{"id":"3e3f45bd-ba8e-4b6a-b1fb-591eac123fc0","shortId":"tneeum","kind":"skill","title":"cc-skill-security-review","tagline":"This skill ensures all code follows security best practices and identifies potential vulnerabilities. Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints.","description":"# Security Review Skill\n\nThis skill ensures all code follows security best practices and identifies potential vulnerabilities.\n\n## When to Use\n- Implementing authentication or authorization\n- Handling user input or file uploads\n- Creating new API endpoints\n- Working with secrets or credentials\n- Implementing payment features\n- Storing or transmitting sensitive data\n- Integrating third-party APIs\n\n## Security Checklist\n\n### 1. Secrets Management\n\n#### ❌ NEVER Do This\n```typescript\nconst apiKey = \"sk-proj-xxxxx\"  // Hardcoded secret\nconst dbPassword = \"password123\" // In source code\n```\n\n#### ✅ ALWAYS Do This\n```typescript\nconst apiKey = process.env.OPENAI_API_KEY\nconst dbUrl = process.env.DATABASE_URL\n\n// Verify secrets exist\nif (!apiKey) {\n  throw new Error('OPENAI_API_KEY not configured')\n}\n```\n\n#### Verification Steps\n- [ ] No hardcoded API keys, tokens, or passwords\n- [ ] All secrets in environment variables\n- [ ] `.env.local` in .gitignore\n- [ ] No secrets in git history\n- [ ] Production secrets in hosting platform (Vercel, Railway)\n\n### 2. 
Input Validation\n\n#### Always Validate User Input\n```typescript\nimport { z } from 'zod'\n\n// Define validation schema\nconst CreateUserSchema = z.object({\n  email: z.string().email(),\n  name: z.string().min(1).max(100),\n  age: z.number().int().min(0).max(150)\n})\n\n// Validate before processing\nexport async function createUser(input: unknown) {\n  try {\n    const validated = CreateUserSchema.parse(input)\n    return await db.users.create(validated)\n  } catch (error) {\n    if (error instanceof z.ZodError) {\n      return { success: false, errors: error.errors }\n    }\n    throw error\n  }\n}\n```\n\n#### File Upload Validation\n```typescript\nfunction validateFileUpload(file: File) {\n  // Size check (5MB max)\n  const maxSize = 5 * 1024 * 1024\n  if (file.size > maxSize) {\n    throw new Error('File too large (max 5MB)')\n  }\n\n  // Type check\n  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']\n  if (!allowedTypes.includes(file.type)) {\n    throw new Error('Invalid file type')\n  }\n\n  // Extension check\n  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']\n  const extension = file.name.toLowerCase().match(/\\.[^.]+$/)?.[0]\n  if (!extension || !allowedExtensions.includes(extension)) {\n    throw new Error('Invalid file extension')\n  }\n\n  return true\n}\n```\n\n#### Verification Steps\n- [ ] All user inputs validated with schemas\n- [ ] File uploads restricted (size, type, extension)\n- [ ] No direct use of user input in queries\n- [ ] Whitelist validation (not blacklist)\n- [ ] Error messages don't leak sensitive info\n\n### 3. 
SQL Injection Prevention\n\n#### ❌ NEVER Concatenate SQL\n```typescript\n// DANGEROUS - SQL Injection vulnerability\nconst query = `SELECT * FROM users WHERE email = '${userEmail}'`\nawait db.query(query)\n```\n\n#### ✅ ALWAYS Use Parameterized Queries\n```typescript\n// Safe - parameterized query\nconst { data } = await supabase\n  .from('users')\n  .select('*')\n  .eq('email', userEmail)\n\n// Or with raw SQL\nawait db.query(\n  'SELECT * FROM users WHERE email = $1',\n  [userEmail]\n)\n```\n\n#### Verification Steps\n- [ ] All database queries use parameterized queries\n- [ ] No string concatenation in SQL\n- [ ] ORM/query builder used correctly\n- [ ] Supabase queries properly sanitized\n\n### 4. Authentication & Authorization\n\n#### JWT Token Handling\n```typescript\n// ❌ WRONG: localStorage (vulnerable to XSS)\nlocalStorage.setItem('token', token)\n\n// ✅ CORRECT: httpOnly cookies\nres.setHeader('Set-Cookie',\n  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)\n```\n\n#### Authorization Checks\n```typescript\nimport { NextResponse } from 'next/server'\n\nexport async function deleteUser(userId: string, requesterId: string) {\n  // ALWAYS verify authorization first\n  const requester = await db.users.findUnique({\n    where: { id: requesterId }\n  })\n\n  // Fail closed: an unknown requester is rejected instead of crashing on .role\n  if (!requester || requester.role !== 'admin') {\n    return NextResponse.json(\n      { error: 'Forbidden' },\n      { status: 403 }\n    )\n  }\n\n  // Proceed with deletion\n  await db.users.delete({ where: { id: userId } })\n  return NextResponse.json({ success: true })\n}\n```\n\n#### Row Level Security (Supabase)\n```sql\n-- Enable RLS on all tables\nALTER TABLE users ENABLE ROW LEVEL SECURITY;\n\n-- Users can only view their own data\nCREATE POLICY \"Users view own data\"\n  ON users FOR SELECT\n  USING (auth.uid() = id);\n\n-- Users can only update their own data\nCREATE POLICY \"Users update own data\"\n  ON users FOR UPDATE\n  USING (auth.uid() = id);\n```\n\n#### Verification Steps\n- [ ] Tokens stored in httpOnly cookies (not localStorage)\n- [ ] Authorization checks before 
sensitive operations\n- [ ] Row Level Security enabled in Supabase\n- [ ] Role-based access control implemented\n- [ ] Session management secure\n\n### 5. XSS Prevention\n\n#### Sanitize HTML\n```tsx\nimport DOMPurify from 'isomorphic-dompurify'\n\n// ALWAYS sanitize user-provided HTML\nfunction renderUserContent(html: string) {\n  const clean = DOMPurify.sanitize(html, {\n    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],\n    ALLOWED_ATTR: []\n  })\n  return <div dangerouslySetInnerHTML={{ __html: clean }} />\n}\n```\n\n#### Content Security Policy\n```typescript\n// next.config.js\nconst securityHeaders = [\n  {\n    key: 'Content-Security-Policy',\n    // NOTE: 'unsafe-eval' and 'unsafe-inline' in script-src largely negate the\n    // XSS protection CSP gives; prefer nonces or hashes and drop them as soon\n    // as the app no longer needs inline scripts\n    value: `\n      default-src 'self';\n      script-src 'self' 'unsafe-eval' 'unsafe-inline';\n      style-src 'self' 'unsafe-inline';\n      img-src 'self' data: https:;\n      font-src 'self';\n      connect-src 'self' https://api.example.com;\n    `.replace(/\\s{2,}/g, ' ').trim()\n  }\n]\n```\n\n#### Verification Steps\n- [ ] User-provided HTML sanitized\n- [ ] CSP headers configured\n- [ ] No unvalidated dynamic content rendering\n- [ ] React's built-in XSS protection used\n\n### 6. CSRF Protection\n\n#### CSRF Tokens\n```typescript\nimport { NextResponse } from 'next/server'\nimport { csrf } from '@/lib/csrf'\n\nexport async function POST(request: Request) {\n  // Header is absent (null) when the client never sent it; treat that as invalid\n  const token = request.headers.get('X-CSRF-Token')\n\n  if (!token || !csrf.verify(token)) {\n    return NextResponse.json(\n      { error: 'Invalid CSRF token' },\n      { status: 403 }\n    )\n  }\n\n  // Process request\n}\n```\n\n#### SameSite Cookies\n```typescript\nres.setHeader('Set-Cookie',\n  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)\n```\n\n#### Verification Steps\n- [ ] CSRF tokens on state-changing operations\n- [ ] SameSite=Strict on all cookies\n- [ ] Double-submit cookie pattern implemented\n\n### 7. 
Rate Limiting\n\n#### API Rate Limiting\n```typescript\nimport rateLimit from 'express-rate-limit'\n\nconst limiter = rateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 100, // 100 requests per window\n  message: 'Too many requests'\n})\n\n// Apply to routes\napp.use('/api/', limiter)\n```\n\n#### Expensive Operations\n```typescript\n// Aggressive rate limiting for searches\nconst searchLimiter = rateLimit({\n  windowMs: 60 * 1000, // 1 minute\n  max: 10, // 10 requests per minute\n  message: 'Too many search requests'\n})\n\napp.use('/api/search', searchLimiter)\n```\n\n#### Verification Steps\n- [ ] Rate limiting on all API endpoints\n- [ ] Stricter limits on expensive operations\n- [ ] IP-based rate limiting\n- [ ] User-based rate limiting (authenticated)\n\n### 8. Sensitive Data Exposure\n\n#### Logging\n```typescript\n// ❌ WRONG: Logging sensitive data\nconsole.log('User login:', { email, password })\nconsole.log('Payment:', { cardNumber, cvv })\n\n// ✅ CORRECT: Redact sensitive data\nconsole.log('User login:', { email, userId })\nconsole.log('Payment:', { last4: card.last4, userId })\n```\n\n#### Error Messages\n```typescript\n// ❌ WRONG: Exposing internal details\ncatch (error) {\n  return NextResponse.json(\n    { error: error.message, stack: error.stack },\n    { status: 500 }\n  )\n}\n\n// ✅ CORRECT: Generic error messages\ncatch (error) {\n  console.error('Internal error:', error)\n  return NextResponse.json(\n    { error: 'An error occurred. Please try again.' },\n    { status: 500 }\n  )\n}\n```\n\n#### Verification Steps\n- [ ] No passwords, tokens, or secrets in logs\n- [ ] Error messages generic for users\n- [ ] Detailed errors only in server logs\n- [ ] No stack traces exposed to users\n\n### 9. 
Blockchain Security (Solana)\n\n#### Wallet Verification\n```typescript\nimport nacl from 'tweetnacl'\nimport { PublicKey } from '@solana/web3.js'\n\n// Solana wallets sign with Ed25519. @solana/web3.js does not export a `verify`\n// function, so the check uses tweetnacl; the public key is base58 (as wallets\n// return it) and is decoded through PublicKey\nfunction verifyWalletOwnership(\n  publicKey: string,   // base58-encoded wallet address\n  signature: string,   // base64-encoded 64-byte Ed25519 signature\n  message: string      // the exact challenge the server issued\n): boolean {\n  try {\n    return nacl.sign.detached.verify(\n      Buffer.from(message),\n      Buffer.from(signature, 'base64'),\n      new PublicKey(publicKey).toBytes()\n    )\n  } catch {\n    // Malformed key or signature: fail closed\n    return false\n  }\n}\n```\n\n#### Transaction Verification\n```typescript\n// Application-level payment request, not a web3.js Transaction object\ninterface PaymentRequest {\n  from: string\n  to: string\n  amount: number\n}\n\nasync function verifyTransaction(\n  transaction: PaymentRequest,\n  expectedRecipient: string,\n  maxAmount: number,\n  getBalance: (address: string) => Promise<number>\n) {\n  // Verify recipient\n  if (transaction.to !== expectedRecipient) {\n    throw new Error('Invalid recipient')\n  }\n\n  // Verify amount (reject NaN, negative and zero as well as over-limit)\n  if (!Number.isFinite(transaction.amount) || transaction.amount <= 0) {\n    throw new Error('Invalid amount')\n  }\n  if (transaction.amount > maxAmount) {\n    throw new Error('Amount exceeds limit')\n  }\n\n  // Verify user has sufficient balance\n  const balance = await getBalance(transaction.from)\n  if (balance < transaction.amount) {\n    throw new Error('Insufficient balance')\n  }\n\n  return true\n}\n```\n\n#### Verification Steps\n- [ ] Wallet signatures verified\n- [ ] Transaction details validated\n- [ ] Balance checks before transactions\n- [ ] No blind transaction signing\n\n### 10. 
Dependency Security\n\n#### Regular Updates\n```bash\n# Check for vulnerabilities\nnpm audit\n\n# Fix automatically fixable issues\nnpm audit fix\n\n# Update dependencies\nnpm update\n\n# Check for outdated packages\nnpm outdated\n```\n\n#### Lock Files\n```bash\n# ALWAYS commit lock files\ngit add package-lock.json\n\n# Use in CI/CD for reproducible builds\nnpm ci  # Instead of npm install\n```\n\n#### Verification Steps\n- [ ] Dependencies up to date\n- [ ] No known vulnerabilities (npm audit clean)\n- [ ] Lock files committed\n- [ ] Dependabot enabled on GitHub\n- [ ] Regular security updates\n\n## Security Testing\n\n### Automated Security Tests\n```typescript\n// Test authentication\ntest('requires authentication', async () => {\n  const response = await fetch('/api/protected')\n  expect(response.status).toBe(401)\n})\n\n// Test authorization\ntest('requires admin role', async () => {\n  const response = await fetch('/api/admin', {\n    headers: { Authorization: `Bearer ${userToken}` }\n  })\n  expect(response.status).toBe(403)\n})\n\n// Test input validation\ntest('rejects invalid input', async () => {\n  const response = await fetch('/api/users', {\n    method: 'POST',\n    body: JSON.stringify({ email: 'not-an-email' })\n  })\n  expect(response.status).toBe(400)\n})\n\n// Test rate limiting\ntest('enforces rate limits', async () => {\n  const requests = Array(101).fill(null).map(() =>\n    fetch('/api/endpoint')\n  )\n\n  const responses = await Promise.all(requests)\n  const tooManyRequests = responses.filter(r => r.status === 429)\n\n  expect(tooManyRequests.length).toBeGreaterThan(0)\n})\n```\n\n## Pre-Deployment Security Checklist\n\nBefore ANY production deployment:\n\n- [ ] **Secrets**: No hardcoded secrets, all in env vars\n- [ ] **Input Validation**: All user inputs validated\n- [ ] **SQL Injection**: All queries parameterized\n- [ ] **XSS**: User content sanitized\n- [ ] **CSRF**: Protection enabled\n- [ ] **Authentication**: Proper token 
handling\n- [ ] **Authorization**: Role checks in place\n- [ ] **Rate Limiting**: Enabled on all endpoints\n- [ ] **HTTPS**: Enforced in production\n- [ ] **Security Headers**: CSP, X-Frame-Options configured\n- [ ] **Error Handling**: No sensitive data in errors\n- [ ] **Logging**: No sensitive data logged\n- [ ] **Dependencies**: Up to date, no vulnerabilities\n- [ ] **Row Level Security**: Enabled in Supabase\n- [ ] **CORS**: Properly configured\n- [ ] **File Uploads**: Validated (size, type)\n- [ ] **Wallet Signatures**: Verified (if blockchain)\n\n## Resources\n\n- [OWASP Top 10](https://owasp.org/www-project-top-ten/)\n- [Next.js Security](https://nextjs.org/docs/security)\n- [Supabase Security](https://supabase.com/docs/guides/auth)\n- [Web Security Academy](https://portswigger.net/web-security)\n\n---\n\n**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.\n\n### When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are 
missing.","tags":["skill","security","review","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-cc-skill-security-review","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/cc-skill-security-review","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 37911 github stars · SKILL.md body (12,344 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:50:45.532Z","embedding":null,"createdAt":"2026-04-18T20:35:41.298Z","updatedAt":"2026-05-18T18:50:45.532Z","lastSeenAt":"2026-05-18T18:50:45.532Z","prices":[{"id":"3e4726de-eef8-4e17-bf7b-a904bb22ebf3","listingId":"3e3f45bd-ba8e-4b6a-b1fb-591eac123fc0","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T20:35:41.298Z"}],"sources":[{"listingId":"3e3f45bd-ba8e-4b6a-b1fb-591eac123fc0","source":"github","sourceId":"sickn33/antigravity-awesome-skills/cc-skill-security-review","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/cc-skill-security-review","isPrimary":false,"firstSeenAt":"2026-04-18T21:34:07.149Z","lastSeenAt":"2026-05-18T18:50:45.532Z"},{"listingId":"3e3f45bd-ba8e-4b6a-b1fb-591eac123fc0","source":"skills_sh","sourceId":"sickn33/antigravity-awesome-skills/cc-skill-security-review","sourceUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/cc-skill-security-review","isPrimary":true,"firstSeenAt":"2026-04-18T20:35:41.298Z","lastSeenAt":"2026-05-07T22:40:40.210Z"}],"details":{"listingId":"3e3f45bd-ba8e-4b6a-b1fb-591eac123fc0","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"cc-skill-security-review","github":{"repo":"sickn33/antigravity-awesome-skills","stars":37911,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-05-18T08:24:49Z","desc
ription":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"ccacefd32433e5968407ac236ac7b1257e35adff","skill_md_path":"skills/cc-skill-security-review/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/cc-skill-security-review"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"cc-skill-security-review","description":"This skill ensures all code follows security best practices and identifies potential vulnerabilities. Use when implementing authentication or authorization, handling user input or file uploads, or creating new API endpoints."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/cc-skill-security-review"},"updatedAt":"2026-05-18T18:50:45.532Z"}}