security-review_skill

This skill guides secure review of desktop apps, ensuring key management, input validation, SQL safety, and logging hygiene to protect data.
  • Python

0

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill cacr92/wereply --skill security-review

  • SKILL.md2.8 KB

Overview

This skill provides a focused security-review checklist and practical guidance for desktop applications, especially Tauri-based projects. It highlights key areas like secret management, Tauri command safety, SQL injection defenses, input validation, and sensitive-data handling. Use it to run consistent security checks during development and before commits or releases.

How this skill works

The skill inspects code and configuration patterns and maps them to a concise checklist: no hard-coded secrets, environment-based keys, validated Tauri commands, parameterized SQL queries, and safe logging. It also defines trigger conditions for full reviews (new commands, DB changes, file imports, third-party integrations) and a pre-submit verification list (clippy, cargo audit, no sensitive logs).

When to use it

  • When adding or changing Tauri commands or IPC handlers
  • When modifying database access or query logic
  • Before integrating or calling third-party APIs
  • When accepting user file uploads or imports
  • As part of pre-release or pre-merge checks

Best practices

  • Never hard-code API keys or passwords; load secrets from environment variables or encrypted stores
  • Validate all Tauri command parameters with a validator crate and return generic error messages
  • Use parameterized queries or a query builder; avoid string concatenation in SQL
  • Enforce both frontend and backend validation; treat backend validation as mandatory
  • Exclude secrets from logs and sanitize error outputs to avoid leaking internals
  • Run dependency audits and static checks (e.g., cargo audit, cargo clippy) before merging

Example use cases

  • Review a pull request that adds a new Tauri command handling user input
  • Audit a feature that introduces dynamic SQL queries based on user filters
  • Check a change that adds integration with an external API requiring stored keys
  • Validate file import functionality for path traversal and content validation
  • Run a pre-release checklist to ensure no sensitive data is logged and dependencies are up to date

FAQ

Triggers include adding new Tauri commands, changing the database layer, handling user file uploads, integrating third-party APIs, or introducing new configuration options.

How should secrets be stored in a desktop app?

Keep secrets out of source code. Use environment variables, platform-secure storage, or encryption. Never commit keys, and avoid printing them in logs.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational