These are tips — quick, practical prompts you can paste into an AI coding assistant. They are not a certified security assessment, not a substitute for professional review, and they do not produce 100% accurate results. Treat every finding as a starting point for your own judgement, not a verdict. The author and this site accept no liability for decisions made on the basis of the output. See the full disclaimer in the footer.
This is a short, self-contained playbook for testing the AI tool or agent you are building today, without standing up any test infrastructure. The tips are intentionally short, tool-agnostic, and copy-pasteable. They assume you have access to some AI coding assistant with a chat or inline-edit interface; the prompts are written so they work the same way in whichever one you use.
Foundations
The prompts
- Tip 02: The prompt pack — thirteen targeted security checks
  Thirteen paste-ready prompts, each targeting a specific security failure mode common in AI tools and agents. Each prompt asks the assistant to look for one mode, point to the lines that prove it, and propose a concrete fix.
- Tip 03: One red-team prompt that tries to break your agent
  A single longer prompt that role-plays an attacker against your tool. Useful as a follow-up after you have run the prompt pack and want a second pass that is less structured and more adversarial.
Working the results
- Tip 04: Turn the answers into a fix list — and re-run after each fix
  A tiny convention for capturing what the assistant found, what you changed, and what changed in the next run. Keeps the self-review honest and prevents one fix from quietly opening a new hole.
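One shape such a convention can take, as an added illustration for this index page rather than the convention Tip 04 itself lays out: keep each run's findings as one line per finding, then diff consecutive runs so that anything the last fix introduced shows up as a regression instead of being lost in the noise. The record format (prompt id | file:line | summary), the prompt ids P02/P03/P07/P11, and both sample runs are constructed here, not taken from the page.

```python
"""Compare two self-review runs and flag findings a fix introduced.

Added example, not the convention Tip 04 prescribes. The record format,
the prompt ids and the sample runs below are all assumptions made here.
"""


def parse_run(text: str) -> dict[tuple[str, str], str]:
    """Parse 'ID | path:line | summary' lines into {(id, path): summary}.

    Findings are keyed on prompt id and file only: line numbers shift after
    an edit and the assistant rewords summaries between runs, so neither is
    stable enough to match on. Blank lines and '#' comments are skipped.
    """
    findings: dict[tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [part.strip() for part in line.split("|", 2)]
        if len(parts) != 3:
            raise ValueError(f"malformed finding record: {line!r}")
        check, location, summary = parts
        path = location.rsplit(":", 1)[0]  # drop the ':line' suffix if present
        findings[(check, path)] = summary
    return findings


def diff_runs(before: str, after: str) -> dict[str, set[tuple[str, str]]]:
    """Classify each finding as fixed, still open, or new since the last run."""
    b, a = parse_run(before), parse_run(after)
    return {
        "fixed": set(b) - set(a),
        "open": set(b) & set(a),
        "new": set(a) - set(b),  # the hole a fix may have quietly opened
    }


def report(before: str, after: str) -> str:
    """One-line tally plus a REGRESSION line for every new finding."""
    d = diff_runs(before, after)
    after_findings = parse_run(after)
    lines = [f"fixed {len(d['fixed'])}, open {len(d['open'])}, new {len(d['new'])}"]
    for check, path in sorted(d["new"]):
        lines.append(f"REGRESSION {check} in {path}: {after_findings[(check, path)]}")
    return "\n".join(lines)


# Constructed sample runs (not real assistant output). Run 1 is the first
# pass of the prompt pack; run 2 is after fixing the P11 secret handling.
RUN_1 = """\
# run 1 - initial pass
P03 | src/tools/shell.py:42 | subprocess called with shell=True on a tool-supplied argument
P07 | src/agent/memory.py:18 | retrieved document text inserted into the system prompt unescaped
P11 | src/config.py:5 | API key read from a world-readable file
"""

RUN_2 = """\
# run 2 - after moving the API key into an environment variable
P07 | src/agent/memory.py:18 | retrieved document text still reaches the system prompt unescaped
P03 | src/tools/shell.py:51 | new helper still passes a user-controlled string to os.system
P02 | src/config.py:9 | API key value is now logged at debug level during startup
"""

if __name__ == "__main__":
    print(report(RUN_1, RUN_2))
```

The P03 finding moved from line 42 to line 51 between runs yet is still reported as open, while the P02 record introduced by the key-handling change is surfaced as a regression; that is the whole point of keying on prompt id and file rather than on the assistant's exact wording.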
- Tip 05: A 10-minute pre-release self-audit
  The minimum routine to run before tagging a release of your tool: a five-question checklist, the three prompts that catch the highest-impact regressions, and a one-paragraph release note template.
How to use this series
If you are short on time, jump straight to Tip 02 and try the first three or four prompts against the tool you are building right now. The other tips fill in the supporting habit — scoping the assistant correctly, capturing answers, re-testing after fixes, and a short pre-release routine — but the prompts are the part that does the work.
Nothing in this series is specific to a particular AI assistant, IDE, language, or framework. The prompts are written in plain English and only assume that the assistant can see your tool’s source. If yours cannot, fix that first (Tip 01).
More field guides
- Field guide: Anti-Patterns Catalogue
  Fourteen named security failure modes in agentic AI, each with a definition, a hypothetical scenario, and a layered remediation. The reference half of the playbook.
- Field guide: Release Engineering
  Eight chapters on shipping an agent to a customer environment: delivery models, signing, the pin file, the bootstrap repo, ephemeral runners, hygiene, cadence and rollback.