Unlighted01/security-scan
.claude/skills/quality/security-scan/SKILL.md
Scan the ResearchMate codebase for security issues — hardcoded API keys, auth bypasses, exposed secrets, XSS risks, and missing credit refunds
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add Unlighted01/ResearchMate-Website security-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 12:30 AM107.8s1 file scanned
SKILL.md
- name:
- security-scan
- description:
- Scan the ResearchMate codebase for security issues — hardcoded API keys, auth bypasses, exposed secrets, XSS risks, and missing credit refunds
- context:
- fork
- agent:
- Explore
- effort:
- high
- disable-model-invocation:
- true
- allowed-tools:
- Grep, Read, Glob
Run a security scan on the ResearchMate codebase.
Scope: $ARGUMENTS (if empty, scan entire codebase)
1. Hardcoded secrets
Search for:
- Patterns:
sk-,AIza,Bearer,gsk_, actual key strings - In: src/, api/, supabase/
- Skip: .env, env.example, node_modules
2. Auth pattern audit (api/)
Every endpoint MUST have one of:
authenticateUser(req)call before any data access- Smart Pen bypass:
req.headers['x-smart-pen-key'] === process.env.SMART_PEN_SERVICE_KEY
Flag any endpoint missing both.
3. Credit refund audit (api/)
Every AI endpoint MUST have:
creditDeducted+deductedUserIdflags before try blockrefundCredit(deductedUserId)in catch block
Flag any AI endpoint missing this pattern.
4. XSS risks (src/)
dangerouslySetInnerHTMLwithout sanitization- User input rendered as HTML
5. .gitignore coverage
Must cover: .env, .env.local, *.local, *.key
Output
Group by severity: CRITICAL → HIGH → MEDIUM → LOW Each finding: file:line + description + suggested fix
Related Skills
Unlighted01/add-theme
development
VerifiedTrustedCommunity
Add proper theme support (glass/bubble/minimalist + dark mode) to a ResearchMate component, or add new CSS variables to index.css for a specific theme
SKILL.mdUpdated Apr 16, 2026
Unlighted01/write-tests
development
VerifiedTrustedCommunity
Write Vitest integration tests for a ResearchMate API endpoint following all established patterns from ocr.integration.test.ts
SKILL.mdUpdated Apr 16, 2026
Unlighted01/run-tests
testing
VerifiedTrustedCommunity
Run the ResearchMate OCR integration test suite using Vitest. Optionally filter by test name.
SKILL.mdUpdated Apr 16, 2026
Unlighted01/new-endpoint
development
VerifiedTrustedCommunity
Scaffold a new ResearchMate Vercel serverless API endpoint with correct fallback chain, credit refund pattern, auth, PART sections, and TypeScript
SKILL.mdUpdated Apr 16, 2026