with one click
audit-security
Automated pre-flight security checks for secrets and PII.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Automated pre-flight security checks for secrets and PII.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | Audit Security |
| description | Automated pre-flight security checks for secrets and PII. |
| version | 1.0.0 |
Use this skill to perform a "Pre-Flight Security Check" before any deployment.
Goal: Ensure no hardcoded API keys exist in the codebase.
Action: Run a grep search for these patterns. If found outside of wix-secrets, FAIL the audit.
GAS_WEB_APP_URL = "https://..." (Hardcoded URL)Authorization: "Bearer ..." (Hardcoded Token)AI_API_KEY or SIGNNOW_KEYCorrect Pattern:
import { getSecret } from 'wix-secrets-backend';
const apiKey = await getSecret('GAS_API_KEY');
Goal: Ensure no customer data is logged in plain text.
Action: Review console.log statements in backend files.
console.log("User Data:", userData); (Dumps everything)console.log("User updated:", userData._id); (Logs ID only)Goal: Verify the public/private boundary.
http-functions.js (if it exists) has suppressAuth: true ONLY where absolutely necessary.gasIntegration.jsw exports only meant for Admin use are not effectively public (though .jsw are internal-ish, always check permissions).To run a manual audit:
AKfy (Common Google Script ID start).AIza (Generic Google API Key start).@gmail.com (Hardcoded emails).If any are found in code files (not Markdown), alert the user immediately.
Dynamically manage MCP server limits by toggling disabled states in mcp_config.json. Use when hitting the 100-tool limit, or when needing a specific MCP server that is currently disabled.
When the user wants to set up, improve, or audit analytics tracking and measurement. Also use when the user mentions "set up tracking," "GA4," "Google Analytics," "conversion tracking," "event tracking," "UTM parameters," "tag manager," "GTM," "analytics implementation," "tracking plan," "how do I measure this," "track conversions," "attribution," "Mixpanel," "Segment," "are my events firing," or "analytics isn't working." Use this whenever someone asks how to know if something is working or wants to measure marketing results. For A/B test measurement, see ab-test-setup.
When the user wants to create or optimize an email sequence, drip campaign, automated email flow, or lifecycle email program. Also use when the user mentions "email sequence," "drip campaign," "nurture sequence," "onboarding emails," "welcome sequence," "re-engagement emails," "email automation," "lifecycle emails," "trigger-based emails," "email funnel," "email workflow," "what emails should I send," "welcome series," or "email cadence." Use this for any multi-email automated flow. For cold outreach emails, see cold-email. For in-app onboarding, see onboarding-cro.
When the user wants to plan, map, or restructure their website's page hierarchy, navigation, URL structure, or internal linking. Also use when the user mentions "sitemap," "site map," "visual sitemap," "site structure," "page hierarchy," "information architecture," "IA," "navigation design," "URL structure," "breadcrumbs," "internal linking strategy," "website planning," "what pages do I need," "how should I organize my site," or "site navigation." Use this whenever someone is planning what pages a website should have and how they connect. NOT for XML sitemaps (that's technical SEO — see seo-audit). For SEO audits, see seo-audit. For structured data, see schema-markup.
Wix Design System component reference. Use when building UI with @wix/design-system, choosing components, or checking props and examples. Triggers on "what component", "how do I make", "WDS", "show me props", or component names like Button, Card, Modal, Box, Text.
Creates HTTP endpoints for Wix CLI apps. Use only when the user specifically asks for a backend endpoint. Use when building REST API endpoints, backend HTTP handlers, or server-side logic. Triggers include backend API, HTTP endpoint, HTTP methods, form handling, file uploads.