sec-check

Security review checklist for Convex functions, auth logic, public queries, admin routes, webhooks, uploads, and AI-generated code. Use when reviewing code that touches user data, PII, or access control.

6 stars

Best use case

sec-check is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using sec-check should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/sec-check/SKILL.md --create-dirs "https://raw.githubusercontent.com/get-convex/components-submissions-directory/main/.claude/skills/sec-check/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/sec-check/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How sec-check Compares

Feature / Agent         | sec-check     | Standard Approach
Platform Support        | Not specified | Limited / Varies
Context Awareness       | High          | Baseline
Installation Complexity | Unknown       | N/A

Frequently Asked Questions

What does this skill do?

Security review checklist for Convex functions, auth logic, public queries, admin routes, webhooks, uploads, and AI-generated code. Use when reviewing code that touches user data, PII, or access control.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Review Skill

Use this skill when reviewing Convex functions, auth logic, public query shapes, admin routes, webhooks, uploads, or any AI-generated code that touches user data.

## When to use it

Reach for this skill when:

- a mutation writes user or admin data
- a public query returns package or user data
- an internal function should be separated from a public wrapper
- a form collects names, emails, or other contact info
- a webhook, upload, or API key flow is added
- AI-generated code needs a security pass before shipping

## Auth and ownership checks

- Call `ctx.auth.getUserIdentity()` before authenticated writes.
- Never trust client-supplied user ids for ownership.
- Prefer indexed ownership checks over fetch-then-compare patterns.
- Use `internalQuery`, `internalMutation`, and `internalAction` for sensitive backend work.
- Keep public wrappers thin. Do auth and access checks there, then call internal functions.
- Return generic `Not found`-style errors when you should not reveal existence.

## Data exposure rules

- Public queries should return public-safe shapes only.
- Strip PII like email, name, Discord handle, internal notes, AI review details, or admin metadata unless the caller is allowed to see them.
- Add explicit return validators on public functions so the response shape stays tight.
- Mutations should return minimal data, usually ids or `null`, not the submitted object.
- Treat everything returned by a query as visible in browser DevTools and WebSocket traffic.
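The rules above in working form, as an added example that is not part of the sec-check skill or of the Convex library: a package record is projected onto an explicit public-safe shape, and a runtime check standing in for a Convex `returns` validator rejects any response that carries extra keys. The `PackageDoc` fields and the sample record are constructed for this example.

```typescript
// Added example (not from the sec-check skill or Convex). The record shape,
// field names and sample values are constructed for illustration.

interface PackageDoc {
  _id: string;
  name: string;
  description: string;
  downloads: number;
  submitterEmail: string;   // PII: must not leave the server on public paths
  submitterDiscord: string; // PII
  internalNotes: string;    // admin-only
  aiReview: { score: number; rationale: string }; // admin-only
}

// The only shape a public query is allowed to return.
interface PublicPackage {
  _id: string;
  name: string;
  description: string;
  downloads: number;
}

const PUBLIC_KEYS: readonly string[] = ["_id", "name", "description", "downloads"];

// Build the public shape by picking allowed fields (allowlist). Picking, rather
// than deleting known-sensitive fields, means a column added to the schema
// later is hidden by default instead of leaked by default.
function toPublicPackage(doc: PackageDoc): PublicPackage {
  return {
    _id: doc._id,
    name: doc.name,
    description: doc.description,
    downloads: doc.downloads,
  };
}

// Runtime check modelled on a `returns` validator: exactly the allowed keys,
// with the expected primitive types. Throws on any extra key, so a handler
// that accidentally returns the raw document fails loudly instead of leaking.
function assertPublicShape(value: unknown): asserts value is PublicPackage {
  if (typeof value !== "object" || value === null) throw new Error("not an object");
  const obj = value as Record<string, unknown>;
  const extra = Object.keys(obj).filter((k) => !PUBLIC_KEYS.includes(k));
  if (extra.length > 0) throw new Error(`return shape leaks fields: ${extra.join(", ")}`);
  if (
    typeof obj._id !== "string" || typeof obj.name !== "string" ||
    typeof obj.description !== "string" || typeof obj.downloads !== "number"
  ) {
    throw new Error("return shape has wrong field types");
  }
}

// Simulated public query handler: project, then validate, then return.
function getPackagePublic(doc: PackageDoc | null): PublicPackage | null {
  if (doc === null) return null;
  const out = toPublicPackage(doc);
  assertPublicShape(out);
  return out;
}

// What the checklist warns about: a handler returning the raw document.
// Returns the validator's error message so the leak is visible, or null if none.
function leaksRawDocument(doc: PackageDoc): string | null {
  try {
    assertPublicShape(doc);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}

// Constructed sample record for the example.
const SAMPLE: PackageDoc = {
  _id: "pkg_42",
  name: "rate-limiter",
  description: "Token bucket rate limiting for Convex functions",
  downloads: 1280,
  submitterEmail: "alice@example.com",
  submitterDiscord: "alice#0001",
  internalNotes: "flagged once for a naming collision",
  aiReview: { score: 0.92, rationale: "no issues found" },
};
```

The same projection function can back an admin query that returns the full record after an explicit admin check; the point is that the public path never has access to a code path that returns `doc` itself.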

## Sensitive integrations

- Keep secrets in server-side environment variables only.
- Validate webhook signatures before processing.
- Restrict CORS for sensitive endpoints.
- Validate upload types and file sizes server-side.
- Do not send user PII into AI prompts when it is not required for the task.
- Use simple actor labels like `AI` or `System`, not fake email addresses, for automated actions.

## AI-generated code checks

- Watch for missing `returns` validators.
- Watch for public `query` or `mutation` usage where `internal*` should be used.
- Watch for `ctx.db.get()` plus client-supplied ids in ownership checks.
- Watch for full objects returned from public queries or mutations.
- Watch for vague or over-detailed error messages that leak internal state.
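An added example covering both the "Auth and ownership checks" rules and the AI-generated code checks above. It is not code from the sec-check skill or from Convex: `Ctx` is a small synchronous stand-in for the Convex `ctx` object (the real `ctx.auth.getUserIdentity()` returns a Promise and must be awaited), and `getOwned` stands in for an indexed lookup keyed on owner and id. The flawed handler shows the `ctx.db.get()` plus client-supplied id pattern the checklist flags, next to the thin public wrapper that takes identity from the session, uses the indexed ownership check, returns a generic error, and hands the write to an internal function. Table contents and user ids are constructed.

```typescript
// Added example (not from the sec-check skill or Convex). `Ctx` is a
// constructed stand-in for the Convex ctx; all ids below are sample values.

interface Identity { subject: string } // stable user id from the auth provider
interface Note { _id: string; ownerId: string; body: string }

interface Ctx {
  auth: { getUserIdentity(): Identity | null };
  db: {
    get(id: string): Note | null;
    // Stand-in for a query on an index like by_owner [ownerId, _id]: the note
    // comes back only when both match, so existence and ownership are one check.
    getOwned(ownerId: string, id: string): Note | null;
    patch(id: string, fields: Partial<Note>): void;
  };
}

function makeCtx(identity: Identity | null, seed: Note[]): Ctx {
  const table = new Map<string, Note>();
  for (const n of seed) table.set(n._id, { ...n });
  return {
    auth: { getUserIdentity: () => identity },
    db: {
      get: (id) => table.get(id) ?? null,
      getOwned: (ownerId, id) => {
        const n = table.get(id);
        return n !== undefined && n.ownerId === ownerId ? n : null;
      },
      patch: (id, fields) => {
        const n = table.get(id);
        if (n) Object.assign(n, fields);
      },
    },
  };
}

// ANTI-PATTERN the checklist flags: ownership decided by comparing a
// ctx.db.get() result against a userId the client sent. The session is never
// consulted, the error reveals whether the note exists, and the full object
// is returned to the caller.
function updateNoteUnsafe(ctx: Ctx, args: { noteId: string; userId: string; body: string }): Note {
  const note = ctx.db.get(args.noteId);
  if (!note) throw new Error(`note ${args.noteId} does not exist`);
  if (note.ownerId !== args.userId) throw new Error("not the owner");
  ctx.db.patch(note._id, { body: args.body });
  return ctx.db.get(note._id)!;
}

// Internal function: does the write, performs no auth of its own, and is only
// reachable from trusted server code (an internalMutation in Convex terms).
function internalUpdateNote(ctx: Ctx, noteId: string, body: string): void {
  ctx.db.patch(noteId, { body });
}

// Thin public wrapper: identity from the session, indexed ownership check,
// one generic error for "missing" and "not yours", minimal return value.
function updateNote(ctx: Ctx, args: { noteId: string; body: string }): null {
  const identity = ctx.auth.getUserIdentity();
  if (!identity) throw new Error("Unauthenticated");
  const note = ctx.db.getOwned(identity.subject, args.noteId);
  if (!note) throw new Error("Not found");
  internalUpdateNote(ctx, note._id, args.body);
  return null;
}

// Runs a handler and reports the thrown message, or "ok", so behaviours compare.
function outcome(fn: () => unknown): string {
  try {
    fn();
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}

// Constructed seed data for the example.
const SEED: Note[] = [{ _id: "n1", ownerId: "user_alice", body: "draft" }];
```

The review question for each mutation is simply which of the two shapes it has: does the ownership decision depend on anything the client sent other than the record id, and does the error text or return value say more than the caller is entitled to know?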

## Verification checklist

- Open the browser network panel and inspect WebSocket or XHR responses for sensitive fields.
- Hard refresh after deploying security changes so cached subscriptions do not fool the test.
- Verify public queries exclude PII and internal metadata.
- Verify admin queries require auth and admin checks before returning full data.
- Verify mutations return minimal data.
- Verify any new action or integration logs full errors only on the server side.
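A small helper for the first verification step, added here as an example that is not part of the sec-check skill: paste the JSON body of a WebSocket or XHR response copied from the browser network panel and it walks every nested object and array, reporting the path of each key that looks like PII or internal metadata. The key patterns and the sample response are constructed for this example; the exact framing of Convex subscription messages is not modelled, so the input is assumed to be the plain JSON value shown in the panel.

```typescript
// Added example (not from the sec-check skill). Patterns and sample payload
// are constructed; tune the patterns to the schema under review.

// Keys that should not appear in a public response. A package `name` is
// public, so user names are matched by their usual compound field names.
const SENSITIVE_KEY_PATTERNS: RegExp[] = [
  /email/i,
  /phone/i,
  /discord/i,
  /displayname|fullname|firstname|lastname|username/i,
  /internal/i,
  /admin/i,
  /aireview/i,
  /notes?$/i,
  /secret|token|apikey|password/i,
];

interface Finding {
  path: string;    // JSONPath-style location, e.g. $[0].submitter.email
  key: string;     // the offending key
  pattern: string; // source of the pattern that matched
}

// Recursive walk over parsed JSON. Arrays are indexed, objects are descended
// key by key, and every key is tested against the pattern list on the way in.
function findSensitiveFields(value: unknown, path = "$"): Finding[] {
  const out: Finding[] = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => out.push(...findSensitiveFields(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
      const childPath = `${path}.${key}`;
      const hit = SENSITIVE_KEY_PATTERNS.find((re) => re.test(key));
      if (hit) out.push({ path: childPath, key, pattern: hit.source });
      out.push(...findSensitiveFields(child, childPath));
    }
  }
  return out;
}

// Entry point for text copied from the network panel. Non-JSON input yields
// no findings rather than an exception, so it can be run over many captures.
function scanCapturedResponse(text: string): Finding[] {
  let parsed: unknown;
  try {
    parsed = JSON.parse(text);
  } catch {
    return [];
  }
  return findSensitiveFields(parsed);
}

// Constructed sample: a public package listing that accidentally carries the
// submitter's contact details and the admin-only AI review on the first item.
const SAMPLE_RESPONSE = JSON.stringify([
  {
    _id: "pkg_1",
    name: "rate-limiter",
    downloads: 120,
    submitter: { displayName: "alice", email: "alice@example.com" },
    aiReview: { score: 0.9, rationale: "looks fine" },
  },
  { _id: "pkg_2", name: "cron-jobs", downloads: 40 },
]);
```

Run it again after the hard refresh the checklist calls for; a capture taken from a still-cached subscription will show the pre-fix shape and give a false sense of failure or success.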

Related Skills

workos-convex-debug (6 stars, from get-convex/components-submissions-directory)
Debug and troubleshoot WorkOS AuthKit authentication issues with Convex. Use when authentication fails, JWT validation errors occur, user identity returns null, email claims are missing, admin access checks fail, or sign in button does not work. Supports Netlify deployment.

workos-convex-auth (6 stars, from get-convex/components-submissions-directory)
Set up and configure WorkOS AuthKit authentication with Convex backend. Use when integrating AuthKit, configuring JWT providers, setting up environment variables, or implementing sign in and sign out flows with React and Vite. Supports Netlify deployment.

convex-scale-optimization (6 stars, from get-convex/components-submissions-directory)
Patterns for scaling read-heavy Convex apps to millions of users. Use when optimizing bandwidth, reducing query costs, fixing slow queries, creating digest tables, replacing reactive subscriptions with one-shot fetches, adding compound indexes, debouncing writes, rate-controlling backfills, or running npx convex insights. Trigger when users mention "scale", "bandwidth", "performance", "optimize", "slow queries", "expensive queries", "digest table", "denormalize", or "thundering herd" in the context of Convex.

convex-design-system (6 stars, from get-convex/components-submissions-directory)
Convex UI component patterns from the live Storybook preview. Use when building React components, forms, modals, navigation, feedback states, or app layouts that should match the current Convex design system. Applies to both shared primitives and dashboard style product UI.

Update project docs (6 stars, from get-convex/components-submissions-directory)
Sync project tracking files after completing work, then provide a ready to use git commit message.

typeset (6 stars, from get-convex/components-submissions-directory)
Improves typography by fixing font choices, hierarchy, sizing, weight, and readability so text feels intentional. Use when the user mentions fonts, type, readability, text hierarchy, sizing looks off, or wants more polished, intentional typography.

teach-impeccable (6 stars, from get-convex/components-submissions-directory)
One-time setup that gathers design context for your project and saves it to your AI config file. Run once to establish persistent design guidelines.

robel-auth (6 stars, from get-convex/components-submissions-directory)
Integrate and maintain Robelest Convex Auth in apps by always checking upstream before implementation. Use when adding auth setup, updating auth wiring, migrating between upstream patterns, or troubleshooting @robelest/convex-auth behavior across projects.

quieter (6 stars, from get-convex/components-submissions-directory)
Tones down visually aggressive or overstimulating designs, reducing intensity while preserving quality. Use when the user mentions too bold, too loud, overwhelming, aggressive, garish, or wants a calmer, more refined aesthetic.

polish (6 stars, from get-convex/components-submissions-directory)
Performs a final quality pass fixing alignment, spacing, consistency, and micro-detail issues before shipping. Use when the user mentions polish, finishing touches, pre-launch review, something looks off, or wants to go from good to great.

overdrive (6 stars, from get-convex/components-submissions-directory)
Pushes interfaces past conventional limits with technically ambitious implementations: shaders, spring physics, scroll-driven reveals, 60fps animations. Use when the user wants to wow, impress, go all-out, or make something that feels extraordinary.

optimize (6 stars, from get-convex/components-submissions-directory)
Diagnoses and fixes UI performance across loading speed, rendering, animations, images, and bundle size. Use when the user mentions slow, laggy, janky, performance, bundle size, load time, or wants a faster, smoother experience.