Menu
Pre-deploy security audit with vulnerability pattern scanning. Auto-loaded with review, audit, ship.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Show token / tool usage stats from the local telemetry log. Use when you want to know "which tools am I burning context on", "which skills are expensive", or "was yesterday's session mostly Read/Grep or actually productive".
Parallel quality audit with 7 specialized agents (Opus). Finds bugs, violations, and quality issues. Use audit for fixes, brainstorm for features.
Manage environment variables with Doppler — auto-install CLI, login, link projects, wrap commands with `doppler run`. Replaces scattered .env files with a hub/spoke architecture.
Scaffolds new projects or onboards existing ones. Detects stack, creates monorepo/single-app, configures strict tooling. Use for greenfield or first-time setup.
Archives completed stories from prd.json to reduce token usage.
Autonomous task execution with testing and security. Works through all tasks without stopping.
| name | security |
| description | Pre-deploy security audit with vulnerability pattern scanning. Auto-loaded with review, audit, ship. |
| triggers | ["security"] |
| allowed-tools | Bash, Grep, Read, Glob |
| model | opus |
| user-invocable | true |
| argument-hint | [scope: full|quick|file] |
Run before every deploy.
# Check for hardcoded secrets in source AND migrations
grep -rn "sk_live\|sk_test\|api_key\s*=\s*['\"][^'\"]\+" src/ supabase/ --include="*.ts" --include="*.tsx" --include="*.sql"
grep -rn "password\s*=\s*['\"][^'\"]\+" src/ supabase/ --include="*.ts" --include="*.tsx" --include="*.sql"
grep -rn "service_role\|supabase_admin\|cron\.\|pg_cron" supabase/migrations/ --include="*.sql" 2>/dev/null
If found: move to env vars or Edge Function secrets. CRON secrets must use vault.secrets, never hardcoded in migrations.
# Check .env files not committed
git status | grep ".env"
If .env tracked: add to .gitignore immediately.
# Check all tables have RLS
npx supabase db lint
If RLS disabled: enable RLS before proceeding.
Beyond enabled — check policy quality:
-- Find tables with public SELECT (data exposure risk)
SELECT schemaname, tablename, policyname, cmd, qual
FROM pg_policies WHERE schemaname = 'public';
Flag these patterns:
auth.uid() = user_idauth.uid() = id)Supabase auth config checks:
// Check for unvalidated inputs
grep -rn "req.body\." src/ --include="*.ts" | grep -v "zod\|schema\|validate"
If unvalidated: WARN - add Zod validation.
grep -rn "dangerouslySetInnerHTML\|innerHTML\|document.write" src/
If found: WARN - sanitize or remove.
# Check for user-supplied URLs passed to fetch/axios without validation
grep -rn "fetch(\|axios\.\(get\|post\)" src/ --include="*.ts" --include="*.tsx" | grep -v "localhost\|supabase\|vercel\|stripe"
Flag if user input flows into URL without private IP blocking (10.x, 172.16-31.x, 192.168.x, 127.x, ::1).
# Check for inverted auth logic (should deny by default)
grep -rn "if.*session\|if.*user\|if.*auth" src/middleware* src/app/**/route.ts src/app/**/page.tsx --include="*.ts" --include="*.tsx" 2>/dev/null | head -20
Flag patterns like if (session) { allow } without a default deny. Correct: if (!session) { redirect('/login'); return; }
# Check next.config headers or middleware
grep -rn "X-Frame-Options\|Content-Security-Policy\|X-Content-Type-Options\|Referrer-Policy\|Permissions-Policy" next.config* src/middleware* 2>/dev/null
Flag if missing: X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
# Check for unvalidated redirect URLs from query params
grep -rn "redirect\|router.push\|window.location" src/ --include="*.ts" --include="*.tsx" | grep -i "searchParams\|query\|url\|next\|callback\|return"
# Check API routes for rate limiting
grep -rn "rateLimit\|rate-limit\|throttle\|limiter" src/ --include="*.ts" --include="*.tsx" 2>/dev/null
Flag if auth endpoints (login, signup, password reset) lack rate limiting.
npm audit --production 2>/dev/null | tail -10
Flag critical/high vulnerabilities.
Security Check
==============
Secrets: Pass/Fail
Env files: Pass/Fail
RLS: Pass/Fail
RLS Logic: Pass/Fail
Validation: Pass/Warn
XSS: Pass/Warn
SSRF: Pass/Warn
Auth Logic: Pass/Warn
HTTP Headers: Pass/Warn
Open Redirect: Pass/Warn
Rate Limiting: Pass/Warn
npm Audit: Pass/Warn
Result: PASS/FAIL (N warnings)
Ready to deploy: Yes/No
For common issues:
.env.local.env* to .gitignoreALTER TABLE x ENABLE ROW LEVEL SECURITYQuick reference for security vulnerabilities to catch during code review.
Path: .github/workflows/*.yml
Unsafe (user input in run command):
run: echo "${{ github.event.issue.title }}"
Safe (use environment variables):
env:
TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"
Risky inputs to watch:
github.event.issue.title/bodygithub.event.pull_request.title/bodygithub.event.comment.bodygithub.event.commits.*.messagegithub.head_refUnsafe:
exec(`command ${userInput}`)
Safe:
execFile('command', [userInput])
| Pattern | Risk | Alternative |
|---|---|---|
eval() | Arbitrary code execution | JSON.parse() for data |
new Function() | Code injection | Static functions |
pickle (Python) | Arbitrary code execution | json module |
os.system() | Shell injection | subprocess.run() with list args |
| Pattern | Risk | Alternative |
|---|---|---|
dangerouslySetInnerHTML | XSS if unsanitized | DOMPurify sanitizer |
document.write() | XSS + performance | createElement + appendChild |
.innerHTML = | XSS if unsanitized | .textContent or sanitizer |
Flag these:
Don't flag:
Reference: GitHub Actions Security Guide
# Check for unrestricted or long-lived keys in source
grep -rn "AIza\|GOOG\|ya29\.\|service_account" src/ --include="*.ts" --include="*.tsx" --include="*.json" --include="*.env*"
# Check for keys committed to git history
git log -p --all -S "AIza" --diff-filter=A -- "*.ts" "*.json" 2>/dev/null | head -20
Rules:
Flag if missing: