
upstash-qstash

Facilitates reliable serverless messaging and task scheduling with Upstash QStash, ensuring efficient HTTP-based task delivery.

Security score: 0/100

The upstash-qstash skill was audited on May 12, 2026 and we found 68 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.

Security Issues

medium line 454

Template literal with variable interpolation in command context

Source: SKILL.md
454 | deduplicationId: `charge-${orderId}`, // Same ID = same message
medium line 675

Template literal with variable interpolation in command context

Source: SKILL.md
675 | await alerting.notify(`Email failed: ${data.sourceMessageId}`);
medium line 753

Template literal with variable interpolation in command context

Source: SKILL.md
753 | console.log(`Group: ${group.name}`);
medium line 758

Template literal with variable interpolation in command context

Source: SKILL.md
758 | console.log(` OK: ${endpoint.url}`);
medium line 760

Template literal with variable interpolation in command context

Source: SKILL.md
760 | console.log(` DEAD: ${endpoint.url}`);
low line 509

Fetch to external URL

Source: SKILL.md
509 | await fetch('http://localhost:3000/api/process', {
medium line 19

Webhook reference - potential data exfiltration

Source: SKILL.md
19 | - Verify signatures always - never trust unverified webhooks
medium line 31

Webhook reference - potential data exfiltration

Source: SKILL.md
31 | - webhook-delivery
medium line 63

Webhook reference - potential data exfiltration

Source: SKILL.md
63 | - webhook-fanout
medium line 144

Webhook reference - potential data exfiltration

Source: SKILL.md
144 | // app/api/webhook/route.ts (Next.js App Router)
medium line 276

Webhook reference - potential data exfiltration

Source: SKILL.md
276 | ### Not verifying QStash webhook signatures
medium line 284

Webhook reference - potential data exfiltration

Source: SKILL.md
284 | - No Receiver import in webhook handler
medium line 331

Webhook reference - potential data exfiltration

Source: SKILL.md
331 | Situation: Webhook handler does heavy processing. Takes 30+ seconds. QStash times out.
medium line 335

Webhook reference - potential data exfiltration

Source: SKILL.md
335 | - Webhook timeouts in QStash dashboard
low line 368

Webhook reference - potential data exfiltration

Source: SKILL.md
368 | // Webhook receives trigger
medium line 525

Webhook reference - potential data exfiltration

Source: SKILL.md
525 | Situation: Critical payment webhook uses defaults. 3 retries over minutes. Payment
low line 545

Webhook reference - potential data exfiltration

Source: SKILL.md
545 | url: 'https://myapp.com/api/payment-webhook',
medium line 780

Webhook reference - potential data exfiltration

Source: SKILL.md
780 | ### Webhook signature verification
medium line 784

Webhook reference - potential data exfiltration

Source: SKILL.md
784 | Message: QStash webhook handlers must verify signatures using Receiver
medium line 883

Webhook reference - potential data exfiltration

Source: SKILL.md
883 | ### Reliable Webhooks
low line 890

Webhook reference - potential data exfiltration

Source: SKILL.md
890 | 1. Receive webhooks from Stripe (stripe-integration)
high line 499

Ngrok tunnel reference

Source: SKILL.md
499 | # Option 1: ngrok/localtunnel
medium line 501

Ngrok tunnel reference

Source: SKILL.md
501 | ngrok http 3000
medium line 502

Ngrok tunnel reference

Source: SKILL.md
502 | # Use the ngrok URL for QStash testing
high line 818

Ngrok tunnel reference

Source: SKILL.md
818 | Fix action: Use a public URL (e.g., your deployed domain or ngrok for testing)
medium line 82

Access to .env file

Source: SKILL.md
82 | token: process.env.QSTASH_TOKEN!,
medium line 117

Access to .env file

Source: SKILL.md
117 | token: process.env.QSTASH_TOKEN!,
medium line 149

Access to .env file

Source: SKILL.md
149 | currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY!,
medium line 150

Access to .env file

Source: SKILL.md
150 | nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY!,
medium line 187

Access to .env file

Source: SKILL.md
187 | token: process.env.QSTASH_TOKEN!,
medium line 226

Access to .env file

Source: SKILL.md
226 | token: process.env.QSTASH_TOKEN!,
medium line 257

Access to .env file

Source: SKILL.md
257 | token: process.env.QSTASH_TOKEN!,
low line 300

Access to .env file

Source: SKILL.md
300 | currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY!,
low line 301

Access to .env file

Source: SKILL.md
301 | nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY!,
low line 508

Access to .env file

Source: SKILL.md
508 | if (process.env.NODE_ENV === 'development') {
medium line 794

Access to .env file

Source: SKILL.md
794 | Fix action: Configure both keys: new Receiver({ currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY, nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY })
medium line 802

Access to .env file

Source: SKILL.md
802 | Fix action: Use process.env.QSTASH_TOKEN
medium line 810

Access to .env file

Source: SKILL.md
810 | Fix action: Use process.env.QSTASH_CURRENT_SIGNING_KEY and process.env.QSTASH_NEXT_SIGNING_KEY
low line 87

External URL reference

Source: SKILL.md
87 | url: 'https://myapp.com/api/process',
low line 96

External URL reference

Source: SKILL.md
96 | url: 'https://myapp.com/api/reminder',
low line 103

External URL reference

Source: SKILL.md
103 | url: 'https://myapp.com/api/scheduled',
low line 122

External URL reference

Source: SKILL.md
122 | destination: 'https://myapp.com/api/cron/daily-report',
low line 192

External URL reference

Source: SKILL.md
192 | url: 'https://myapp.com/api/critical-task',
low line 194

External URL reference

Source: SKILL.md
194 | callback: 'https://myapp.com/api/qstash-callback',
low line 195

External URL reference

Source: SKILL.md
195 | failureCallback: 'https://myapp.com/api/qstash-failed',
low line 233

External URL reference

Source: SKILL.md
233 | { url: 'https://inventory.myapp.com/api/process' },
low line 234

External URL reference

Source: SKILL.md
234 | { url: 'https://shipping.myapp.com/api/process' },
low line 235

External URL reference

Source: SKILL.md
235 | { url: 'https://analytics.myapp.com/api/track' },
low line 262

External URL reference

Source: SKILL.md
262 | url: 'https://myapp.com/api/charge',
low line 269

External URL reference

Source: SKILL.md
269 | url: 'https://myapp.com/api/notify',
low line 370

External URL reference

Source: SKILL.md
370 | url: 'https://myapp.com/api/heavy-process',
low line 420

External URL reference

Source: SKILL.md
420 | url: 'https://myapp.com/api/process',
low line 452

External URL reference

Source: SKILL.md
452 | url: 'https://myapp.com/api/charge',
low line 459

External URL reference

Source: SKILL.md
459 | url: 'https://myapp.com/api/notify',
low line 509

External URL reference

Source: SKILL.md
509 | await fetch('http://localhost:3000/api/process', {
low line 545

External URL reference

Source: SKILL.md
545 | url: 'https://myapp.com/api/payment-webhook',
low line 553

External URL reference

Source: SKILL.md
553 | url: 'https://myapp.com/api/analytics',
low line 567

External URL reference

Source: SKILL.md
567 | url: 'https://myapp.com/api/critical',
low line 569

External URL reference

Source: SKILL.md
569 | failureCallback: 'https://myapp.com/api/dead-letter',
low line 596

External URL reference

Source: SKILL.md
596 | url: 'https://myapp.com/api/process',
low line 602

External URL reference

Source: SKILL.md
602 | url: 'https://myapp.com/api/process',
low line 643

External URL reference

Source: SKILL.md
643 | url: 'https://myapp.com/api/send-email',
low line 645

External URL reference

Source: SKILL.md
645 | callback: 'https://myapp.com/api/email-callback',
low line 646

External URL reference

Source: SKILL.md
646 | failureCallback: 'https://myapp.com/api/email-failed',
low line 706

External URL reference

Source: SKILL.md
706 | destination: 'https://myapp.com/api/daily-report',
low line 718

External URL reference

Source: SKILL.md
718 | destination: 'https://myapp.com/api/daily-report',
low line 771

External URL reference

Source: SKILL.md
771 | endpoints: [{ url: 'https://old-service.myapp.com/api/process' }],
low line 858

External URL reference

Source: SKILL.md
858 | Fix action: Add destination: 'https://your-app.com/api/endpoint' to schedule options
Scanned on May 12, 2026