sst-best-practices
Provides expert guidance on best practices for building and optimizing full-stack serverless applications using the SST framework.
Security score: 65/100
The sst-best-practices skill was audited on Apr 5, 2026 and we found 5 security issues across 2 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues

high (line 289): Template literal with variable interpolation in command context
Source: SKILL.md
| 289 | - Stage-aware domains: `$app.stage === "production" ? "api.example.com" : \`${$app.stage}.api.example.com\`` |

medium (line 124): Access to .env file
Source: SKILL.md
| 124 | Use SST's `link` + `Resource` for all resource access. It auto-generates IAM permissions and provides type-safe config injection. Never use raw `process.env` for resource names/ARNs. |

medium (line 147): Access to .env file
Source: SKILL.md
| 147 | | `environment: {}` | Non-sensitive config that can't use link (e.g., feature flags, external URLs) | Plaintext | `process.env.X` | |

medium (line 339): Access to .env file
Source: SKILL.md
| 339 | | `process.env.TABLE_NAME` for resource names | Use `link` + `Resource` | |

medium (line 344): Access to .env file
Source: SKILL.md
| 344 | | Secrets in `.env` files | Use `sst.Secret` | |
Scanned on Apr 5, 2026