dev-prod-build-identity

Facilitates the setup of distinct development and production builds for apps, ensuring data isolation and preventing conflicts.

Security score: 0/100

The dev-prod-build-identity skill was audited on Mar 8, 2026 and we found 84 security issues across 3 threat categories, including 5 high-severity. Review the findings below before installing.

Security Issues

high line 397

Direct command execution function call

Source: SKILL.md
397 execSync(`electron-builder ${builderArgs} ${configOverride}`, {
high line 425

Direct command execution function call

Source: SKILL.md
425 execSync(`electron-builder ${builderArgs} ${configOverride}`, {
medium line 279

Template literal with variable interpolation in command context

Source: SKILL.md
279 displayName: IS_DEV ? `${APP_NAME} [DEV]` : APP_NAME,
medium line 288

Template literal with variable interpolation in command context

Source: SKILL.md
288 databaseName: IS_DEV ? `${TECHNICAL_NAME}.dev.db` : `${TECHNICAL_NAME}.db`,
medium line 291

Template literal with variable interpolation in command context

Source: SKILL.md
291 urlScheme: IS_DEV ? `${TECHNICAL_NAME}-dev://` : `${TECHNICAL_NAME}://`,
medium line 351

Template literal with variable interpolation in command context

Source: SKILL.md
351 ```yaml
high line 363

Template literal with variable interpolation in command context

Source: SKILL.md
363 Note the `${env.*}` references -- electron-builder reads these from the
medium line 392

Template literal with variable interpolation in command context

Source: SKILL.md
392 `--config.appId="${process.env.APP_ID}"`,
medium line 393

Template literal with variable interpolation in command context

Source: SKILL.md
393 `--config.productName="${process.env.PRODUCT_NAME}"`,
medium line 397

Template literal with variable interpolation in command context

Source: SKILL.md
397 execSync(`electron-builder ${builderArgs} ${configOverride}`, {
medium line 420

Template literal with variable interpolation in command context

Source: SKILL.md
420 `--config.appId="${process.env.APP_ID}"`,
medium line 421

Template literal with variable interpolation in command context

Source: SKILL.md
421 `--config.productName="${process.env.PRODUCT_NAME}"`,
medium line 425

Template literal with variable interpolation in command context

Source: SKILL.md
425 execSync(`electron-builder ${builderArgs} ${configOverride}`, {
medium line 503

Template literal with variable interpolation in command context

Source: SKILL.md
503 const iconPath = `./assets/images/${iconFolder}`;
medium line 509

Template literal with variable interpolation in command context

Source: SKILL.md
509 icon: `${iconPath}/icon.png`,
medium line 517

Template literal with variable interpolation in command context

Source: SKILL.md
517 foregroundImage: `${iconPath}/android-icon-foreground.png`,
medium line 518

Template literal with variable interpolation in command context

Source: SKILL.md
518 backgroundImage: `${iconPath}/android-icon-background.png`,
medium line 519

Template literal with variable interpolation in command context

Source: SKILL.md
519 monochromeImage: `${iconPath}/android-icon-monochrome.png`,
medium line 526

Template literal with variable interpolation in command context

Source: SKILL.md
526 image: `${iconPath}/splash-icon.png`,
high line 787

Template literal with variable interpolation in command context

Source: SKILL.md
787 - **Electron-builder's `${env.*}` syntax reads from `process.env`.** The build
high line 789

Template literal with variable interpolation in command context

Source: SKILL.md
789 via `${env.ARTIFACT_NAME}`, `${env.PRODUCT_NAME}`, etc. If these aren't set,
low line 375

Node child_process module reference

Source: SKILL.md
375 const { execSync } = require("child_process");
low line 406

Node child_process module reference

Source: SKILL.md
406 const { execSync } = require("child_process");
medium line 101

Access to .env file

Source: SKILL.md
101 **Why dotenv-flow?** It provides cascading environment files (`.env` →
medium line 102

Access to .env file

Source: SKILL.md
102 `.env.{NODE_ENV}` → `.env.local`) with no custom code. The `NODE_ENV` variable
medium line 103

Access to .env file

Source: SKILL.md
103 selects which override file loads, and `.env.local` (gitignored) handles
low line 130

Access to .env file

Source: SKILL.md
130 .env # Base development configuration (committed)
low line 131

Access to .env file

Source: SKILL.md
131 .env.production # Production overrides (committed)
low line 132

Access to .env file

Source: SKILL.md
132 .env.local # Machine-specific overrides (gitignored)
low line 133

Access to .env file

Source: SKILL.md
133 .env.example # Template documenting all variables (committed)
medium line 138

Access to .env file

Source: SKILL.md
138 `.env` (development defaults):
medium line 152

Access to .env file

Source: SKILL.md
152 `.env.production` (production overrides):
medium line 161

Access to .env file

Source: SKILL.md
161 `.env.example` (template with documentation):
low line 175

Access to .env file

Source: SKILL.md
175 # API URL (use .env.local for machine-specific IP on physical devices)
medium line 179

Access to .env file

Source: SKILL.md
179 **1.4 Add .env.local to .gitignore**
low line 182

Access to .env file

Source: SKILL.md
182 .env.local
low line 183

Access to .env file

Source: SKILL.md
183 .env.*.local
medium line 194

Access to .env file

Source: SKILL.md
194 automatically available in the renderer via `import.meta.env.VITE_*`.
low line 302

Access to .env file

Source: SKILL.md
302 import.meta.env.VITE_BUILD_ENV || // Explicit override
low line 303

Access to .env file

Source: SKILL.md
303 import.meta.env.MODE || // --mode flag (development|production)
low line 304

Access to .env file

Source: SKILL.md
304 (import.meta.env.DEV ? "development" : "production"); // Dev server detection
medium line 307

Access to .env file

Source: SKILL.md
307 `import.meta.env.MODE` is set by the `--mode` flag passed to electron-vite. This
low line 379

Access to .env file

Source: SKILL.md
379 // Load .env (development mode)
low line 386

Access to .env file

Source: SKILL.md
386 process.env.APP_ID = "com.myapp.dev";
low line 387

Access to .env file

Source: SKILL.md
387 process.env.PRODUCT_NAME = process.env.PRODUCT_NAME || "MyApp-Dev";
low line 388

Access to .env file

Source: SKILL.md
388 process.env.ARTIFACT_NAME = "myapp-dev";
low line 392

Access to .env file

Source: SKILL.md
392 `--config.appId="${process.env.APP_ID}"`,
low line 393

Access to .env file

Source: SKILL.md
393 `--config.productName="${process.env.PRODUCT_NAME}"`,
low line 399

Access to .env file

Source: SKILL.md
399 env: process.env,
low line 410

Access to .env file

Source: SKILL.md
410 // Load .env.production
low line 414

Access to .env file

Source: SKILL.md
414 process.env.APP_ID = "com.myapp";
low line 415

Access to .env file

Source: SKILL.md
415 process.env.PRODUCT_NAME = process.env.PRODUCT_NAME || "MyApp";
low line 416

Access to .env file

Source: SKILL.md
416 process.env.ARTIFACT_NAME = "myapp";
low line 420

Access to .env file

Source: SKILL.md
420 `--config.appId="${process.env.APP_ID}"`,
low line 421

Access to .env file

Source: SKILL.md
421 `--config.productName="${process.env.PRODUCT_NAME}"`,
low line 427

Access to .env file

Source: SKILL.md
427 env: process.env,
low line 500

Access to .env file

Source: SKILL.md
500 process.env.EXPO_PUBLIC_APP_VARIANT || process.env.NODE_ENV || "production";
low line 531

Access to .env file

Source: SKILL.md
531 apiUrl: process.env.EXPO_PUBLIC_API_URL || "https://api.myapp.com",
low line 532

Access to .env file

Source: SKILL.md
532 appVariant: process.env.EXPO_PUBLIC_APP_VARIANT || "production",
medium line 558

Access to .env file

Source: SKILL.md
558 `NODE_ENV` controls which `.env` files `dotenv-flow` loads.
low line 617

Access to .env file

Source: SKILL.md
617 const parsed = envSchema.safeParse(process.env);
low line 636

Access to .env file

Source: SKILL.md
636 ...env.ALLOWED_ORIGINS.split(",").map((s) => s.trim()),
medium line 644

Access to .env file

Source: SKILL.md
644 **6.3 Development vs production .env for the API**
medium line 646

Access to .env file

Source: SKILL.md
646 `.env` (development):
medium line 654

Access to .env file

Source: SKILL.md
654 `.env.production`:
medium line 691

Access to .env file

Source: SKILL.md
691 not the production one. The API URL in your `.env` files controls this
medium line 712

Access to .env file

Source: SKILL.md
712 | App Name | "MyApp Dev" | "MyApp" | `.env` / `.env.production` |
medium line 717

Access to .env file

Source: SKILL.md
717 | API URL | http://localhost:3011 | https://api.myapp.com | `.env` / `.env.production` |
medium line 719

Access to .env file

Source: SKILL.md
719 | Debug Logging | Enabled | Disabled | `.env` |
medium line 772

Access to .env file

Source: SKILL.md
772 - **dotenv-flow loads `.env` first, then overlays.** The base `.env` file is
medium line 773

Access to .env file

Source: SKILL.md
773 always loaded. `.env.production` only overrides the values it explicitly sets.
medium line 774

Access to .env file

Source: SKILL.md
774 This means your `.env` should contain development defaults, and
medium line 775

Access to .env file

Source: SKILL.md
775 `.env.production` should only contain values that differ in production.
medium line 777

Access to .env file

Source: SKILL.md
777 - **`.env.local` is for machine-specific values only.** Things like your local
medium line 779

Access to .env file

Source: SKILL.md
779 `.env.local`, which is gitignored. Never put variant-specific configuration
medium line 780

Access to .env file

Source: SKILL.md
780 here -- it should be in `.env` or `.env.production`.
medium line 787

Access to .env file

Source: SKILL.md
787 - **Electron-builder's `${env.*}` syntax reads from `process.env`.** The build
low line 64

External URL reference

Source: SKILL.md
64 API URL: https://api.myapp.com API URL: http://localhost:3011
low line 149

External URL reference

Source: SKILL.md
149 API_URL=http://localhost:3011
low line 158

External URL reference

Source: SKILL.md
158 API_URL=https://api.myapp.com
low line 176

External URL reference

Source: SKILL.md
176 API_URL=http://localhost:3011
low line 531

External URL reference

Source: SKILL.md
531 apiUrl: process.env.EXPO_PUBLIC_API_URL || "https://api.myapp.com",
low line 650

External URL reference

Source: SKILL.md
650 ALLOWED_ORIGINS="http://localhost:3000,http://localhost:5173"
low line 717

External URL reference

Source: SKILL.md
717 | API URL | http://localhost:3011 | https://api.myapp.com | `.env` / `.env.production` |
Scanned on Mar 8, 2026