extension
Category: Development & Engineering. No API key required.

security-review

Security audit for vulnerabilities, compliance issues, and sensitive data exposure. Use before production deployments or when reviewing security-sensitive code.

Author: jakexiaohub (GitHub)

Security Review

Comprehensive security audit for the MuRP codebase.

Security Checklist

Authentication & Authorization

  • [ ] No hardcoded credentials
  • [ ] API keys only in environment variables
  • [ ] Proper token handling
  • [ ] RLS policies on Supabase tables

Data Protection

  • [ ] No sensitive data in logs
  • [ ] PII properly handled
  • [ ] Encryption for sensitive fields
  • [ ] Input sanitization

API Security

  • [ ] SQL injection prevention (parameterized queries)
  • [ ] XSS protection
  • [ ] CSRF tokens where needed
  • [ ] Rate limiting configured

Dependencies

  • [ ] Run npm audit
  • [ ] Check for known vulnerabilities
  • [ ] Verify dependency integrity

Infrastructure

  • [ ] Environment variables not exposed to frontend
  • [ ] Edge functions use proper auth
  • [ ] Webhook endpoints validated

Scan Commands

# Check for hardcoded secrets
grep -r "sk_" --include="*.ts" --include="*.tsx" .
grep -r "password.*=" --include="*.ts" --include="*.tsx" .

# Check npm vulnerabilities
npm audit

# Check for console.log with sensitive data
# (the alternation is grouped so the pattern only matches console.log lines,
# not every line that happens to contain "password" or "secret")
grep -r "console\.log.*\(token\|password\|secret\)" --include="*.ts" .

Report Format

| Severity | File | Issue | Remediation |
|----------|------|-------|-------------|
| Critical | path | desc | fix |
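The following script is an added example and not part of the skill or the MuRP project: it runs the three scan patterns from the Scan Commands section over a directory and prints each hit as a row in the Report Format table above. It assumes GNU grep (for `--include` and the `\|` alternation the skill already uses), the sample `.ts` files and the severity assigned to each pattern are constructed for illustration, and `scan_secrets`, `make_sample_tree` and `count_findings` are names chosen here.

```shell
# Added example: run the skill's scan greps and emit Report Format rows.
# Assumes GNU grep; sample files below are constructed, not from MuRP.

scan_secrets() {
  # $1 = directory to scan. Prints one Markdown table row per finding.
  dir="$1"
  # Pattern 1: "sk_" secret-key prefix in TS/TSX source (severity assumed: Critical).
  grep -rn "sk_" --include="*.ts" --include="*.tsx" "$dir" 2>/dev/null |
    while IFS=: read -r file line _; do
      printf '| Critical | %s:%s | Possible hardcoded API key (sk_ prefix) | Move to environment variable |\n' "$file" "$line"
    done
  # Pattern 2: password assignment (severity assumed: High).
  grep -rn "password.*=" --include="*.ts" --include="*.tsx" "$dir" 2>/dev/null |
    while IFS=: read -r file line _; do
      printf '| High | %s:%s | Possible hardcoded password | Load from secrets manager or env |\n' "$file" "$line"
    done
  # Pattern 3: console.log of a sensitive value. The alternation is grouped so
  # a plain "secret" elsewhere in the file does not produce a finding.
  grep -rn "console\.log.*\(token\|password\|secret\)" --include="*.ts" --include="*.tsx" "$dir" 2>/dev/null |
    while IFS=: read -r file line _; do
      printf '| High | %s:%s | Sensitive value logged to console | Remove or redact the log statement |\n' "$file" "$line"
    done
}

make_sample_tree() {
  # Constructed sample sources (placeholder values only); prints the temp dir path.
  tmp=$(mktemp -d)
  cat > "$tmp/billing.ts" <<'EOF'
const stripe = new Stripe("sk_PLACEHOLDER_NOT_A_REAL_KEY");
const password = "placeholder";
EOF
  cat > "$tmp/auth.ts" <<'EOF'
console.log("token:", session.token);
console.log("login ok");
const secretName = "db-secret";
EOF
  cat > "$tmp/ok.ts" <<'EOF'
const key = process.env.STRIPE_SECRET_KEY;
EOF
  printf '%s\n' "$tmp"
}

count_findings() {
  # Number of table rows produced for directory $1.
  scan_secrets "$1" | grep -c '^| '
}

# Usage: scan the constructed tree and print the full report table.
sample_dir=$(make_sample_tree)
printf '| Severity | File | Issue | Remediation |\n|----------|------|-------|-------------|\n'
scan_secrets "$sample_dir"
rm -rf "$sample_dir"
```

On the constructed tree this yields three rows: the `sk_` literal and the password assignment in `billing.ts`, and the token log on line 1 of `auth.ts`. Line 3 of `auth.ts` (`const secretName`) and the `process.env` read in `ok.ts` produce no rows, which is the point of grouping the alternation in the third pattern.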

Trigger Phrases

  • "security review"
  • "security audit"
  • "check for vulnerabilities"
  • "/security-review"