Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

guimap01/review-nestjs

Name: review-nestjs
Author: guimap01

.cursor/skills/review-nestjs/SKILL.md

npx skillsauth add guimap01/notes_app review-nestjs

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

NestJS Code Review

Targets NestJS with Prisma in a multi-tenant SaaS context. Work through the five areas in order. For the full pass/fail checklist, see checklist.md.

1. Guards vs Interceptors — never mix concerns

Guards decide whether a request proceeds (authentication, authorization, RBAC). They run before the route handler and must return true/false or throw.
Interceptors shape or decorate the request/response (logging, caching, response transformation). They never make authorization decisions.
Mixing these means auth logic can silently not run — treat any mixed usage as a high bug.

RBAC guard chain pattern (two guards, not one):

@UseGuards(JwtAuthGuard, RolesGuard)   // auth first, roles second
@Roles(Role.ADMIN)
@Get('admin-data')

Never collapse token validation and role checking into a single guard.

2. Tenant isolation — the highest-risk area

Every query on a tenant-scoped resource must filter by tenantId sourced from the JWT/session, not from the request body or URL params.

// BAD — tenantId from request body; attacker can spoof it
async getNotes(@Body() dto: GetNotesDto) {
  return this.notesService.findAll({ tenantId: dto.tenantId });
}

// GOOD — tenantId from validated JWT payload
async getNotes(@CurrentUser() user: JwtPayload) {
  return this.notesService.findAll({ tenantId: user.tenantId });
}

Use Prisma middleware to inject tenantId automatically as a safety net — but do not rely on it as the only enforcement layer.

Background jobs and raw queries bypass Prisma middleware: every one must explicitly set tenant context.

3. Validation pipes

Apply ValidationPipe globally with strict settings:

app.useGlobalPipes(
  new ValidationPipe({
    whitelist: true, // strip unknown properties
    forbidNonWhitelisted: true, // throw on unknown properties
    transform: true, // auto-transform to DTO types
  }),
);

Without whitelist: true, unvalidated properties reach service logic. Every incoming DTO must use class-validator decorators.

4. Module boundaries

Providers should be exported from a module only when another module genuinely needs them
Never export a service that contains security logic (guards, token validation) broadly
Shared utilities belong in a SharedModule imported explicitly where needed

5. Logging and observability

Use an interceptor (not console.log) for request/response logging
Log auth events (login, logout, token refresh, permission denial) via a dedicated AuditService
Permission denials must be logged at warn level with user ID, resource, and action — never swallowed silently
AI request/response pairs should be logged with latency and any error codes

Additional resources

Full pass/fail checklist → checklist.md

guimap01/review-nestjs

.cursor/skills/review-nestjs/SKILL.md

Reviews NestJS TypeScript code for correctness, security, multi-tenancy safety, and architectural best practices. Use when reviewing generated NestJS controllers, services, guards, interceptors, pipes, or modules, or when asked to do a code review on backend API code.

development

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add guimap01/notes_app review-nestjs

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 2:30 PM41.5s2 files scanned

SKILL.md

name:: review-nestjs
description:: Reviews NestJS TypeScript code for correctness, security, multi-tenancy safety, and architectural best practices. Use when reviewing generated NestJS controllers, services, guards, interceptors, pipes, or modules, or when asked to do a code review on backend API code.

NestJS Code Review

Targets NestJS with Prisma in a multi-tenant SaaS context. Work through the five areas in order. For the full pass/fail checklist, see checklist.md.

1. Guards vs Interceptors — never mix concerns

Guards decide whether a request proceeds (authentication, authorization, RBAC). They run before the route handler and must return true/false or throw.
Interceptors shape or decorate the request/response (logging, caching, response transformation). They never make authorization decisions.
Mixing these means auth logic can silently not run — treat any mixed usage as a high bug.

RBAC guard chain pattern (two guards, not one):

@UseGuards(JwtAuthGuard, RolesGuard)   // auth first, roles second
@Roles(Role.ADMIN)
@Get('admin-data')

Never collapse token validation and role checking into a single guard.

2. Tenant isolation — the highest-risk area

Every query on a tenant-scoped resource must filter by tenantId sourced from the JWT/session, not from the request body or URL params.

// BAD — tenantId from request body; attacker can spoof it
async getNotes(@Body() dto: GetNotesDto) {
  return this.notesService.findAll({ tenantId: dto.tenantId });
}

// GOOD — tenantId from validated JWT payload
async getNotes(@CurrentUser() user: JwtPayload) {
  return this.notesService.findAll({ tenantId: user.tenantId });
}

Use Prisma middleware to inject tenantId automatically as a safety net — but do not rely on it as the only enforcement layer.

Background jobs and raw queries bypass Prisma middleware: every one must explicitly set tenant context.

3. Validation pipes

Apply ValidationPipe globally with strict settings:

app.useGlobalPipes(
  new ValidationPipe({
    whitelist: true, // strip unknown properties
    forbidNonWhitelisted: true, // throw on unknown properties
    transform: true, // auto-transform to DTO types
  }),
);

Without whitelist: true, unvalidated properties reach service logic. Every incoming DTO must use class-validator decorators.

4. Module boundaries

Providers should be exported from a module only when another module genuinely needs them
Never export a service that contains security logic (guards, token validation) broadly
Shared utilities belong in a SharedModule imported explicitly where needed

5. Logging and observability

Use an interceptor (not console.log) for request/response logging
Log auth events (login, logout, token refresh, permission denial) via a dedicated AuditService
Permission denials must be logged at warn level with user ID, resource, and action — never swallowed silently
AI request/response pairs should be logged with latency and any error codes

Additional resources

Full pass/fail checklist → checklist.md

Related Skills

guimap01/test-react

tools

VerifiedTrustedCommunity

Writes unit tests for React components using Vitest and React Testing Library. Use when writing or reviewing tests for React components, hooks, forms, or pages in apps/client. Covers setup, mocking strategy, form validation testing, async interactions, and testing library best practices.

SKILL.mdUpdated Apr 16, 2026

guimap01/review-react

development

VerifiedTrustedCommunity

Reviews React and TypeScript code for correctness, security, hook usage, and multi-tenancy safety. Use when reviewing generated React components, hooks, or TypeScript files, or when asked to do a code review on frontend code.

SKILL.mdUpdated Apr 16, 2026

guimap01/review-react

openclaw/openclaw-secret-scanning-maintainer

development

VerifiedTrustedCommunity

Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.

357,764SKILL.mdUpdated Apr 15, 2026

openclaw/openclaw-secret-scanning-maintainer

openclaw/openclaw-release-maintainer

development

VerifiedTrustedCommunity

Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.

357,764SKILL.mdUpdated Apr 10, 2026

openclaw/openclaw-release-maintainer

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/guimap01/notes_app.git

# Copy into Claude Code skills folder (global)
cp -r notes_app/.cursor/skills/review-nestjs ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

guimap01/notes_app

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT