production-audit
Conducts local production readiness audits for applications, ensuring they are ready for deployment without external data sharing.
Security score
The production-audit skill was audited on May 18, 2026 and we found 11 security issues across 1 threat category. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| Line | Matched text |
| --- | --- |
| 66 | - API routes, webhooks, auth middleware, background workers, cron jobs, and |
| 95 | - Are retries idempotent for writes, jobs, and webhook handlers? |
| 97 | ### Payments And Webhooks |
| 99 | - Are webhook signatures verified before parsing trusted payload fields? |
| 100 | - Is each payment, subscription, or fulfillment webhook idempotent? |
| 135 | - Payment or fulfillment webhooks are not idempotent. |
| 148 | Production audit: 76/100, launchable with caveats, with webhook idempotency and rollback docs as the two risks to fix before public launch. |
| 173 | Production audit: 68/100, risky, because Stripe webhooks are verified but not idempotent and there is no rollback note for the pending migration. |
| 181 | - Add one E2E path for upgrade, webhook fulfillment, and billing-page refresh. |
| 184 | - `api/stripe/webhook.ts` |
| 188 | Next action: Want me to patch webhook idempotency first? |