backend-api
Designs and reviews HTTP APIs for FastAPI, Express, and NestJS, focusing on contracts, authentication, and error handling.
71/100
Security score
The backend-api skill was audited on May 31, 2026 and we found 9 security issues across 4 threat categories. Review the findings below before installing.
Security Issues
medium, line 306: Template literal with variable interpolation in command context
Source: SKILL.md
| 306 | const cached = await cache.get(`idem:${key}`); |

medium, line 72: Webhook reference - potential data exfiltration
Source: SKILL.md
| 72 | - [ ] Write endpoints that may be retried (`POST /payments`, webhook receivers, order creation) define idempotency behavior |

medium, line 99: Webhook reference - potential data exfiltration
Source: SKILL.md
| 99 | - Design idempotency for retries on create, payment, provisioning, and webhook endpoints. |

medium, line 111: Webhook reference - potential data exfiltration
Source: SKILL.md
| 111 | - **Who calls it?** Browser app, mobile app, third-party integrator, internal service, webhook sender |

medium, line 215: Webhook reference - potential data exfiltration
Source: SKILL.md
| 215 | - Check retries and duplicate submissions for create/payment/webhook paths |

low, line 353: Base64 encode operation (HMAC tag)
Source: SKILL.md
| 353 | expected = base64.urlsafe_b64encode(hmac.new(SECRET, body.encode(), hashlib.sha256).digest()[:8]).rstrip(b"=").decode() |

low, line 356: Base64 decode operation
Source: SKILL.md
| 356 | return json.loads(base64.urlsafe_b64decode(body + "==")) |

low, line 246: External URL reference
Source: SKILL.md
| 246 | "type": "https://api.example.com/errors/insufficient-funds", |

low, line 281: External URL reference
Source: SKILL.md
| 281 | "type": "https://api.example.com/errors/validation", |
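Read against the quoted lines, the three code findings are a cache lookup keyed by a client-supplied idempotency key (line 306) and the encode and decode halves of an HMAC-tagged opaque token (lines 353 and 356); none of them runs a command. What a reviewer would actually want to check is that the idempotency key is validated and scoped before it becomes a cache key, and that the HMAC tag is compared in constant time before the body is base64-decoded or parsed. The block below is an added example written for this page, not code from the backend-api skill or from the audit; SECRET, TAG_LEN, IDEM_KEY_RE, mint_token, verify_token and IdempotencyStore are assumed names for illustration.

```python
"""Added example (not from the audited skill): hardened versions of the two
patterns the scan flagged, an idempotency cache key and an HMAC-tagged
opaque token. All names here are hypothetical."""
import base64
import hashlib
import hmac
import json
import re
from typing import Any, Callable, Optional, Tuple

SECRET = b"example-only-secret"  # hypothetical; load from a secret store in practice
TAG_LEN = 8                      # bytes of HMAC-SHA256 kept, as in the audited snippet
IDEM_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # bound size and charset of client keys


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore exactly the padding that was stripped instead of appending "==" blindly.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str) -> str:
    # Truncated HMAC-SHA256 over the encoded body, same construction as the flagged line.
    return _b64url_encode(hmac.new(SECRET, body.encode(), hashlib.sha256).digest()[:TAG_LEN])


def mint_token(payload: dict) -> str:
    """Encode a payload (e.g. a pagination cursor) as body.tag."""
    body = _b64url_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_tag(body)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the payload only if the tag is valid; None otherwise.
    The tag is checked in constant time before any decoding, so attacker-controlled
    bytes never reach the base64 or JSON parser."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    # Compare as bytes: compare_digest on str rejects non-ASCII input with TypeError.
    if not hmac.compare_digest(_tag(body).encode(), tag.encode()):
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return payload if isinstance(payload, dict) else None


class IdempotencyStore:
    """In-memory stand-in for the cache behind the flagged cache.get('idem:...') call."""

    def __init__(self) -> None:
        self._cache: dict = {}

    def run_once(self, principal: str, key: str, handler: Callable[[], Any]) -> Tuple[Any, bool]:
        """Run handler once per (principal, key); a replay returns the stored result.
        Returns (result, replayed)."""
        if not IDEM_KEY_RE.fullmatch(key):
            raise ValueError("invalid Idempotency-Key")
        cache_key = f"idem:{principal}:{key}"  # scoped so one caller cannot replay another's
        if cache_key in self._cache:
            return self._cache[cache_key], True
        result = handler()
        self._cache[cache_key] = result
        return result, False
```

The padding helper computes the missing `=` characters from the body length rather than relying on the decoder tolerating surplus padding, and the cache key carries the authenticated principal so a key value chosen by one client cannot return another client's stored response.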