omnistudio-security
Use when designing or reviewing OmniStudio security across OmniScripts, Integration Procedures, DataRaptors, custom LWCs, Apex actions, guest-user exposure, and outbound HTTP actions. Triggers: 'OmniStudio security', 'guest user omniscript', 'DataRaptor CRUD FLS', 'OmniStudio Apex security', 'HTTP action data exposure'. NOT for general portal identity architecture or generic Apex security reviews when OmniStudio is not the main surface.
Best use case
omnistudio-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using omnistudio-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/omnistudio-security/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How omnistudio-security Compares
| Feature / Agent | omnistudio-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when designing or reviewing OmniStudio security across OmniScripts, Integration Procedures, DataRaptors, custom LWCs, Apex actions, guest-user exposure, and outbound HTTP actions. Triggers: 'OmniStudio security', 'guest user omniscript', 'DataRaptor CRUD FLS', 'OmniStudio Apex security', 'HTTP action data exposure'. NOT for general portal identity architecture or generic Apex security reviews when OmniStudio is not the main surface.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OmniStudio Security

Use this skill when OmniStudio must be reviewed as a real application boundary, not just as a convenience layer. OmniScripts, DataRaptors, Integration Procedures, and custom Apex or LWC extensions can all expose or mutate data. Security defects usually appear where teams assume the OmniStudio layer is safe by default and skip the same rigor they would apply to a public API or site-exposed application.

The key is to review the whole chain: who the user is, what data the asset can access, which server-side code runs, what gets returned to the client, and what gets sent outside Salesforce. Guest and portal scenarios need the tightest design because broad Apex, permissive DataRaptor contracts, or overexposed HTTP responses become visible faster there than in internal-only use.

---

## Before Starting

Gather this context before working on anything in this domain:

- Is the OmniStudio surface internal, authenticated external, or guest-facing?
- Which OmniStudio assets are in play: OmniScript, Integration Procedure, DataRaptor, FlexCard, or custom component?
- Does the chain call Apex, invoke HTTP actions, or write data through DataRaptor Load?
- What is the minimum data the caller truly needs to see or modify?

---

## Core Concepts

### OmniStudio Does Not Replace Platform Security

CRUD, FLS, sharing, Apex execution context, and least-privilege integration design still matter. OmniStudio configuration does not automatically secure a weak server boundary.

### External Context Changes The Threat Model

Internal service processes and public or portal flows are not equivalent. Guest and portal users need a narrower data contract, tighter Apex review, and stronger exposure controls.

### Outbound And Inbound Data Contracts Need Review

DataRaptor outputs, Integration Procedure responses, and HTTP action payloads should return only what the consumer needs. Avoid treating intermediate data as safe to send simply because OmniStudio generated it.

### Custom Apex And LWC Are Security Multipliers

The riskiest OmniStudio assets are often the ones that bridge into Apex or custom client components. Their sharing model, CRUD/FLS enforcement, and external exposure are part of the OmniStudio review.

---

## Common Patterns

### Least-Data Response Pattern

**When to use:** OmniStudio returns data to OmniScript, FlexCard, or an external-facing surface.

**How it works:** Shape responses narrowly, strip internal-only fields, and separate operator diagnostics from end-user payloads.

**Why not the alternative:** Over-returned data becomes accidental exposure.

### Secure Extension Boundary Pattern

**When to use:** OmniStudio depends on Apex or custom LWC behavior.

**How it works:** Use explicit sharing and CRUD/FLS enforcement in Apex, and treat the component or action as a secure service boundary instead of a convenience helper.

### External-User Narrowing Pattern

**When to use:** The same business process has both internal and portal or guest variants.

**How it works:** Narrow fields, actions, and server dependencies for the external path instead of reusing the internal design unchanged.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Guest or portal OmniScript collects public input | Minimal field and action surface | Reduces exposure risk |
| Integration Procedure calls an external system | Named Credentials and narrow response contract | Safer auth and data handling |
| Custom Apex action sits behind OmniStudio | Explicit sharing and CRUD/FLS review | OmniStudio does not secure Apex automatically |
| DataRaptor writes records | Review write contract like any other data API | Declarative write paths still mutate data |
| Internal and external variants differ | Split or narrow the external contract | Safer than one broad reusable path |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] User context is explicit: internal, portal, or guest.
- [ ] Apex extensions declare and enforce security intentionally.
- [ ] DataRaptor and IP outputs return only necessary fields.
- [ ] HTTP actions use secure endpoint and credential patterns.
- [ ] External-user variants are narrowed rather than copied from internal designs.
- [ ] Sensitive diagnostics are not leaked through business-facing responses.

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **Declarative assets can still expose broad data** - DataRaptor and IP responses are still application contracts.
2. **Guest and portal access magnify small server mistakes** - weak Apex behind OmniStudio becomes a production security issue quickly.
3. **HTTP action security is not only about authentication** - response shape and downstream logging still matter.
4. **A secure internal OmniStudio design may be unsafe externally** - user context changes what "safe enough" means.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| OmniStudio security review | Findings on user context, data exposure, and extension safety |
| External-user hardening plan | Guidance for guest and portal narrowing |
| Secure-boundary recommendation | How to treat Apex, DataRaptors, and HTTP actions safely |

---

## Related Skills

- `omnistudio/integration-procedures` - use when HTTP action and orchestration safety is the main technical surface.
- `apex/apex-security-patterns` - use when the real issue sits in Apex execution context and CRUD/FLS enforcement.
- `flow/flow-for-experience-cloud` - use when the external-facing experience is primarily Flow rather than OmniStudio.
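
The Secure Extension Boundary and Least-Data Response patterns described in the skill, sketched as an Apex remote action. This is an added example, not code from the skill or its repository; the class name `CaseStatusAction`, the action name `getCaseStatus`, the `caseNumber` input key, and the response keys are hypothetical, and it assumes the OmniStudio caller passes `input` and `output` maps inside `args`.

```apex
// Added example: names are hypothetical, not taken from the skill.
public with sharing class CaseStatusAction implements System.Callable {

    public Object call(String action, Map<String, Object> args) {
        Map<String, Object> input  = (Map<String, Object>) args.get('input');
        Map<String, Object> output = (Map<String, Object>) args.get('output');
        // Allowlist the actions this boundary exposes; reject everything else.
        if (action != 'getCaseStatus') {
            output.put('error', 'Unsupported action');
            return false;
        }
        // Validate caller-supplied input before it reaches a query.
        Object raw = input == null ? null : input.get('caseNumber');
        if (!(raw instanceof String) || String.isBlank((String) raw)) {
            output.put('error', 'Invalid request');
            return false;
        }
        String caseNumber = (String) raw;
        try {
            // WITH USER_MODE enforces object permissions, FLS, and sharing
            // for the running user, including a guest or portal user.
            List<Case> rows = [
                SELECT CaseNumber, Status
                FROM Case
                WHERE CaseNumber = :caseNumber
                WITH USER_MODE
                LIMIT 1
            ];
            if (rows.isEmpty()) {
                // Same message for "not found" and "not visible".
                output.put('error', 'Invalid request');
                return false;
            }
            // Least-data response: return named fields, never the sObject.
            output.put('caseStatus', new Map<String, Object>{
                'caseNumber' => rows[0].CaseNumber,
                'status'     => rows[0].Status
            });
            return true;
        } catch (QueryException e) {
            // Keep permission and query diagnostics out of the client payload.
            output.put('error', 'Invalid request');
            return false;
        }
    }
}
```
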
Related Skills
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
security-incident-response
When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.
security-health-check
Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.
network-security-and-trusted-ips
Configure and audit Salesforce network security controls — trusted IP ranges (org-wide Network Access), login IP ranges on profiles, CSP Trusted Sites for Lightning components, CORS allowlists for external JavaScript, and TLS requirements — and troubleshoot login-blocked-by-IP or CSP violation errors. NOT for org-wide session settings, MFA configuration, or real-time Transaction Security Policies.
guest-user-security
Use when hardening the Experience Cloud guest user profile, controlling unauthenticated access to records and Apex, or investigating data exposure through guest SOQL. Covers object permissions, sharing model enforcement for unauthenticated users, and Apex execution context. NOT for Experience Cloud site creation (use Experience Cloud skills) or for authenticated external user security (use security/experience-cloud-security).
guest-user-security-audit
Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).
experience-cloud-security
Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).
connected-app-security-policies
Managing OAuth policies, IP relaxation, session security, PKCE, and credential rotation for Salesforce Connected Apps. Use when hardening Connected App security, rotating client secrets, configuring IP restrictions, or requiring high-assurance sessions. NOT for basic Connected App setup or creation. NOT for OAuth flow implementation (use oauth-flows-and-connected-apps).
api-security-and-rate-limiting
Use when configuring, auditing, or troubleshooting API rate limits, Connected App OAuth scope restriction, Connected App IP restrictions, API session policies, or API usage monitoring in a Salesforce org. Trigger keywords: 'API rate limit', '429 error', 'OAuth scope restriction', 'Connected App IP restriction', 'API usage monitoring', 'concurrent API limits', 'Bulk API limits'. NOT for OAuth flow implementation, token exchange mechanics, or general Connected App setup — use security/oauth-flows-and-connected-apps for those.
vlocity-to-native-omnistudio-migration
Use when migrating an org from the Vlocity managed package (vlocity_ins, vlocity_cmt, vlocity_ps) to native OmniStudio. Trigger keywords: Vlocity to OmniStudio migration, namespace migration, vlocity_ins to omnistudio, OmniStudio Migration Tool, DataRaptor namespace update, OmniScript JSON export, managed package to native. NOT for new OmniStudio setup in greenfield orgs, nor for migrating between OmniStudio-native orgs, nor for Salesforce CPQ to Industries CPQ migration.
omnistudio-vs-flow-decision
Use when choosing between OmniStudio (OmniScript / Integration Procedure / FlexCard / DataRaptor) and Flow / Screen Flow / Apex for a given capability. Triggers: 'omnistudio or flow', 'omniscript vs screen flow', 'integration procedure vs subflow', 'flexcard vs lightning page'. NOT for general automation selection across Workflow/Process Builder/Apex (see automation-selection tree).