security
Pre-deploy security audit with vulnerability pattern scanning. Auto-loaded with review, audit, ship.
| Field | Value |
|---|---|
| name | security |
| description | Pre-deploy security audit with vulnerability pattern scanning. Auto-loaded with review, audit, ship. |
| triggers | ["security"] |
| allowed-tools | Bash, Grep, Read, Glob |
| model | opus |
| user-invocable | true |
| argument-hint | [scope: full\|quick\|file] |
Run before every deploy.
```bash
# Check for hardcoded secrets in source AND migrations
grep -rn "sk_live\|sk_test\|api_key\s*=\s*['\"][^'\"]\+" src/ supabase/ --include="*.ts" --include="*.tsx" --include="*.sql"
grep -rn "password\s*=\s*['\"][^'\"]\+" src/ supabase/ --include="*.ts" --include="*.tsx" --include="*.sql"
grep -rn "service_role\|supabase_admin\|cron\.\|pg_cron" supabase/migrations/ --include="*.sql" 2>/dev/null
```
If found: move to env vars or Edge Function secrets. CRON secrets must use vault.secrets, never hardcoded in migrations.
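```bash
# Check .env files not committed (ls-files also lists tracked files with no pending changes)
git ls-files | grep -E '(^|/)\.env'
git status --porcelain | grep -E '\.env'
```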
If .env tracked: add to .gitignore immediately.
```bash
# Check all tables have RLS
npx supabase db lint
```
If RLS disabled: enable RLS before proceeding.
Beyond checking that RLS is enabled, check policy quality:

```sql
-- Find tables with public SELECT (data exposure risk)
SELECT schemaname, tablename, policyname, cmd, qual
FROM pg_policies WHERE schemaname = 'public';
```
Flag these patterns:
`auth.uid() = user_id`, `auth.uid() = id)`

Supabase auth config checks:
```bash
# Check for unvalidated inputs
grep -rn "req.body\." src/ --include="*.ts" | grep -v "zod\|schema\|validate"
```
If unvalidated: WARN - add Zod validation.
```bash
grep -rn "dangerouslySetInnerHTML\|innerHTML\|document.write" src/
```
If found: WARN - sanitize or remove.
```bash
# Check for user-supplied URLs passed to fetch/axios without validation
grep -rn "fetch(\|axios\.\(get\|post\)" src/ --include="*.ts" --include="*.tsx" | grep -v "localhost\|supabase\|vercel\|stripe"
```
Flag if user input flows into URL without private IP blocking (10.x, 172.16-31.x, 192.168.x, 127.x, ::1).
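One way to enforce the private-address rule above before a request is made, as an added example that is not part of the original skill; `isPrivateV4`, `hostIsInternal` and `assertSafeUrl` are hypothetical names. It parses with the WHATWG `URL` class first, so decimal, hex and IPv4-mapped spellings of an address are normalized before the range check.

```javascript
// Added example: literal-address SSRF guard for the ranges listed above.
// All function names here are hypothetical, not from the skill.

// True for 10/8, 127/8, 172.16/12 and 192.168/16, given numeric octets.
function isPrivateV4([a, b]) {
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function hostIsInternal(hostname) {
  // Drop a trailing root dot so "localhost." is treated like "localhost".
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // URL.hostname returns IPv6 literals in brackets, already compressed.
  if (host.startsWith('[')) {
    const v6 = host.slice(1, -1);
    if (v6 === '::1') return true;
    // IPv4-mapped addresses are serialized as ::ffff:HHHH:HHHH.
    const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (!m) return false;
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isPrivateV4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
  }
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  return m ? isPrivateV4(m.slice(1).map(Number)) : false;
}

// Returns the parsed URL, or throws. Call before fetch()/axios.
function assertSafeUrl(input) {
  const url = new URL(input); // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`blocked scheme: ${url.protocol}`);
  }
  if (hostIsInternal(url.hostname)) {
    throw new Error(`blocked internal host: ${url.hostname}`);
  }
  return url;
}
```

This checks literal addresses only; a hostname that resolves to one of these ranges still has to be caught by checking the resolved address when the connection is made.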
```bash
# Check for inverted auth logic (should deny by default)
# --include is used instead of src/app/**/route.ts, which only recurses when bash globstar is on
grep -rn "if.*session\|if.*user\|if.*auth" src/ --include="middleware*.ts" --include="route.ts" --include="page.tsx" 2>/dev/null | head -20
```
Flag patterns like if (session) { allow } without a default deny. Correct: if (!session) { redirect('/login'); return; }
```bash
# Check next.config headers or middleware
grep -rn "X-Frame-Options\|Content-Security-Policy\|X-Content-Type-Options\|Referrer-Policy\|Permissions-Policy" next.config* src/middleware* 2>/dev/null
```
Flag if missing: X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
```bash
# Check for unvalidated redirect URLs from query params
grep -rn "redirect\|router.push\|window.location" src/ --include="*.ts" --include="*.tsx" | grep -i "searchParams\|query\|url\|next\|callback\|return"
```
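A same-origin check for the redirect targets this grep surfaces, as an added example that is not part of the original skill; `safeRedirectTarget`, the `origin` argument and the `/` fallback are assumptions.

```javascript
// Added example: accept a redirect target from a query parameter only
// when it resolves to the application's own origin.
// safeRedirectTarget and its parameters are hypothetical names.
function safeRedirectTarget(next, origin, fallback = '/') {
  if (typeof next !== 'string' || next === '') return fallback;
  // Backslashes and control characters are rejected outright: browsers
  // may treat "\" like "/" and strip tabs/newlines while parsing.
  if (/[\\\u0000-\u001f]/.test(next)) return fallback;
  let url;
  try {
    // Resolving against the app origin makes "//host" and "scheme:"
    // inputs show up as a different origin.
    url = new URL(next, origin);
  } catch {
    return fallback;
  }
  if (url.origin !== new URL(origin).origin) return fallback;
  // Return a path-only value so the caller never redirects off-site.
  return url.pathname + url.search + url.hash;
}
```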
```bash
# Check API routes for rate limiting
grep -rn "rateLimit\|rate-limit\|throttle\|limiter" src/ --include="*.ts" --include="*.tsx" 2>/dev/null
```
Flag if auth endpoints (login, signup, password reset) lack rate limiting.
```bash
npm audit --production 2>/dev/null | tail -10
```
Flag critical/high vulnerabilities.
```
Security Check
==============
Secrets: Pass/Fail
Env files: Pass/Fail
RLS: Pass/Fail
RLS Logic: Pass/Fail
Validation: Pass/Warn
XSS: Pass/Warn
SSRF: Pass/Warn
Auth Logic: Pass/Warn
HTTP Headers: Pass/Warn
Open Redirect: Pass/Warn
Rate Limiting: Pass/Warn
npm Audit: Pass/Warn
Result: PASS/FAIL (N warnings)
Ready to deploy: Yes/No
```
For common issues:
- `.env.local`
- `.env*` to .gitignore
- `ALTER TABLE x ENABLE ROW LEVEL SECURITY`

Quick reference for security vulnerabilities to catch during code review.
Path: .github/workflows/*.yml
Unsafe (user input in run command):

```yaml
run: echo "${{ github.event.issue.title }}"
```

Safe (use environment variables):

```yaml
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"
```
Risky inputs to watch:
- `github.event.issue.title/body`
- `github.event.pull_request.title/body`
- `github.event.comment.body`
- `github.event.commits.*.message`
- `github.head_ref`

Unsafe:

```javascript
exec(`command ${userInput}`)
```

Safe:

```javascript
execFile('command', [userInput])
```
| Pattern | Risk | Alternative |
|---|---|---|
| `eval()` | Arbitrary code execution | `JSON.parse()` for data |
| `new Function()` | Code injection | Static functions |
| `pickle` (Python) | Arbitrary code execution | `json` module |
| `os.system()` | Shell injection | `subprocess.run()` with list args |

| Pattern | Risk | Alternative |
|---|---|---|
| `dangerouslySetInnerHTML` | XSS if unsanitized | DOMPurify sanitizer |
| `document.write()` | XSS + performance | `createElement` + `appendChild` |
| `.innerHTML =` | XSS if unsanitized | `.textContent` or sanitizer |
Flag these:
Don't flag:
Reference: GitHub Actions Security Guide
```bash
# Check for unrestricted or long-lived keys in source
grep -rn "AIza\|GOOG\|ya29\.\|service_account" src/ --include="*.ts" --include="*.tsx" --include="*.json" --include="*.env*"
# Check for keys committed to git history
git log -p --all -S "AIza" --diff-filter=A -- "*.ts" "*.json" 2>/dev/null | head -20
```
Rules:
Flag if missing: