security_skill
- HTML
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill trantuananh-17/product-reviews --skill security- SKILL.md5.8 KB
Overview
This skill provides a focused security audit checklist and concrete patterns for web APIs and services. It highlights high-risk issues like IDOR, unauthenticated PII exposure, missing auth, shop isolation, webhook HMAC verification, and input validation. Use it to quickly assess authentication, authorization, PII handling, webhook integrity, and database rules.
How this skill works
It inspects endpoint types, auth requirements, and common code patterns to identify insecure sources of shop or user identity (params/query vs. session). It verifies HMAC webhook and popup signature logic, checks ownership enforcement for reads/updates/deletes, and ensures PII is never returned from public endpoints. The skill provides grep commands, secure code snippets, Firestore/storage rule examples, and a checklist for manual audits.
When to use it
- When asked to audit security or check for vulnerabilities in APIs
- When reviewing authentication and authorization flows
- To prevent IDOR or shop-data leakage
- When validating webhook or popup signature implementations
- When ensuring PII is excluded from public responses
- During pre-release security reviews or incident triage
Best practices
- Always derive shopId from authenticated session/state (getCurrentShop) not request params
- Scope all queries by shopId and verify resource.shopId before read/update/delete
- Whitelist response fields; never return email/phone/address on public endpoints
- Verify HMAC signatures for popups and webhooks and validate timestamps to prevent replay
- Use crypto.timingSafeEqual for HMAC comparisons and enforce secrets via env variables
- Validate and sanitize inputs; trim and limit string lengths and whitelist permitted fields
Example use cases
- Audit controllers and repositories for IDOR using grep commands provided
- Review popup/widget endpoints to implement HMAC + timestamp validation
- Validate webhook endpoints against Shopify HMAC best practices and rawBody signing
- Review API responses to remove PII from unauthenticated or public endpoints
- Implement Firestore/storage rules that enforce request.auth.token.shopId == resource.shopId
- Add ownership checks on update/delete flows to prevent cross-shop modification
FAQ
Search for direct getById/.doc(id).get() calls and usages of ctx.params or ctx.query for shop/user IDs. Replace with patterns that use getCurrentShop(ctx) and ownership checks before returning data.
What if I can’t change an upstream webhook to include an HMAC?
If HMAC is unavailable, require a shared secret in a separate header, restrict IPs, add timestamp+nonce checks, and treat the endpoint as high risk until a proper signature is added.