Protects endpoints from brute force attacks and resource abuse by limiting requests to 5 per minute per IP address. The documentation drives home the cost angle with a compelling example: a startup's unsecured AI endpoint racked up $200,000 in charges during a 4-hour attack. Implementation is straightforward with a middleware wrapper that works standalone or stacks with CSRF protection. Best applied to contact forms, password resets, file uploads, and any expensive operations like AI API calls. The 5 requests per minute limit stops automated attacks without impacting legitimate users, though you'll want something more sophisticated for high-traffic production APIs that need granular control or distributed rate limiting.
npx skills add https://github.com/harperaa/secure-claude-skills --skill rate-limiting
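To make the middleware-wrapper idea concrete, here is an added example (not the skill's own code) of a per-IP, 5-requests-per-minute limiter written as a handler wrapper that can be stacked with other wrappers such as a CSRF check. The request shape (`req.ip` populated by the framework) and the `{ status, headers, body }` response object are assumptions; the IP addresses used in testing are constructed documentation addresses.

```javascript
// Added example (not the skill's own code): a 5-requests-per-minute, per-IP
// limiter written as a handler wrapper that composes with other wrappers.
// Assumptions: handlers take a request object whose `ip` the framework set from
// the socket address, and return a plain { status, headers, body } object.
const WINDOW_MS = 60 * 1000;
const MAX_PER_WINDOW = 5;

// Sliding-window counter per IP; `now` is injectable so tests are deterministic.
function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = Date.now } = {}) {
  const hits = new Map(); // ip -> timestamps of requests inside the window
  function check(ip) {
    const t = now();
    // Drop timestamps that have aged out of the window.
    const recent = (hits.get(ip) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      hits.set(ip, recent);
      // The oldest hit still in the window decides when the next slot opens.
      const retryAfterSec = Math.ceil((windowMs - (t - recent[0])) / 1000);
      return { allowed: false, retryAfterSec };
    }
    recent.push(t);
    hits.set(ip, recent);
    return { allowed: true, remaining: max - recent.length };
  }
  // Forget IPs with no hits in the window so the map cannot grow without bound.
  function prune() {
    const t = now();
    for (const [ip, stamps] of hits) {
      if (stamps.every((ts) => t - ts >= windowMs)) hits.delete(ip);
    }
  }
  return { check, prune, size: () => hits.size };
}

// Wrapper. withRateLimit(withCsrf(handler)) and withCsrf(withRateLimit(handler))
// both work because every wrapper returns a handler of the same shape.
function withRateLimit(handler, limiter = createRateLimiter()) {
  return function rateLimited(req) {
    // Behind a reverse proxy, key on the proxy-supplied client address instead,
    // or every client ends up sharing one bucket.
    const ip = req.ip || 'unknown';
    const verdict = limiter.check(ip);
    if (!verdict.allowed) {
      const headers = { 'Retry-After': String(verdict.retryAfterSec) };
      return { status: 429, headers, body: 'Too Many Requests' };
    }
    return handler(req);
  };
}
```

The `Map` lives in one process, which is exactly the limitation the text points at: multiple instances behind a load balancer each keep their own counts, so a distributed store is needed for the limit to hold across replicas.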