security

MUST be used whenever fixing security issues in a Flows app, or before shipping any feature that handles credentials, user input, or external data. This skill finds AND fixes security problems — it does not just report them. Do NOT skip this when the user asks for a security fix, security hardening, or vulnerability remediation — run every step in order. Triggers: security, security fix, security hardening, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit.

1.08x

Quality

83%

Does it follow best practices?

Impact

100%

1.08x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Evaluation results

100%

Secrets & Config Hardening

Credential hygiene and Vite security headers

Criteria

Without context

With context

VITE_* env refs in config

100%

.env.example created

100%

.env in .gitignore

100%

console.log token removed

100%

console.error token removed

100%

vite define secret removed

70%

100%

CSP header added

83%

100%

X-Frame-Options header added

100%

X-Content-Type-Options header added

100%

Summary report produced

100%

No secrets in outputs

100%

CDF Data Layer Modernization

Migrate raw CDF HTTP calls to Cognite SDK

Criteria

Without context

With context

assetService uses SDK list

100%

assetService uses SDK retrieve

100%

assetService uses SDK create

100%

timeseriesService datapoints via SDK

100%

timeseriesService list via SDK

100%

Authorization header removed

100%

api-key header removed

100%

axios import removed

100%

Non-CDF fetches retained

100%

Non-CDF fetch comments added

100%

Migration report produced

100%

18%

Frontend Security Hardening

DOM sanitization, Zod URL param validation, auth guards

Criteria

Without context

With context

DOMPurify import in ReportViewer

100%

ReportViewer htmlContent sanitized

100%

NotificationBanner message sanitized

100%

Zod schema for URL params

100%

safeParse used for URL params

100%

No 'as string/number' casts on params

100%

Nullish param handling

100%

Dashboard route auth-guarded

100%

Settings route auth-guarded

100%

AssetDetail route auth-guarded

100%

Hardening report produced

100%

Repository: cognitedata/builder-skills
Commit: d6af887

Evaluated: 7 days ago
Agent: Claude Code
Model: Claude Sonnet 4.6

Table of Contents

Secrets & Config Hardening CDF Data Layer Modernization Frontend Security Hardening

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.