clean-code

GitHub

作为代码生成的基础技能,强制实施安全、防幻觉及高质量编码规范。涵盖供应链安全、输入输出防护、禁止占位符及模块化原则,确保所有代码可运行且无安全隐患。

100 skills/clean-code/SKILL.md xenitV1/claude-code-maestro

Trigger Scenarios

生成任何代码片段时 进行代码审查或重构时 引入第三方依赖包时

Install

npx skills add xenitV1/claude-code-maestro --skill clean-code -g -y
More Options

Use without installing

npx skills use xenitV1/claude-code-maestro@clean-code

指定 Agent (Claude Code)

npx skills add xenitV1/claude-code-maestro --skill clean-code -a claude-code -g -y

安装 repo 全部 skill

npx skills add xenitV1/claude-code-maestro --all -g -y

预览 repo 内 skill

npx skills add xenitV1/claude-code-maestro --list

SKILL.md

Frontmatter
{
    "name": "clean-code",
    "description": "The Foundation Skill. LLM Firewall + 2025 Security + Cross-Skill Coordination. Use for ALL code output - prevents hallucinations, enforces security, ensures quality."
}

<domain_overview>

🛡️ CLEAN CODE: THE FOUNDATION

Philosophy: This skill is the FOUNDATION - it applies to ALL other skills. Every piece of code must pass these gates. ALGORITHMIC ELEGANCE MANDATE (CRITICAL): Never prioritize "clever" code over readable, intent-revealing engineering. AI-generated code often fails by introducing unnecessary abstractions or using vague naming conventions that obscure logic. You MUST use intent-revealing names for every variable and function. Any implementation that increases cognitive complexity without a proportional gain in performance or scalability must be rejected. Avoid "Hype-Driven Development"—proven patterns trump trending but unstable frameworks. </domain_overview> <iron_laws>

🚨 IRON LAWS

1. NO HALLUCINATED PACKAGES - Verify before import
2. NO LAZY PLACEHOLDERS - Code must be runnable
3. NO SECURITY SHORTCUTS - Production-ready defaults
4. NO OVER-ENGINEERING - Simplest solution first

</iron_laws> <security_protocols>

📦 PROTOCOL 1: SUPPLY CHAIN SECURITY

LLMs hallucinate packages that sound real but don't exist.

  1. Verify before import - npm search or pip show for unfamiliar packages
  2. Prefer battle-tested - lodash, date-fns, zod over obscure alternatives
  3. Check npm audit / pip-audit before adding new dependencies
  4. Pin versions in production - no ^ or ~ for critical deps 2025 AI Package Risks:
  • Never import AI "wrapper" libraries without verification
  • LLM SDKs: Use official only (openai, anthropic, google-generativeai)
  • Vector DBs: Stick to established (pinecone, weaviate, chromadb)

🔐 PROTOCOL 2: SECURITY-FIRST DEFAULTS

Frontend Security:

Forbidden Required
dangerouslySetInnerHTML DOMPurify sanitization
Inline event handlers Event delegation
eval(), new Function() Static code only
Storing tokens in localStorage httpOnly cookies
Backend Security:
Forbidden Required
----------- ----------
CORS: * Explicit origin whitelist
Raw SQL strings Parameterized queries
chmod 777 Principle of least privilege
Hardcoded secrets Environment variables + validation
API Security (2025):
  • Rate limiting on ALL public endpoints
  • Input validation at the gate (Zod/Pydantic)
  • Output sanitization for AI-generated content
  • PASETO > JWT for new projects </security_protocols> <modularity_and_placeholder_rules>

🏗️ PROTOCOL 3: NO LAZY PLACEHOLDERS

Forbidden Patterns:

// ❌ BANNED
// TODO: Implement this
// ... logic goes here
function placeholder() { }
throw new Error('Not implemented');

Required:

  • Every function must be runnable
  • If too complex, break into smaller complete functions
  • "Hurry" is not an excuse - write minimal viable implementation

📐 PROTOCOL 4: MODULARITY & STRUCTURE

The 50/300 Rule:

  • Functions > 50 lines → Break down
  • Files > 300 lines → Split into modules SOLID Principles: | Principle | Quick Check | |-----------|-------------| | Single Responsibility | Does this do ONE thing? | | Open/Closed | Can I extend without modifying? | | Liskov Substitution | Can subtypes replace parent? | | Interface Segregation | Are interfaces minimal? | | Dependency Inversion | Do I depend on abstractions? | </modularity_and_placeholder_rules> <complexity_and_dependencies>

🎯 PROTOCOL 5: COMPLEXITY CAP

Native First:

// ❌ Don't install is-odd
npm install is-odd
// ✅ Use native
const isOdd = n => n % 2 !== 0;

Anti-Patterns:

  • AbstractFactoryBuilderManager for simple functions
  • 10 layers of abstraction for CRUD
  • "Future-proofing" for requirements that don't exist YAGNI: You Aren't Gonna Need It. Build for today's requirements.

🔄 PROTOCOL 6: DEPENDENCY HYGIENE

Freshness Check:

npm outdated      # Check for updates
npm audit         # Check for vulnerabilities

The CVE Brake:

  • "Latest" is not always "Safest"
  • If latest has Critical CVE → Rollback to last secure version
  • Security > New Features 2025 Recommended: | Category | Recommended | |----------|-------------| | Validation | zod, valibot | | HTTP | ky, ofetch | | State | zustand, jotai | | ORM | drizzle, prisma | | Auth | lucia, better-auth | </complexity_and_dependencies> <ai_era_protocols>

🤖 PROTOCOL 7: AI-ERA CONSIDERATIONS

When Building AI Features:

  1. Validate AI outputs - Never trust raw LLM responses
  2. Rate limit AI calls - Prevent cost explosions
  3. Sanitize before display - AI can generate malicious content
  4. Log AI interactions - For debugging and compliance When AI is Writing Code:
  5. Verify imports exist - AI hallucinates packages
  6. Check types are correct - AI guesses at APIs
  7. Test edge cases - AI misses boundary conditions
  8. Review security - AI takes shortcuts </ai_era_protocols> <audit_and_reference>

✅ QUICK AUDIT CHECKLIST

Before committing ANY code:

  • No hallucinated imports (verified packages exist)
  • No security shortcuts (CORS, eval, hardcoded secrets)
  • No lazy placeholders (// TODO, empty functions)
  • Functions < 50 lines, files < 300 lines
  • Dependencies audited (npm audit clean)
  • Types are strict (no any)

🔗 CROSS-SKILL INTEGRATION

When Using... Clean Code Adds...
@frontend-design Security defaults, no eval, CSP awareness
@backend-design Input validation, no raw SQL, Zero Trust
@tdd-mastery No placeholders (tests enforce completeness)
@planning-mastery Modularity guides task breakdown
@brainstorming SOLID/YAGNI guide architecture decisions
@debug-mastery Logging standards, no silent failures
</audit_and_reference>

Version History

  • 924315b Current 2026-07-05 09:10

Same Skill Collection

SKILL.md
skills/backend-design/SKILL.md
skills/brainstorming/SKILL.md
skills/browser-extension/SKILL.md
skills/debug-mastery/SKILL.md
skills/frontend-design/SKILL.md
skills/git-worktrees/SKILL.md
skills/optimization-mastery/SKILL.md
skills/planning-mastery/SKILL.md
skills/ralph-wiggum/SKILL.md
skills/tdd-mastery/SKILL.md
skills/verification-mastery/SKILL.md

Metadata

Files
0
Version
924315b
Hash
25e3e8a1
Indexed
2026-07-05 09:10

- 위키
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-05 18:16
浙ICP备14020137号-1 $방문자$