feat(skill): runtime-debug-endpoint-security — reviews debug/diagnostic endpoints for production exposure #2605

Closed
daviediao-code wants to merge 1 commit into UnitOneAI:main from daviediao-code:main

@daviediao-code

feat(skill): runtime-debug-endpoint-security

Addresses issue #2427

What this skill does

Reviews runtime debug, diagnostic, and internal monitoring endpoints across web backends, cloud infrastructure, and internal tooling. Covers Flask debug, Django debug panel, Spring Boot Actuator, Kubernetes API servers, Prometheus metrics, Swagger UI, and custom diagnostic endpoints.

Deliverables

  • skills/appsec/runtime-debug-endpoint-security/SKILL.md — complete security review skill
  • skills/appsec/runtime-debug-endpoint-security/tests/vulnerable/ — 1 vulnerable fixture
  • skills/appsec/runtime-debug-endpoint-security/tests/benign/ — 1 benign fixture
  • index.yaml — updated with new skill entry (skill_count: 46 → 47)

Compliance checklist

  • SKILL.md follows format specification
  • Framework cited (OWASP Top 10 2021)
  • All framework references verified
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum (Read, Grep, Glob)
  • Tested with vulnerable and benign fixtures
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry

Framework References

  • OWASP Top 10 2021 — A05: Security Misconfiguration, A01: Broken Access Control
  • Spring Boot Actuator Security Documentation
  • Flask Debug Mode Security
  • Django Debug Mode
  • Kubernetes Security Best Practices

Requested bounty tier: Intermediate ($350)

Payment details can be provided privately after maintainer acceptance.

@github-actions

Thanks for contributing! 🙏 To keep the queue reviewable, we allow one open PR per contributor at a time. You already have #2580 open, so we're closing this one — please reopen it after that PR is resolved.

github-actions bot added the one-open-pr label (Contributor already has an open PR; only one allowed at a time) Jun 15, 2026
github-actions bot closed this Jun 15, 2026