Skill v1.0.1

currentAutomated scan100/100

cloudnative-co/claude-code-starter-kit/security-review

1 files

──Details

PublishedMay 30, 2026 at 08:43 AM

Content Hashsha256:d0c5c930a72973d1...

Git SHA746ce69ab220

Bump Typepatch

Compare with v1.0.0

──Files

Files (1 file, 3.0 KB)

SKILL.md3.0 KBactive

SKILL.md · 70 lines · 3.0 KB

version: "1.0.1" name: security-review description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns. when_to_use: Use when code touches authentication, secrets, user input, file uploads, payments, third-party APIs, or other sensitive surfaces.

Security Review Skill

Ensures all code follows security best practices and identifies potential vulnerabilities.

When to Activate

Implementing authentication or authorization
Handling user input or file uploads
Creating new API endpoints
Working with secrets or credentials
Implementing payment features
Storing or transmitting sensitive data
Integrating third-party APIs

Security Checklist Categories

Review each category. See references/vulnerability-patterns.md for WRONG/CORRECT code examples.

Secrets Management -- No hardcoded secrets; all in env vars; .env* gitignored
Input Validation -- Schema validation (zod); file upload size/type/extension checks
SQL Injection -- Parameterized queries only; no string concatenation
Auth & Authorization -- httpOnly cookies; RBAC; Supabase RLS enabled
XSS Prevention -- DOMPurify for user HTML; CSP headers configured
CSRF Protection -- CSRF tokens on state-changing ops; SameSite=Strict cookies
Rate Limiting -- All endpoints rate-limited; stricter on expensive operations
Data Exposure -- No secrets in logs; generic error messages to users
Blockchain -- Wallet signatures verified; transaction validation; balance checks
Dependencies -- npm audit clean; lock files committed; Dependabot enabled

Full checkbox checklist: assets/security-checklist.md

Pre-Deployment Checklist

Before ANY production deployment, confirm ALL of the following:

[ ] No hardcoded secrets, all in env vars
[ ] All user inputs validated
[ ] All queries parameterized
[ ] User content sanitized (XSS)
[ ] CSRF protection enabled
[ ] Proper token handling (httpOnly cookies)
[ ] Authorization role checks in place
[ ] Rate limiting on all endpoints
[ ] HTTPS enforced
[ ] Security headers configured (CSP, X-Frame-Options)
[ ] No sensitive data in error messages or logs
[ ] Dependencies up to date, no vulnerabilities
[ ] CORS properly configured
[ ] File uploads validated (size, type)

References

references/vulnerability-patterns.md -- All WRONG/CORRECT code examples by vulnerability type
assets/security-checklist.md -- Full security review checklist (markdown checkboxes)
OWASP Top 10
Next.js Security
Supabase Security
Web Security Academy

Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.

← v1.0.0 All versions