
Security
Run an ordered find-and-fix security pass on Cognite Flows (Vite/React) apps before shipping features that touch auth, secrets, or untrusted input.
Overview
Security is an agent skill most often used in Ship (also late Build on sensitive features) that maps a Flows app attack surface and fixes vulnerabilities in order—not just listing them.
Install
npx skills add https://github.com/cognitedata/builder-skills --skill security
What is this skill?
- MUST-run skill: every finding step is also a fix step—not report-only auditing
- Step 1 maps attack surface via main/App entry, vite.config, package.json, and auth/credential globs
- Covers auth guards on routes, external data ingress (CDF SDK, fetch, forms), and write-back paths
- Explicit triggers: XSS, injection, tokens, CORS, CSP, dependency audit, and credential handling
- Optional scope argument to audit a single file or directory vs the whole app
- Workflow is structured as ordered steps beginning with attack-surface mapping (Step 1)
Adoption & trust: 1k installs on skills.sh; 4 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You are about to ship—or already debugging—a Flows app with auth, CDF calls, or user input and need fixes applied, not a generic security report that leaves XSS or secret leaks in place.
Who is it for?
Cognite Flows / Vite React apps when credentials, tokens, or external data appear in the diff and you want the agent to patch as it audits.
Skip if: Non-Flows stacks with no React/Vite/CDF assumptions, or teams that only want passive scanning without Write/Shell remediation.
When should I use this skill?
User asks for security fix, hardening, vulnerability remediation, XSS, injection, credentials, auth, CORS, CSP, or dependency audit on a Flows app.
What do I get? / Deliverables
Attack surface is documented from entry and config files and identified issues are remediated in the codebase before merge or release.
- Remediated security issues across scoped files or whole app
- Documented route/auth and data-flow understanding from Step 1 mapping
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/Security is canonical because the skill is mandatory before release and on explicit vulnerability remediation—not optional doc polish. Security subphase matches remediation workflows (XSS, injection, CORS, CSP, dependency risk) rather than functional test cases alone.
Where it fits
Run whole-app audit after adding a new authenticated route that upserts data via CDF SDK.
Harden a feature branch when fetch proxies and token storage land in the same sprint.
Respond to a reported CORS or CSP misconfiguration in production-configured Vite headers.
How it compares
An in-repo fix workflow for indie Flows apps—not a passive MCP vulnerability feed or generic OWASP markdown without code changes.
Common Questions / FAQ
Who is security for?
Solo builders and small teams using Cognite builder-skills with Claude Code or Cursor to harden Flows web apps that integrate CDF SDK, routing, and Vite tooling.
When should I use security?
Use it in Ship before releasing features with user input or secrets; during Build when adding auth or CDF write paths; and whenever triggers like XSS, injection, CORS, CSP, or dependency audit appear in the request.
Is security safe to install?
Review the Security Audits panel on this Prism page; the skill allows Shell and Write for remediation—run in a trusted repo backup and verify diffs before merge.
SKILL.md
# Security Fix

Find and fix security issues in **$ARGUMENTS** (or the whole app if no argument is given). Work through every step below in order. Every step that finds an issue must also fix it.

---

## Step 1 — Map the attack surface

Read these files before checking anything:

- `src/main.tsx` / `src/App.tsx` — entry point, routing, auth gating
- `vite.config.ts` — dev server proxy, CORS, headers
- `package.json` — list of third-party dependencies
- Any file matching `**/auth*`, `**/login*`, `**/token*`, `**/credential*`

Identify:

- All pages/routes and whether each is behind an auth guard
- All places where external data enters the app (CDF SDK calls, `fetch`, user form input)
- All places where data is written back (CDF upsert, `fetch` POST/PUT/DELETE)

---

## Step 2 — Migrate all CDF access to the Cognite SDK

All traffic to **Cognite Data Fusion (CDF)** must go through the **official Cognite SDK**. Find **any** HTTP, WebSocket, or other network call to CDF-like hosts or APIs that **bypasses** the SDK and rewrite it to use the SDK.

### Search for raw HTTP calls

```bash
# Find fetch, axios, XMLHttpRequest, and other HTTP client usage
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
  -E "(fetch\(|axios\.|axios\(|XMLHttpRequest|\.ajax\(|http\.get\(|http\.post\(|request\()" src/

# Find raw URL construction that looks like CDF endpoints
grep -rn --include="*.ts" --include="*.tsx" \
  -E "(cognitedata\.com|cognite\.ai|/api/v1/projects|cdf\.|\.cognite\.)" src/

# Find custom Authorization or api-key headers
grep -rn --include="*.ts" --include="*.tsx" \
  -E "(Authorization|api-key|apikey|x-api-key)" src/ | grep -v "node_modules"
```

### How to fix

For each raw CDF call found, read the surrounding code to understand what CDF resource and operation it targets, then rewrite it using the appropriate SDK method. Remove the raw HTTP client import if it's no longer used.
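The three searches above each produce a separate hit list. This added example (not part of the skill's own SKILL.md) correlates them per file so that a `fetch` whose CDF URL is built on a different line is still flagged for the SDK rewrite. The regexes are copied from the grep commands; the function names, action labels, sample paths and hosts are constructed for illustration.

```javascript
// Patterns copied from the three grep searches in Step 2.
const HTTP_CALL = /(fetch\(|axios\.|axios\(|XMLHttpRequest|\.ajax\(|http\.get\(|http\.post\(|request\()/;
const CDF_REF = /(cognitedata\.com|cognite\.ai|\/api\/v1\/projects|cdf\.|\.cognite\.)/;
const AUTH_HEADER = /(Authorization|api-key|apikey|x-api-key)/;

// Return the 1-based line numbers of `source` that match `pattern`.
function matchingLines(source, pattern) {
  return source.split("\n").flatMap((line, i) => (pattern.test(line) ? [i + 1] : []));
}

// Triage one file. Correlating per file rather than per line catches calls
// whose URL is assembled on a different line from the fetch()/axios call.
function triageFile(path, source) {
  const calls = matchingLines(source, HTTP_CALL);
  const cdf = matchingLines(source, CDF_REF);
  const auth = matchingLines(source, AUTH_HEADER);
  let action = "none";                         // no raw HTTP client usage
  if (calls.length && cdf.length) action = "rewrite-to-sdk";
  else if (calls.length) action = "leave-and-document";
  // Custom auth headers only need removing where the call is being rewritten.
  const removeAuthHeader = action === "rewrite-to-sdk" ? auth : [];
  return { path, action, calls, cdf, removeAuthHeader };
}

// Triage a map of { path: sourceText }.
function triage(files) {
  return Object.entries(files).map(([path, src]) => triageFile(path, src));
}

// Constructed sample sources (hypothetical paths and hosts).
const SAMPLE = {
  "src/api/assets.ts": [
    "const base = `https://api.cognitedata.com/api/v1/projects/${project}`;",
    "export async function listAssets(token: string) {",
    "  return fetch(`${base}/assets/list`, {",
    "    method: 'POST',",
    "    headers: { Authorization: `Bearer ${token}` },",
    "  });",
    "}",
  ].join("\n"),
  "src/ui/logo.ts": "export const logo = () => fetch('https://cdn.example.com/logo.svg');",
  "src/util/format.ts": "export const pct = (n: number) => `${(n * 100).toFixed(1)}%`;",
};

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

A `leave-and-document` verdict is only a starting point: a URL imported from another module will not appear in the same file, so those call sites still need to be read by hand.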
| Pattern | Action |
|---------|--------|
| `fetch()` or `axios` call to a CDF URL (`*.cognitedata.com`, `/api/v1/projects/*`) | **Rewrite** to use the Cognite SDK (`cognite.files.getDownloadUrls(...)`, `cognite.timeseries.retrieve(...)`, `client.instances.search(...)`, etc.) |
| Custom `Authorization` header with a CDF token | **Remove** — the SDK handles auth automatically |
| WebSocket connection to CDF endpoints | **Rewrite** to use SDK streaming methods |
| Proxy endpoint that forwards to CDF internally | **Rewrite** the proxy to use the SDK internally |
| `fetch()` to a non-CDF URL (static assets, documented third-party API) | **Leave** — but add a comment documenting why it's needed |

After rewriting all CDF calls, remove any `axios` or `fetch`-related imports that are no longer used.

### What is acceptable

- All CDF reads/writes through `sdk.files.*`, `sdk.timeseries.*`, `client.instances.*`, etc.
- Non-CDF network calls that are:
  - To known static asset hosts (CDNs, image services)
  - To documented third-party APIs required by the product
  - Explicitly noted in the app's README or architecture docs

---

## Step 3 — Find and fix credential & secret hygiene

Search for hard-coded credentials and sensitive values:

```bash
# Look for anything that smells like a secret in source files
grep -rn