BuilderIO/security
.agents/skills/security/SKILL.md
Secure coding practices for agent-native apps: input validation, SQL injection, XSS, secrets, data scoping, and auth. Use when writing any action, route, or component that touches user data or external input.
$ install --global
skillsauthnpx skillsauth add BuilderIO/agent-native securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 7:36 PM7.0s1 file scanned
SKILL.md
- name:
- security
- description:
- >-
- Secure coding practices for agent-native apps:
- input validation, SQL
Security
Rule
Use the framework's security primitives everywhere. Never bypass them.
Input Validation
Use defineAction with a Zod schema: for every action. The framework validates input automatically and returns clear 400 errors for HTTP callers and structured error results for agent tool calls.
export default defineAction({
schema: z.object({
email: z.string().email(),
role: z.enum(["admin", "member"]),
limit: z.coerce.number().int().min(1).max(100).default(25),
}),
run: async (args) => { /* args is fully typed and validated */ },
});
The legacy parameters: field (plain JSON Schema) has no runtime validation — do not use it for new code.
SQL Injection
Never concatenate user input into SQL strings. Use Drizzle ORM's query builder (always safe) or parameterized queries:
// Safe — Drizzle ORM
await db.select().from(users).where(eq(users.email, args.email));
// Safe — parameterized raw SQL
await client.execute({ sql: "SELECT * FROM users WHERE id = ?", args: [id] });
// NEVER do this
await client.execute(`SELECT * FROM users WHERE id = '${id}'`);
XSS
- React auto-escapes JSX content — trust it.
- Never use
dangerouslySetInnerHTML,innerHTML,eval(), ordocument.write()with user-controlled content. - For rich text editing, use TipTap (framework dependency).
- For rendering markdown, use
react-markdown.
Secrets
- API keys and credentials go in
.envonly (gitignored). - OAuth tokens go in the
oauth_tokensstore viasaveOAuthTokens(). - Never store secrets in
settings,application_state, source code, or action responses sent to the client.
Auth
- All actions are protected by the auth guard automatically.
- If you must create custom
/api/routes, always callgetSession(event)and reject requests without a session:
import { getSession } from "@agent-native/core/server";
export default defineEventHandler(async (event) => {
const session = await getSession(event);
if (!session) throw createError({ statusCode: 401 });
// ...
});
- Never create unprotected routes that modify data.
Data Scoping
In production, the framework automatically restricts all agent SQL queries to the current user's data using temporary views. This is enforced at the SQL level — the agent cannot bypass it.
Per-User Scoping (owner_email)
Every template table with user data must have an owner_email text column:
- Framework detects
owner_emailvia schema introspection - Creates temp views
WHERE owner_email = <current user>before each query - Auto-injects
owner_emailinto INSERT statements
The current user is resolved from AGENT_USER_EMAIL (set automatically from the session).
Per-Org Scoping (org_id)
For multi-org apps, tables also need org_id:
WHERE org_id = <current org>is added (in addition toowner_emailif present)org_idis auto-injected into INSERT statements
Enable org scoping in the agent-chat plugin:
createAgentChatPlugin({
resolveOrgId: async (event) => {
const ctx = await getOrgContext(event);
return ctx.orgId;
},
});
Column Conventions
| Column | Purpose | Required |
| ------------- | ----------------------- | ------------------------------- |
| owner_email | Per-user data isolation | Yes, for all user-facing tables |
| org_id | Per-org data isolation | Yes, for multi-org apps |
Run pnpm action db-check-scoping to verify. Use --require-org for multi-org apps.
Checklist
- [ ] New action uses
defineActionwith a Zodschema: - [ ] No SQL string concatenation with user input
- [ ] No
dangerouslySetInnerHTMLwith user content - [ ] New env vars in
.envonly, not committed - [ ] New user-data tables have
owner_emailcolumn - [ ] Custom routes call
getSessionand reject unauthenticated requests
Related Skills
storing-data— SQL patterns and the agent's db toolsactions—defineActionwith Zod schema validationauthentication— Auth modes, sessions, and org context
Related Skills
BuilderIO/booker
tools
VerifiedTrustedCommunity
Public booking flow — the state machine, animations, and URL/app-state sync.
108SKILL.mdUpdated Apr 19, 2026
BuilderIO/workflows
tools
VerifiedTrustedCommunity
Trigger-based automations — reminders, follow-ups, webhooks — across the booking lifecycle.
46SKILL.mdUpdated Apr 19, 2026
BuilderIO/team-scheduling
tools
VerifiedTrustedCommunity
Team event types, round-robin assignment, collective bookings, host weights, and no-show calibration.
46SKILL.mdUpdated Apr 19, 2026
BuilderIO/slot-engine
development
VerifiedTrustedCommunity
The pure `computeAvailableSlots` function — inputs, outputs, invariants, and debugging guide.
46SKILL.mdUpdated Apr 19, 2026