// Review code for security issues in self-hosted and managed Vercel deployments of this Slack bot. Covers secrets, tokens, permissions, logs, user data handling, SSRF, and data minimization. Use when reviewing code for security, auditing data handling, checking for leaked secrets, or verifying privacy compliance.
| name | security-review |
| description | Review code for security issues in self-hosted and managed Vercel deployments of this Slack bot. Covers secrets, tokens, permissions, logs, user data handling, SSRF, and data minimization. Use when reviewing code for security, auditing data handling, checking for leaked secrets, or verifying privacy compliance. |
Review the relevant code with a code review mindset. Prioritize bugs, behavioral regressions, security issues, and missing tests. Findings must be the primary focus, ordered by severity. Do not make code changes unless the user explicitly asks for them.
This is a self-hostable Slack bot. Review it for security issues in both self-hosted deployments and our managed Vercel deployment. Pay close attention to how secrets, tokens, permissions, logs, and user data are handled. Make sure we do not collect, track, or store any user data unless it comes from the Million workspace or is strictly required for the product to function.
Two deployment modes — each has different trust boundaries:
| Mode | Operator | Tokens held by | Trust boundary |
|---|---|---|---|
| Managed (Vercel) | Million | Million | Million workspace data only; no cross-workspace leaks |
| Self-hosted | External operator | Operator | Operator controls their own data; bot must not phone home |
Work through every item. Report each finding with severity, file, and line range.
.env / .env.* files are in .gitignoreenv.ts schemas mark optional secrets as .optional() — no startup crash on missing non-critical varsconsole.log, console.error, or structured log payloadsSLACK_USER_TOKEN warning comment present — must not be set on multi-workspace installs/api/onboarding/connect are time-limited and single-usevalidateMcpServerUrl before any fetchSLACK_USER_TOKEN fallback only activates on self-hosted single-workspace deployments--global config, MCP management) check caller identityteamId / userId from the signed Slack payload, not from user-supplied textcatch blocks log enough context to debug without leaking PII or secretsrenderHtml)eval, Function(), or dynamic import() of user-supplied stringsCRON_SECRET bearer tokenCache-Control: no-store on all auth/onboarding HTML responses| Level | Meaning |
|---|---|
| P0 — Critical | Exploitable now: RCE, auth bypass, secret leak to client |
| P1 — High | Data exposure, privilege escalation, SSRF |
| P2 — Medium | Missing validation, excessive logging, weak error handling |
| P3 — Low | Hardening opportunities, defense-in-depth gaps |
### P0 — [Title]
**File:** `path/to/file.ts` (lines X–Y)
**Issue:** Description of the vulnerability
**Impact:** What an attacker can achieve
**Fix:** Concrete remediation steps
Group findings by severity. End with a summary count: X critical, Y high, Z medium, W low.
CSS and UI animation patterns for responsive, polished interfaces. Use when implementing hover effects, tooltips, button feedback, transitions, or fixing animation issues like flicker and shakiness. Covers animation theory, CSS animations, Framer Motion, performance, accessibility, and real-world walkthrough patterns.
Fix accessibility issues in UI components. Use when adding or changing buttons, links, inputs, menus, dialogs, tabs, dropdowns, forms, validation, error states, keyboard shortcuts, focus states, or icon-only controls.
Fix animation performance issues. Use when adding or changing UI animations, refactoring janky interactions, implementing scroll-linked motion, animating layout/filters/masks, or reviewing components that use will-change, transforms, or measurement.
Use when working on Slack agent/bot code, Chat SDK applications, or projects using `chat` and `@chat-adapter/slack`. Provides development patterns, testing requirements, and quality standards.
Use when creating new skills, editing existing skills, or verifying skills work before deployment
Use when working on Slack agent/bot code, Chat SDK applications, or projects using `chat` and `@chat-adapter/slack`. Provides development patterns, testing requirements, and quality standards.