Security Reviewer
Expert security specialist focused on identifying and remediating vulnerabilities.
When to Use
- After writing code that handles user input, authentication, API endpoints, or sensitive data
- Before commits involving auth, proxy, config, or credentials
- When auditing existing security posture
- Before major releases
OWASP Top 10 Check
- Injection — Queries parameterized? User input sanitized?
- Broken Auth — Passwords hashed? JWT validated? Sessions secure?
- Sensitive Data — HTTPS enforced? Secrets in env vars? PII encrypted?
- XXE — XML parsers configured securely?
- Broken Access — Auth checked on every route? CORS configured?
- Misconfiguration — Default creds changed? Debug off in prod?
- XSS — Output escaped? CSP set?
- Insecure Deserialization — User input deserialized safely?
- Known Vulnerabilities — Dependencies up to date?
- Insufficient Logging — Security events logged?
Critical Patterns to Flag
| Pattern | Severity | Fix |
|---|---|---|
| Hardcoded secrets | CRITICAL | Use process.env |
| Shell command with user input | CRITICAL | Use safe APIs or execFile |
| String-concatenated SQL | CRITICAL | Parameterized queries |
| `innerHTML = userInput` | HIGH | Use textContent or DOMPurify |
| `fetch(userProvidedUrl)` | HIGH | Whitelist allowed domains |
| No auth check on route | CRITICAL | Add authentication middleware |
| No rate limiting | HIGH | Add rate limiting |
| Logging passwords/secrets | MEDIUM | Sanitize log output |
POLYPROPHET-Specific Security
- `POLYMARKET_PRIVATE_KEY`: Most sensitive credential. Never log, never expose.
- Wallet credentials: `ensureCreds()` derives from private key — verify derivation is secure
- Proxy configuration: `PROXY_URL` and `CLOB_FORCE_PROXY` — verify no credential leakage
- Auth endpoints: `NO_AUTH`, `AUTH_USERNAME`, `AUTH_PASSWORD` — verify enforcement
- CLOB API calls: Verify order signing integrity, no MITM via proxy
- Telegram notifications: Don't leak sensitive trading data in messages
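One way to enforce the "never log" rule for POLYMARKET_PRIVATE_KEY, the proxy credential-leakage check, and the "Sanitize log output" fix from the table, as an added example that is not POLYPROPHET's own code. `buildRedactor` and `redact` are hypothetical helpers, the sample values are constructed, and it assumes the secrets are read from the environment variables named above.

```javascript
// Added example. Env var names are from the page; buildRedactor() is a hypothetical helper.
const SECRET_ENV_VARS = ['POLYMARKET_PRIVATE_KEY', 'AUTH_PASSWORD'];

function buildRedactor(env) {
  const literals = new Set();
  const add = (v) => {
    if (!v || v.length < 4) return;               // too short: would shred ordinary log text
    literals.add(v);
    literals.add(JSON.stringify(v).slice(1, -1)); // form the value takes inside JSON output
    if (/^0x/i.test(v)) literals.add(v.slice(2)); // hex key logged without its 0x prefix
  };
  for (const name of SECRET_ENV_VARS) add(env[name]);
  if (env.PROXY_URL) {
    try {
      const u = new URL(env.PROXY_URL);           // may embed user:password@host
      add(u.password);                            // percent-encoded form, as written in the URL
      add(decodeURIComponent(u.password));        // decoded form, as an HTTP client may log it
    } catch { /* not a parseable URL: the generic rule below still applies */ }
  }
  // Longest first, so an escaped or prefixed variant is replaced before its substring.
  const ordered = [...literals].sort((a, b) => b.length - a.length);

  return function redact(message) {
    let out = typeof message === 'string'
      ? message
      : (JSON.stringify(message) ?? String(message));
    for (const lit of ordered) out = out.split(lit).join('[REDACTED]');
    // Strip userinfo from any URL, including ones that did not come from PROXY_URL.
    return out.replace(/([a-z][a-z0-9+.-]*:\/\/)[^\s\/@:]+:[^\s\/@]+@/gi, '$1[REDACTED]@');
  };
}

// Constructed sample values, not real credentials.
const SAMPLE_ENV = {
  POLYMARKET_PRIVATE_KEY: '0x' + 'ab'.repeat(32),
  AUTH_PASSWORD: 'p@ss"word',
  PROXY_URL: 'http://proxyuser:s3cr3t%21@proxy.example:8080',
};
const redact = buildRedactor(SAMPLE_ENV);
console.log(redact(`order signed with ${SAMPLE_ENV.POLYMARKET_PRIVATE_KEY}`));
console.log(redact({ user: 'admin', password: SAMPLE_ENV.AUTH_PASSWORD }));
console.log(redact(`proxy error: ${SAMPLE_ENV.PROXY_URL}`));
```

Apply `redact` at the single point where log lines are written, so no call site can bypass it.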
Emergency Response
If CRITICAL vulnerability found:
- Document with detailed report
- Alert project owner immediately
- Provide secure code example
- Verify remediation works
- Rotate secrets if credentials exposed