coderabbit-triage
Analyzes code review findings to create structured execution plans for fixing issues based on severity and dependencies.
Security score
The coderabbit-triage skill was audited on Feb 9, 2026 and we found 43 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
| Threat category | Line | Flagged content |
| --- | --- | --- |
| Webhook reference - potential data exfiltration | 44 | `- Race condition in webhook async handler (domain: concurrency)` |
| Webhook reference - potential data exfiltration | 50 | `- Missing signature verification depends on understanding webhook flow` |
| Webhook reference - potential data exfiltration | 56 | `- Race condition in webhook handler AND race condition in retry logic` |
| Webhook reference - potential data exfiltration | 74 | `Task 1: src/webhooks.ts:42 (signature verification)` |
| Webhook reference - potential data exfiltration | 75 | `Task 2: src/webhooks.ts:89 (idempotency handling)` |
| Webhook reference - potential data exfiltration | 76 | `Task 3: src/webhooks.ts:156 (error logging)` |
| Webhook reference - potential data exfiltration | 125 | `"file": "src/webhooks.ts",` |
| Webhook reference - potential data exfiltration | 136 | `"domain": "payment-webhook-security",` |
| Webhook reference - potential data exfiltration | 137 | `"file": "src/webhooks.ts",` |
| Webhook reference - potential data exfiltration | 139 | `"issue": "Missing HMAC signature verification for webhook authenticity",` |
| Webhook reference - potential data exfiltration | 143 | `"2. At webhook handler entry (line 42), before processing body:",` |
| Webhook reference - potential data exfiltration | 144 | `" - Extract 'X-Webhook-Signature' header",` |
| Webhook reference - potential data exfiltration | 146 | `" - Compute HMAC-SHA256 signature using process.env.WEBHOOK_SECRET",` |
| Webhook reference - potential data exfiltration | 149 | `"3. Extract 'X-Webhook-Timestamp' header",` |
| Webhook reference - potential data exfiltration | 152 | `"6. Add structured logging: {timestamp, signature_valid, webhook_id, processed: true}",` |
| Webhook reference - potential data exfiltration | 153 | `"7. Run: npm test -- src/webhooks.test.ts",` |
| Webhook reference - potential data exfiltration | 154 | `"8. Verify all webhook security tests pass"` |
| Webhook reference - potential data exfiltration | 157 | `"DO NOT modify webhook body parsing logic",` |
| Webhook reference - potential data exfiltration | 160 | `"ONLY modify webhook entry point validation"` |
| Webhook reference - potential data exfiltration | 171 | `"domain": "webhook-concurrency",` |
| Webhook reference - potential data exfiltration | 172 | `"file": "src/webhooks.ts",` |
| Webhook reference - potential data exfiltration | 174 | `"issue": "Race condition: multiple concurrent webhook calls can update state simultaneously",` |
| Webhook reference - potential data exfiltration | 179 | `"2. At webhook handler (line 89), extract 'X-Idempotency-Key' header",` |
| Webhook reference - potential data exfiltration | 183 | `"4. Process webhook (database writes, event emits, etc)",` |
| Webhook reference - potential data exfiltration | 188 | `"7. Add test: duplicate webhook with same key returns same result",` |
| Webhook reference - potential data exfiltration | 189 | `"8. Add test: webhook with different key processes independently",` |
| Webhook reference - potential data exfiltration | 190 | `"9. Run: npm test -- src/webhooks.test.ts",` |
| Webhook reference - potential data exfiltration | 209 | `"domain": "webhook-observability",` |
| Webhook reference - potential data exfiltration | 210 | `"file": "src/webhooks.ts",` |
| Webhook reference - potential data exfiltration | 212 | `"issue": "Missing error logging for webhook failures. Makes debugging production issues difficult.",` |
| Webhook reference - potential data exfiltration | 213 | `"coderabbit_suggestion": "Add structured logging with timestamp, error type, and webhook ID. Include full error stack.",` |
| Webhook reference - potential data exfiltration | 216 | `"2. At webhook handler (line 156), add pre-processing log:",` |
| Webhook reference - potential data exfiltration | 217 | `" logger.info({event: 'webhook_received', webhook_id, timestamp, domain})",` |
| Webhook reference - potential data exfiltration | 218 | `"3. Wrap webhook processing in try-catch:",` |
| Webhook reference - potential data exfiltration | 219 | `" - On success: logger.info({event: 'webhook_processed', webhook_id, duration_ms})",` |
| Webhook reference - potential data exfiltration | 220 | `" - On error: logger.error({event: 'webhook_failed', webhook_id, error_type, error_message, stack})",` |
| Webhook reference - potential data exfiltration | 229 | `"6. Verify all logs have: webhook_id, timestamp, event_type, error details",` |
| Webhook reference - potential data exfiltration | 230 | `"7. Run: npm test -- src/webhooks.test.ts",` |
| Webhook reference - potential data exfiltration | 234 | `"DO NOT change webhook processing logic",` |
| Webhook reference - potential data exfiltration | 251 | `"reason": "All tasks target src/webhooks.ts - sequential execution prevents merge conflicts",` |
| Webhook reference - potential data exfiltration | 253 | `"after_each_fix": "Run npm test -- src/webhooks.test.ts",` |
| Webhook reference - potential data exfiltration | 261 | `"summary": "3 issues identified in src/webhooks.ts. Strategy: SINGLE_COMPREHENSIVE (all same file). Sequential execution required to prevent conflicts. Estimated total time: 30 minutes."` |
| Access to .env file | 146 | `" - Compute HMAC-SHA256 signature using process.env.WEBHOOK_SECRET",` |