Validating Inputs
Claude Code agent workflow helper from OBRA clank repository.
Install
npx skills add https://github.com/obra/clank --skill validating-inputsWhat is this skill?
- OBRA clank agent workflow.
- Install via skills.sh registry.
- Pairs with Superpowers ecosystem.
Adoption & trust: 2 installs on skills.sh; 40 GitHub stars; 3/3 security scanners passed (skills.sh audits).
Recommended Skills
Microsoft Foundrymicrosoft/azure-skills
Azure Aimicrosoft/azure-skills
Azure Hosted Copilot Sdkmicrosoft/azure-skills
Lark Eventlarksuite/cli
Running Claude Code Via Litellm Copilotxixu-me/skills
Setup Matt Pocock Skillsmattpocock/skills
Journey fit
Common Questions / FAQ
Is Validating Inputs safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
READMESKILL.md - Validating Inputs
# Validating Inputs ## Overview Professional-grade software never outputs garbage regardless of what it receives. "Garbage in, garbage out" is the mark of sloppy, insecure code. **Core principle:** Check all data from external sources. Validate all routine parameters from untrusted sources. Decide consciously how to handle invalid data. **Modern standard:** "Garbage in, nothing out" OR "Garbage in, error message out" OR "No garbage allowed in" **Violating the letter of this rule is violating the spirit of defensive programming.** ## When to Use **Always use when writing functions that receive:** - User input (forms, command-line args, uploaded files) - External API responses - Database query results - File contents - Network data - Configuration files - Any data from outside your direct control **Warning signs you need this:** - Function assumes inputs are valid - No validation beyond empty/null checks - No assertions documenting assumptions - Spec mentions constraints but code doesn't check them - Silent failures or wrong results with bad data - Security vulnerabilities (injection, overflow, etc.) - Functions accept any input without question **Don't skip when:** - "Inputs will always be valid" (they won't) - "Validation happens elsewhere" (defense in depth - check anyway) - "It's just internal code" (today's internal is tomorrow's API) - Under time pressure (validation prevents longer debugging) ## The Two-Level Defense ### Level 1: Assertions (Should NEVER Happen) **Use for:** Conditions that indicate bugs in YOUR code ```python def calculate_velocity(distance: float, time: float) -> float: # Preconditions: These should NEVER be violated if caller is correct assert distance >= 0, "distance cannot be negative" assert time > 0, "time must be positive" result = distance / time # Postcondition: Result should be reasonable assert result >= 0, f"velocity cannot be negative: {result}" return result ``` **Assertions are:** - Executable documentation - Compiled out in production (typically) - For catching programmer errors during development - Should fire = bug in code that needs fixing ### Level 2: Error Handling (MIGHT Happen) **Use for:** Conditions you expect might occur in production ```python def calculate_average_score(scores: list[float]) -> float: """Calculate average of test scores (must be 0-100).""" # Error handling: Validate external data if scores is None: raise ValueError("scores cannot be None") if not scores: raise ValueError("Cannot calculate average of empty score list") # Validate each score for i, score in enumerate(scores): if not isinstance(score, (int, float)): raise TypeError(f"Score {i} is not a number: {score}") if score < 0 or score > 100: raise ValueError(f"Score {i} out of range [0-100]: {score}") result = sum(scores) / len(scores) # Postcondition: Verify result is valid assert 0 <= result <= 100, f"Calculated average out of range: {result}" return result ``` **Error handling:** - Stays in production code - Handles expected anomalies gracefully - Validates external/untrusted data - Should trigger = need to handle error, not fix code ## Qu