If you're writing Internet Computer canisters, this covers the security patterns that aren't obvious from Web2 backend development. The async messaging model creates TOCTOU vulnerabilities between await calls, canister_inspect_message isn't a real security boundary, and the anonymous principal is a shared identity anyone can use. You get copy-paste patterns for CallerGuard (reentrancy prevention), saga pattern (async safety), and upgrade traps that brick canisters. The pitfalls section is dense but accurate, especially on callback traps after state mutation and the fact that a malicious replica can skip inspect_message entirely. Covers both Motoko and Rust. Read the pitfalls first, then use the patterns when you hit them.
npx skills add https://github.com/dfinity/icskills --skill canister-security
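To make the CallerGuard idea concrete, here is an added example in plain Rust (not code from the icskills repo): the guard marks the caller as "in flight" until it is dropped, so a second message from the same caller that arrives during an await is rejected instead of racing the balance check; the begin/finish halves stand in for the code before and after the await, and a String stands in for candid::Principal so it runs without ic_cdk.

```rust
use std::cell::RefCell;
use std::collections::{BTreeMap, BTreeSet};

// Stand-in for candid::Principal (assumption: a textual id is enough for the model).
pub type Principal = String;

thread_local! {
    // Canister state: callers with a message in flight, and ledger balances.
    static IN_FLIGHT: RefCell<BTreeSet<Principal>> = RefCell::new(BTreeSet::new());
    static BALANCES: RefCell<BTreeMap<Principal, u64>> = RefCell::new(BTreeMap::new());
}

/// Held for the whole message; Drop releases the slot on every exit path.
pub struct CallerGuard { caller: Principal }

impl CallerGuard {
    pub fn new(caller: &Principal) -> Result<Self, String> {
        let fresh = IN_FLIGHT.with(|s| s.borrow_mut().insert(caller.clone()));
        if fresh { return Ok(CallerGuard { caller: caller.clone() }); }
        Err(format!("{caller}: a message is already in flight"))
    }
}

impl Drop for CallerGuard {
    fn drop(&mut self) { IN_FLIGHT.with(|s| { s.borrow_mut().remove(&self.caller); }); }
}

pub fn set_balance(p: &Principal, amount: u64) {
    BALANCES.with(|b| { b.borrow_mut().insert(p.clone(), amount); });
}
pub fn balance(p: &Principal) -> u64 {
    BALANCES.with(|b| b.borrow().get(p).copied().unwrap_or(0))
}

/// First half of a withdrawal, up to the await: take the guard and debit now.
/// The returned guard stands in for "the inter-canister call is in flight".
pub fn begin_withdraw(caller: &Principal, amount: u64) -> Result<CallerGuard, String> {
    let guard = CallerGuard::new(caller)?; // a second message from this caller is rejected
    let bal = balance(caller);
    if bal < amount {
        return Err("insufficient balance".into()); // guard dropped here: slot released
    }
    set_balance(caller, bal - amount); // debit before the await, never after it
    Ok(guard)
}

/// Second half, run in the callback: refund only if the transfer failed.
pub fn finish_withdraw(guard: CallerGuard, amount: u64, transfer_ok: bool) {
    if !transfer_ok { set_balance(&guard.caller, balance(&guard.caller) + amount); }
    drop(guard); // releases the caller's in-flight slot
}
```

In a real canister the guard is created at the top of the update method and held across the await; the debit-before-await placement is what keeps a failed or re-entered call from spending the same balance twice.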