fullstack-dev
Guides users through full-stack app development, covering backend architecture, frontend integration, and REST API creation.
Security score
The fullstack-dev skill was audited on May 27, 2026 and we found 32 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 266 | if (!value) throw new Error(`Missing required env var: ${name}`); // fail fast |
Template literal with variable interpolation in command context
| 317 | super(`${resource} not found: ${id}`, 'NOT_FOUND', 404); |
Template literal with variable interpolation in command context
| 426 | super(body?.detail || body?.message || `API error ${status}`); |
Template literal with variable interpolation in command context
| 433 | const res = await fetch(`${BASE_URL}${path}`, { |
Template literal with variable interpolation in command context
| 437 | ...(token ? { Authorization: `Bearer ${token}` } : {}), |
Template literal with variable interpolation in command context
| 614 | console.log(`Order created for user ${user.id} with total ${order.total}`); |
Template literal with variable interpolation in command context
| 669 | const cached = await redis.get(`user:${id}`); |
Template literal with variable interpolation in command context
| 675 | await redis.set(`user:${id}`, JSON.stringify(user), 'EX', 900); // 15min TTL |
Template literal with variable interpolation in command context
| 714 | const key = `uploads/${crypto.randomUUID()}-${filename}`; |
Template literal with variable interpolation in command context
| 727 | `/api/uploads/presign?filename=${file.name}&type=${file.type}` |
Template literal with variable interpolation in command context
| 770 | res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`); |
Template literal with variable interpolation in command context
| 783 | const source = new EventSource(`/api/events?userId=${userId}`); |
Template literal with variable interpolation in command context
| 833 | queryFn: () => apiClient.get<Order>(`/api/orders/${orderId}`), |
Curl to non-GitHub URL
| 81 | curl http://localhost:3000/health |
Curl to non-GitHub URL
| 82 | curl http://localhost:3000/api/<resource> |
Fetch to external URL
| 741 | const res = await fetch('/api/upload', { method: 'POST', body: formData }); |
Access to .env file
| 132 | - [ ] `.env.example` committed (no real secrets) |
Access to .env file
| 259 | port: parseInt(process.env.PORT || '3000', 10), |
Access to .env file
| 261 | auth: { jwtSecret: requiredEnv('JWT_SECRET'), expiresIn: process.env.JWT_EXPIRES_IN || '1h' }, |
Access to .env file
| 265 | const value = process.env[name]; |
Access to .env file
| 281 | env_file = ".env" |
Access to .env file
| 292 | ✅ Commit .env.example with dummy values |
Access to .env file
| 295 | ❌ Never commit .env files |
Access to .env file
| 296 | ❌ Never scatter process.env / os.environ throughout code |
Access to .env file
| 422 | const BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3001'; |
Access to .env file
| 716 | Bucket: process.env.S3_BUCKET, Key: key, |
Access to .env file
| 986 | | 2 | `process.env` scattered everywhere | Centralized typed config | |
External URL reference
| 81 | curl http://localhost:3000/health |
External URL reference
| 82 | curl http://localhost:3000/api/<resource> |
External URL reference
| 422 | const BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3001'; |
External URL reference
| 526 | --input http://localhost:3001/api/openapi.json \ |
External URL reference
| 705 | Server → { uploadUrl: "https://s3.../presigned", fileKey: "uploads/abc123.jpg" } |