
expo-api-routes

Provides guidelines for creating secure API routes in Expo Router, ensuring safe handling of server-side secrets and database operations.

Security score: 51/100

The expo-api-routes skill was audited on Feb 19, 2026 and we found 21 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium, SKILL.md line 143: Template literal with variable interpolation in command context
    Authorization: `Bearer ${process.env.OPENAI_API_KEY}`,

medium, SKILL.md line 353: Template literal with variable interpolation in command context
    `https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`

medium, SKILL.md line 209: Curl to non-GitHub URL
    curl http://localhost:8081/api/hello

medium, SKILL.md line 210: Curl to non-GitHub URL
    curl -X POST http://localhost:8081/api/users -H "Content-Type: application/json" -d '{"name":"Test"}'

low, SKILL.md line 139: Fetch to external URL
    const response = await fetch("https://api.openai.com/v1/chat/completions", {

low, SKILL.md line 265: Fetch to external URL
    const response = await fetch("https://api.example.com");

low, SKILL.md line 304: Fetch to external URL
    const response = await fetch("/api/hello");

low, SKILL.md line 308: Fetch to external URL
    const response = await fetch("/api/users", {

medium, SKILL.md line 16: Webhook reference - potential data exfiltration
    - **Webhook endpoints** — Receive callbacks from services like Stripe or GitHub

medium, SKILL.md line 132: Access to .env file
    Use `process.env` for server-side secrets:

low, SKILL.md line 143: Access to .env file
    Authorization: `Bearer ${process.env.OPENAI_API_KEY}`,

medium, SKILL.md line 158: Access to .env file
    - **Local**: Create `.env` file (never commit)

low, SKILL.md line 290: Access to .env file
    url: process.env.TURSO_URL!,

low, SKILL.md line 291: Access to .env file
    authToken: process.env.TURSO_AUTH_TOKEN!,

low, SKILL.md line 353: Access to .env file
    `https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`

low, SKILL.md line 139: External URL reference
    const response = await fetch("https://api.openai.com/v1/chat/completions", {

low, SKILL.md line 204: External URL reference
    This starts a local server at `http://localhost:8081` with full API route support.

low, SKILL.md line 209: External URL reference
    curl http://localhost:8081/api/hello

low, SKILL.md line 210: External URL reference
    curl -X POST http://localhost:8081/api/users -H "Content-Type: application/json" -d '{"name":"Test"}'

low, SKILL.md line 265: External URL reference
    const response = await fetch("https://api.example.com");

low, SKILL.md line 353: External URL reference
    `https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`

Scanned on Feb 19, 2026