business-logic-flaws_skill

This skill helps you identify and remediate race conditions, integer overflows, and calculation errors in AI-generated JavaScript code to secure business logic.
  • JavaScript

4

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill harperaa/secure-claude-skills --skill business-logic-flaws

  • SKILL.md24.5 KB

Overview

This skill explains how AI-generated code can introduce business logic vulnerabilities such as race conditions, integer overflow, and calculation errors that pass functional tests but create security holes. It shows common failure patterns, real-world impacts, and concrete mitigation patterns you can apply to production systems. Use it to evaluate AI-assisted code and harden logic that touches money, inventory, or concurrent state.

How this skill works

The skill inspects code patterns where correctness on single requests masks failures under concurrency, extreme inputs, or precision edge cases. It highlights check-then-update flows, missing input validation, unbounded arithmetic, and absence of transactional or locking primitives. For each issue it outlines attack scenarios and provides concrete secure alternatives like DB transactions with row locking, distributed locks, atomic operations, and safe numeric handling with Decimal and strict bounds.

When to use it

  • Reviewing AI-generated endpoints that modify shared state (inventory, balances, counters).
  • Auditing payment, refund, discount, or coupon logic for negative/overflow outcomes.
  • Designing flash sales, reservation systems, or concurrent checkout flows.
  • Hardening systems where small calculation errors can cause financial loss or fraud.
  • Implementing input validation and limits for quantities, prices, and discounts.

Best practices

  • Treat every check-then-update as potentially racy; use transactions or distributed locks.
  • Enforce strict input validation: ranges, types, precision, and size limits before computing.
  • Use atomic DB operations or in-memory atomic counters for high-throughput stock updates.
  • Use fixed-point decimals (not floats) and cap intermediate totals to prevent overflow.
  • Log attempts that violate constraints and incrementally roll out stricter validation.

Example use cases

  • Secure a flash-sale purchase endpoint by replacing in-memory stock checks with transactional row locking.
  • Prevent refund abuse by validating quantity and ensuring totals never go negative.
  • Protect cart calculations using Decimal arithmetic, max-item and max-total guards, and minimum charge rules.
  • Convert AI-generated checkout logic into an auditable calculation version with detailed breakdowns.
  • Apply Redis-based distributed locks when a transactional DB cannot be used across services.

FAQ

Run concurrent request tests, use stress tests that simulate many simultaneous clients, and inspect check-then-update patterns in code for missing locks or transactions.

Are floating point errors really a security risk?

Yes — float precision can make discounts and totals unpredictable, enabling free purchases or negative charges; use fixed-point/Decimal and validate precision limits.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
business-logic-flaws skill by harperaa/secure-claude-skills | VeilStrat