
Convex Security Check
Run a quick Convex-focused security pass on auth, exposed functions, args validation, and row-level access before shipping backend changes.
Overview
Convex Security Check is an agent skill most often used in Ship (also Build, Operate) that runs a quick security audit checklist for Convex authentication, function exposure, argument validation, and row-level access.
Install
npx skills add https://github.com/waynesutton/convexskills --skill convex-security-check
What is this skill?
- Quick security audit checklist framing for Convex backends.
- Covers authentication posture and whether functions are appropriately exposed.
- Argument validation review for queries, mutations, and related entry points.
- Row-level access control checks aligned with Convex data model expectations.
- Fits agent-assisted review before deploy rather than replacing formal penetration testing.
- 5 explicit audit areas: authentication, function exposure, argument validation, row-level access, environment variable handling
Adoption & trust: 2.2k installs on skills.sh; 402 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You shipped Convex functions quickly and are unsure whether auth, validators, and table rules actually prevent cross-user data access.
Who is it for?
Indie full-stack developers on Convex who own backend functions and need a lightweight pre-ship security review inside their agent workflow.
Skip if: Non-Convex stacks, compliance-heavy regulated audits requiring formal attestations, or teams that already run full SAST/DAST pipelines as the sole gate.
When should I use this skill?
Quick Convex security audit needed covering authentication, function exposure, argument validation, and row-level access control before or after backend changes.
What do I get? / Deliverables
You get a structured Convex security checklist review highlighting auth gaps, overexposed functions, weak validation, and row-level access risks to fix before or right after deploy.
- Security checklist findings by area (auth, exposure, validation, access)
- Prioritized fix list for Convex functions and rules
- Notes on residual risks outside checklist scope
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Overexposed queries and mutations do not fail loudly in production; they quietly return or modify rows the caller should never reach, so security review belongs in the ship gate for solo full-stack builders. Canonical shelf is ship/security because the skill is an audit checklist for authentication, function exposure, validation, and data access, not day-two Convex schema design or growth analytics.
Where it fits
After adding new mutations, verify argument validators and caller identity before merging.
Pre-release checklist: no public queries leaking private rows and auth rules match product intent.
Post-incident or permission refactor—re-audit function exposure and row-level access patterns.
How it compares
Convex-tailored security checklist skill—not a generic OWASP scanner integration or infrastructure IAM playbook.
Common Questions / FAQ
Who is convex-security-check for?
Solo and small-team builders using Convex for backend APIs and real-time data who want agent-guided security review focused on Convex function and access patterns.
When should I use convex-security-check?
Use it during ship security review before production deploy, while building new mutations or queries in build/backend, or during operate when you change permissions or investigate a data leak concern.
Is convex-security-check safe to install?
Use the Security Audits panel on this Prism page to assess upstream repo risk; the skill guides review of your codebase and does not replace your judgment on secrets handling and deployment credentials.
SKILL.md
SKILL.md - Convex Security Check
---
name: convex-security-check
displayName: Convex Security Check
description: Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling
version: 1.0.0
author: Convex
tags: [convex, security, authentication, authorization, checklist]
interface:
  icon_small: "./assets/small-logo.svg"
  icon_large: "./assets/large-logo.png"
---

# Convex Security Check

A quick security audit checklist for Convex applications covering authentication, function exposure, argument validation, row-level access control, and environment variable handling.
## Documentation Sources

Before implementing, do not assume; fetch the latest documentation:

- Primary: https://docs.convex.dev/auth
- Production Security: https://docs.convex.dev/production
- Functions Auth: https://docs.convex.dev/auth/functions-auth
- For broader context: https://docs.convex.dev/llms.txt

## Instructions

### Security Checklist

Use this checklist to quickly audit your Convex application's security:

#### 1. Authentication

- [ ] Authentication provider configured (Clerk, Auth0, etc.)
- [ ] All sensitive queries check `ctx.auth.getUserIdentity()`
- [ ] Unauthenticated access explicitly allowed where intended
- [ ] Session tokens properly validated

#### 2. Function Exposure

- [ ] Public functions (`query`, `mutation`, `action`) reviewed
- [ ] Internal functions use `internalQuery`, `internalMutation`, `internalAction`
- [ ] No sensitive operations exposed as public functions
- [ ] HTTP actions validate origin/authentication

#### 3. Argument Validation

- [ ] All functions have explicit `args` validators
- [ ] All functions have explicit `returns` validators
- [ ] No `v.any()` used for sensitive data
- [ ] ID validators use correct table names

#### 4. Row-Level Access Control

- [ ] Users can only access their own data
- [ ] Admin functions check user roles
- [ ] Shared resources have proper access checks
- [ ] Deletion functions verify ownership

#### 5. Environment Variables

- [ ] API keys stored in environment variables
- [ ] No secrets in code or schema
- [ ] Different keys for dev/prod environments
- [ ] Environment variables accessed only in actions

### Authentication Check

```typescript
// convex/auth.ts
import { query, mutation } from "./_generated/server";
import type { QueryCtx, MutationCtx } from "./_generated/server";
import { v, ConvexError } from "convex/values";

// Helper to require authentication: throws a ConvexError (safe to surface to
// the client) when no identity is attached to the request.
async function requireAuth(ctx: QueryCtx | MutationCtx) {
  const identity = await ctx.auth.getUserIdentity();
  if (!identity) {
    throw new ConvexError("Authentication required");
  }
  return identity;
}

// Secure query pattern: explicit args and returns validators, identity
// checked before any data is read, and only the caller's own row returned.
export const getMyProfile = query({
  args: {},
  // The page is cut off after `v.object({`; the profile fields, the "users"
  // table and its "by_token" index below are assumed to complete the snippet.
  returns: v.union(
    v.object({ _id: v.id("users"), name: v.string() }),
    v.null(),
  ),
  handler: async (ctx) => {
    const identity = await requireAuth(ctx);
    const user = await ctx.db
      .query("users")
      .withIndex("by_token", (q) =>
        q.eq("tokenIdentifier", identity.tokenIdentifier),
      )
      .unique();
    return user ? { _id: user._id, name: user.name } : null;
  },
});
```
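The checklist items that catch the most real bugs are the row-level ones: a deletion mutation that trusts a client-supplied document ID without confirming ownership is the classic cross-user data access the overview warns about. The following is an added example, not code from the convex-security-check skill or the Convex project. It shows a vulnerable `deleteNote` beside a hardened one that requires an identity, loads the row, and checks ownership or an admin role before mutating. So that it runs offline, the Convex `MutationCtx` is replaced by a small synchronous stand-in (in a real deployment `ctx` comes from `./_generated/server` and every `ctx.db`/`ctx.auth` call returns a Promise); the `notes` table with an `ownerId` field, the admin role lookup, and the sample rows are all constructed for the example.

```typescript
// Added example (not from the skill): row-level access control for a
// deletion mutation, vulnerable form beside the hardened form. The Convex
// context is a synchronous in-memory stand-in so the logic runs offline.

type NoteId = string; // stands in for Id<"notes">

interface Note {
  _id: NoteId;
  ownerId: string; // identity.tokenIdentifier of the owner (assumed schema)
  body: string;
}

interface Identity {
  tokenIdentifier: string;
}

// Minimal stand-in for the parts of MutationCtx the example touches.
interface Ctx {
  auth: { getUserIdentity(): Identity | null };
  db: {
    get(id: NoteId): Note | null;
    delete(id: NoteId): void;
  };
  // Constructed role lookup; in Convex this would normally be a users-table read.
  roleOf(identity: Identity): "admin" | "member";
}

export class AccessError extends Error {}

// VULNERABLE: any caller who knows or guesses a note id can delete it.
// No identity check, no ownership check: the row-level decision is left
// to the client, which is exactly what checklist item 4 flags.
export function deleteNoteVulnerable(ctx: Ctx, args: { noteId: NoteId }): void {
  ctx.db.delete(args.noteId);
}

// HARDENED: require an identity, load the row, and allow the delete only
// for the owner or an explicit admin. Unknown ids and foreign rows map to
// the same error so the function does not leak whether a row exists.
export function deleteNoteSecure(ctx: Ctx, args: { noteId: NoteId }): void {
  const identity = ctx.auth.getUserIdentity();
  if (identity === null) {
    throw new AccessError("Authentication required");
  }
  const note = ctx.db.get(args.noteId);
  const isOwner = note !== null && note.ownerId === identity.tokenIdentifier;
  const isAdmin = ctx.roleOf(identity) === "admin";
  if (!isOwner && !isAdmin) {
    throw new AccessError("Not found or not permitted");
  }
  ctx.db.delete(args.noteId);
}

// Constructed in-memory context: two users with one note each, one admin.
export function makeCtx(caller: Identity | null): Ctx & { notes: Map<NoteId, Note> } {
  const notes = new Map<NoteId, Note>([
    ["n1", { _id: "n1", ownerId: "user:alice", body: "alice's note" }],
    ["n2", { _id: "n2", ownerId: "user:bob", body: "bob's note" }],
  ]);
  const admins = new Set(["user:root"]);
  return {
    notes,
    auth: { getUserIdentity: () => caller },
    db: {
      get: (id) => notes.get(id) ?? null,
      delete: (id) => {
        notes.delete(id);
      },
    },
    roleOf: (identity) => (admins.has(identity.tokenIdentifier) ? "admin" : "member"),
  };
}

// Run one form against Bob's note as the given caller (null = anonymous) and
// report whether the note survived, so the outcome is a return value.
export function bobNoteSurvives(useSecure: boolean, callerToken: string | null): boolean {
  const ctx = makeCtx(callerToken === null ? null : { tokenIdentifier: callerToken });
  try {
    (useSecure ? deleteNoteSecure : deleteNoteVulnerable)(ctx, { noteId: "n2" });
  } catch (e) {
    if (!(e instanceof AccessError)) throw e;
  }
  return ctx.notes.has("n2");
}
```

In a real Convex function the same shape applies with `await` on `ctx.auth.getUserIdentity()` and `ctx.db.get()`, `args: { noteId: v.id("notes") }` as the validator so a caller cannot pass an ID from another table, and a `ConvexError` in place of the local `AccessError`. Returning one generic error for both "missing" and "not yours" is deliberate: distinct messages let an attacker enumerate which IDs exist.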