security-review
Ensures code adheres to security best practices, identifying vulnerabilities in authentication, API endpoints, and sensitive data handling.
Install this skill
Security score
The security-review skill was audited on Jun 14, 2026 and we found 18 security issues across 5 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 117 | const query = `SELECT * FROM users WHERE email = '${userEmail}'` |
Template literal with variable interpolation in command context
| 151 | `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) |
Template literal with variable interpolation in command context
| 268 | `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`) |
Template literal with variable interpolation in command context
| 448 | headers: { Authorization: `Bearer ${userToken}` } |
Fetch to external URL
| 441 | const response = await fetch('/api/protected') |
Fetch to external URL
| 447 | const response = await fetch('/api/admin', { |
Fetch to external URL
| 455 | const response = await fetch('/api/users', { |
Fetch to external URL
| 465 | fetch('/api/endpoint') |
Access to .env file
| 36 | const apiKey = process.env.OPENAI_API_KEY |
Access to .env file
| 37 | const dbUrl = process.env.DATABASE_URL |
Access to .env file
| 48 | - [ ] `.env.local` in .gitignore |
Buffer.from base64 decode
| 363 | Buffer.from(signature, 'base64'), |
Buffer.from base64 decode
| 364 | Buffer.from(publicKey, 'base64') |
External URL reference
| 233 | connect-src 'self' https://api.example.com; |
External URL reference
| 499 | - [OWASP Top 10](https://owasp.org/www-project-top-ten/) |
External URL reference
| 500 | - [Next.js Security](https://nextjs.org/docs/security) |
External URL reference
| 501 | - [Supabase Security](https://supabase.com/docs/guides/auth) |
External URL reference
| 502 | - [Web Security Academy](https://portswigger.net/web-security) |