEVER assume trust without verifying the call chain.
GOOD:
```typescript
// GOOD
function processInternal(data: unknown) {
const safe = InternalSchema.parse(data);
db.insert(safe);
}
```
BAD: Validating after side effects
```typescript
// BAD
await db.insert(data);
validate(data); // too late
```
WHY: Side effects are already applied when validation fails. ALWAYS validate before any mutation.
## References
- [Deep Reference: Schema Design](./references/deep-reference.md) — Schema design and progressive disclosure patterns
- [Zod documentation](https://zod.dev) — advanced schema composition patterns