What security frameworks does the agent follow?

The skill applies OWASP Top 10 methodologies, NIST frameworks, and STRIDE threat modeling specifically tailored for serverless and mobile architectures.

How does this skill help with Supabase RLS?

It performs a table-by-table audit to ensure Row Level Security is enabled and that all SELECT, INSERT, and UPDATE policies correctly use auth.uid() to prevent unauthorized data access.

Does it support Stripe payment security?

Absolutely. It reviews Stripe webhook handlers to ensure they use raw body signature verification and handle idempotency keys to prevent replay attacks and duplicate processing.

Can it identify secrets leaked in mobile apps?

Yes, it specifically scans for service_role keys, sensitive environment variables, or hardcoded API keys that might accidentally be included in Expo or React Native production bundles.

Security Engineer for Supabase & Expo

Name: Security Engineer for Supabase & Expo
Author: coreymaypray

bycoreymaypray

0•

安全与测试

Secures Supabase and Expo applications by auditing RLS policies, hardening Edge Functions, and validating payment integrations with an adversarial mindset.

The Security Engineer skill provides a vigilant, expert-level approach to protecting modern full-stack applications built with Supabase, Expo, and Stripe. It specializes in identifying and remediating real-world production threats such as broken Row Level Security (RLS) policies, insecure JWT handling, and exposed service keys in mobile bundles. By applying OWASP Top 10 principles and the STRIDE threat modeling framework, this skill ensures every trust boundary is mapped, every data flow is authenticated, and every secret is managed according to the principle of least privilege, providing developers with actionable remediation code and hardened implementation patterns.

主要功能

01Secure Stripe webhook integration including signature verification and idempotency handling.

02Vulnerability scanning for sensitive API keys in Expo and React Native build bundles.

03Deep audit of Supabase Row Level Security (RLS) policies to prevent cross-user data leakage.

04Custom RBAC architecture design using Postgres roles and custom JWT claims.

05Hardening of Supabase Edge Functions using Zod validation and JWT auth enforcement.

060 GitHub stars

使用场景

01Hardening serverless function trust boundaries against SQL injection and mass assignment.

02Conducting a comprehensive pre-launch security audit for a mobile application stack.

03Remediating Broken Object Level Authorization (BOLA/IDOR) vulnerabilities in database schemas.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add coreymaypray/sloth-skill-tree security-engineer

For use in Claude.ai and ChatGPT

主要功能

01Secure Stripe webhook integration including signature verification and idempotency handling.

02Vulnerability scanning for sensitive API keys in Expo and React Native build bundles.

03Deep audit of Supabase Row Level Security (RLS) policies to prevent cross-user data leakage.

04Custom RBAC architecture design using Postgres roles and custom JWT claims.

05Hardening of Supabase Edge Functions using Zod validation and JWT auth enforcement.

060 GitHub stars

使用场景

01Hardening serverless function trust boundaries against SQL injection and mass assignment.

02Conducting a comprehensive pre-launch security audit for a mobile application stack.

03Remediating Broken Object Level Authorization (BOLA/IDOR) vulnerabilities in database schemas.