Skill Instructions
Use this skill when a change touches backend routes, auth/session logic, file handling, imports/exports, or external input.
Objective
Prevent common security regressions with fast, practical checks during implementation.
Required Checks
- •Validate and sanitize external input at API boundaries.
- •Enforce auth/authz server-side for protected actions.
- •Ensure secrets/tokens are never hardcoded or logged.
- •Avoid information leakage in error responses.
- •Keep permission-sensitive operations explicit and auditable.
MedAssist Focus Areas
- •Route handlers in
backend/src/routes/. - •Auth-related code in
backend/src/plugins/and auth routes. - •Data import/export and sharing endpoints.
- •File/image upload and serving paths.
Anti-Patterns
- •Trusting frontend-only checks.
- •Accepting unchecked query/body/path input.
- •Returning raw internal errors to clients.
- •Weak defaults for sensitive operations.
Response Format
Report:
- •Security-sensitive files reviewed
- •Findings by severity (critical/major/minor)
- •Concrete remediation actions
- •Residual risk (if any)