igorwarzocha/security-vite
agents/security-reviewer/.opencode/skill/security-vite/SKILL.md
Review Vite security audit patterns for SPA and dev server security. Use for auditing VITE_* exposure, build-time secrets, and proxy configs. Use proactively when reviewing Vite apps (vite.config.ts present). Examples: - user: "Audit Vite env vars" → check for secrets with VITE_ prefix - user: "Check Vite build config" → verify define block and source maps - user: "Review Vite dev server" → check host binding and proxy security - user: "Scan Vite bundles" → search dist/ for leaked API keys or secrets - user: "Audit Vite SPA auth" → verify server-side auth vs client route guards
$ install --global
skillsauthnpx skillsauth add igorwarzocha/opencode-workflows security-viteInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:06 PM5.3s2 files scanned
SKILL.md
- name:
- security-vite
- description:
- |-
- - user:
- Audit Vite SPA auth" → verify server-side auth vs client route guards
<overview>
Security audit patterns for Vite applications focusing on environment variable exposure, build-time secrets, and SPA-specific vulnerabilities.
</overview> <rules>Environment Variable Exposure
The VITE_ Footgun
VITE_* → Bundled into client JavaScript → Visible to everyone
No prefix → Only available in vite.config.ts → Safe for secrets
Audit steps:
grep -r "VITE_" . -g "*.env*"- Check
import.meta.env.VITE_*usage in source - Common mistakes:
VITE_API_SECRET(SHOULD be server-only)VITE_DATABASE_URL(MUST NOT use)VITE_STRIPE_SECRET_KEY(only publishable keys)
Env Files Priority
Vite loads in this order (later overrides earlier):
.env # Always loaded
.env.local # Always loaded, gitignored
.env.[mode] # e.g., .env.production
.env.[mode].local # e.g., .env.production.local, gitignored
Check: Are .env.local and .env.*.local in .gitignore?
envPrefix Overrides
If envPrefix is configured, Vite exposes any variables with those prefixes. Treat envPrefix as a security-sensitive setting.
Build-Time vs Runtime
Dangerous: Secrets in vite.config.ts
// ❌ Secret in config (ends up in bundle)
export default defineConfig({
define: {
'process.env.API_KEY': JSON.stringify(process.env.API_KEY),
},
});
// The above makes API_KEY available in client code!
Safe Pattern
// Only use VITE_ prefix for truly public values
export default defineConfig({
define: {
'__APP_VERSION__': JSON.stringify(process.env.npm_package_version),
},
});
// Keep secrets on server (use a backend API)
Dev Server Security
Open to Network
// ❌ Exposes dev server to network
export default defineConfig({
server: {
host: '0.0.0.0', // or host: true
},
});
This is dangerous on shared networks. Check if intentional.
Proxy Misconfiguration
export default defineConfig({
server: {
proxy: {
'/api': {
target: 'http://localhost:3000',
changeOrigin: true,
// ❌ Missing secure options for production-like setup
},
},
},
});
SPA Security Issues
Client-Side Auth Only
// ❌ "Protection" only in React Router
const ProtectedRoute = ({ children }) => {
const { user } = useAuth();
if (!user) return <Navigate to="/login" />;
return children;
};
// API calls still need server-side auth!
// This is UI convenience, not security.
Secrets in Bundle
# Check the built bundle for secrets
rg -a "(sk_live|sk_test|AKIA|api[_-]?key)" dist/
Source Maps in Production
// Check vite.config.ts
export default defineConfig({
build: {
sourcemap: true, // ❌ Exposes source code in production
},
});
<severity_table>
Common Vulnerabilities
| Issue | Where to Look | Severity |
|-------|---------------|----------|
| VITE_* secrets | .env*, source files | CRITICAL |
| Secrets in define | vite.config.ts | CRITICAL |
| Source maps in prod | vite.config.ts | MEDIUM |
| Dev server exposed | vite.config.ts server.host | MEDIUM |
| Client-only auth | Route guards without API auth | HIGH |
| API keys in bundle | dist/ directory | CRITICAL |
</severity_table>
<commands>Quick Audit Commands
# Find VITE_ secrets
grep -r "VITE_" . -g "*.env*"
# Find import.meta.env usage
rg 'import\.meta\.env' . -g "*.ts" -g "*.tsx" -g "*.vue"
# Check define in config
rg 'define:' vite.config.*
# Scan built bundle for secrets
rg -a "(sk_live|AKIA|ghp_|api[_-]?key['\"]?\s*[:=])" dist/
# Check for source maps
fd '\.map$' dist/
Hardening Checklist
- [ ] No secrets in
VITE_*variables - [ ]
.env.localand.env.*.localin.gitignore - [ ]
sourcemap: falsein production build - [ ]
server.hostis not0.0.0.0ortrue(unless intentional) - [ ] All sensitive API calls go through a backend (not direct from browser)
- [ ] No secrets in
vite.config.tsdefine block
Related Skills
igorwarzocha/writing
development
VerifiedTrustedCommunity
Handle structured co-authoring of professional documentation. Use for proposals, technical specs, and RFCs. Use proactively when a collaborative drafting process (Gathering -> Refinement -> Testing) is needed. Examples: - user: "Draft a technical RFC for the new API" -> follow Stage 1 context gathering - user: "Refine the introduction of this proposal" -> use iterative surgical edits - user: "Test if this document is clear for readers" -> run reader testing workflow
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/word
development
VerifiedTrustedCommunity
Handle Word document (.docx) creation, editing, and analysis with high-fidelity visual review. Use for professional reports, legal documents, and tracked changes. Use proactively when quality and precise formatting are critical. Examples: - user: "Create a professional report in Word" -> use python-docx with render loops - user: "Draft a legal contract with redlines" -> use ooxml redlining workflow - user: "Extract text from this DOCX while preserving structure" -> use pandoc markdown conversion
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/themes
testing
VerifiedTrustedCommunity
Apply professional visual themes to documents and presentations. Use for styling artifacts with consistent color palettes and font pairings. Use proactively to quickly improve the aesthetic quality of deliverables. Examples: - user: "Apply a modern theme to this deck" -> use Modern Minimalist theme - user: "I want a tech aesthetic for this doc" -> apply Tech Innovation theme - user: "Create a custom theme for my project" -> generate new color/font specification
100SKILL.mdUpdated Apr 5, 2026
igorwarzocha/skill-creator
tools
VerifiedTrustedCommunity
Guide for creating effective opencode skills. Use for creating or updating skills that extend agent capabilities with specialized knowledge, workflows, or tool integrations. Examples: - user: "Create a skill for git workflows" → define SKILL.md with instructions and examples - user: "Add examples to my skill" → follow the user: "query" → action pattern - user: "Update skill description" → use literal block scalar and trigger contexts - user: "Structure a complex skill" → organize with scripts/ and references/ directories - user: "Validate my skill" → check structure, frontmatter, and discovery triggers
100SKILL.mdUpdated Apr 5, 2026