ReddRadar
Agent skill
pitfalls-security
Security patterns for session keys, caching, logging, and environment variables. Use when implementing authentication, caching sensitive data, or setting up logging. Triggers on: session key, private key, cache, logging, secrets, environment variable.
Install this agent skill to your Project
npx add-skill https://github.com/aiskillstore/marketplace/tree/main/skills/barissozen/pitfalls-security
SKILL.md
Security Pitfalls
Common pitfalls and correct patterns for security.
When to Use
- Implementing session key management
- Caching data (especially sensitive)
- Setting up structured logging
- Handling environment variables
- Reviewing security-sensitive code
Workflow
Step 1: Check Key Storage
Verify no private keys stored in plaintext.
Step 2: Verify Cache Safety
Ensure sensitive data not cached inappropriately.
Step 3: Check Logging
Confirm no secrets in logs.
Session Key Security
// ❌ NEVER store private keys
localStorage.setItem('privateKey', key); // CATASTROPHIC
// ✅ Use session keys with limited permissions
interface SessionKey {
address: Address;
permissions: Permission[];
expiresAt: Date;
maxPerTrade: bigint;
}
// ✅ AES-256-GCM for any stored credentials
import { createCipheriv, randomBytes } from 'crypto';
const iv = randomBytes(16);
const cipher = createCipheriv('aes-256-gcm', key, iv);
// ✅ Audit logging for all key operations
await auditLog.create({
action: 'SESSION_KEY_CREATED',
userId,
metadata: { permissions, expiresAt },
});
Environment Variables
// Frontend (Vite)
const apiUrl = import.meta.env.VITE_API_URL; // ✅ VITE_ prefix required
// ❌ process.env.API_URL won't work in frontend
// Backend
const dbUrl = process.env.DATABASE_URL;
// ❌ NEVER log secrets
console.log('Config:', config); // May contain secrets!
// ✅ Log safely
console.log('Config loaded for:', config.environment);
Caching Strategies
// ✅ Server-side cache for expensive computations
const priceCache = new Map<string, { value: number; expires: number }>();
function getCachedPrice(token: string): number | null {
const cached = priceCache.get(token);
if (cached && cached.expires > Date.now()) {
return cached.value;
}
return null;
}
// ✅ TTL based on data freshness needs
const CACHE_TTL = {
tokenPrice: 10_000, // 10s - prices change fast
poolReserves: 5_000, // 5s - critical for swaps
gasPrice: 15_000, // 15s
userBalance: 30_000, // 30s
tokenMetadata: 3600_000, // 1 hour - rarely changes
};
// ❌ Never cache user-specific sensitive data
cache.set(`user:${userId}:privateKey`, key); // NEVER!
Structured Logging
// ✅ Structured logging (JSON format)
const logger = {
info: (message: string, context?: object) => {
console.log(JSON.stringify({
level: 'info',
message,
timestamp: new Date().toISOString(),
...context,
}));
},
error: (message: string, error: Error, context?: object) => {
console.error(JSON.stringify({
level: 'error',
message,
error: error.message,
stack: error.stack,
timestamp: new Date().toISOString(),
...context,
}));
},
};
// ✅ Include context
logger.info('Trade executed', {
userId: 'user123',
txHash: '0x...',
chain: 'ethereum',
profit: '12.34',
});
// ❌ NEVER log secrets
logger.info('Config', { apiKey: process.env.API_KEY }); // NEVER!
Audit Logging
// ✅ Audit logging for sensitive operations
await auditLog.create({
action: 'TRADE_EXECUTED',
userId,
before: previousState,
after: newState,
timestamp: new Date(),
metadata: { txHash, chain },
});
Quick Checklist
- No private keys in localStorage
- Session keys have expiry and limits
- AES-256-GCM for stored credentials
- Audit logging for sensitive operations
- No secrets in console.log
- Sensitive data not cached inappropriately
- VITE_ prefix for frontend env vars
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
aiskillstore/marketplace
perigon-backend
Perigon ASP.NET Core + EF Core + Aspire conventions
aiskillstore/marketplace
perigon-agent
Pointers for Copilot/agents to apply Perigon conventions
aiskillstore/marketplace
perigon-angular
Angular 21+ standalone/Material/signal conventions for Perigon WebApp
aiskillstore/marketplace
fastapi-mastery
Comprehensive FastAPI development skill covering REST API creation, routing, request/response handling, validation, authentication, database integration, middleware, and deployment. Use when working with FastAPI projects, building APIs, implementing CRUD operations, setting up authentication/authorization, integrating databases (SQL/NoSQL), adding middleware, handling WebSockets, or deploying FastAPI applications. Triggered by requests involving .py files with FastAPI code, API endpoint creation, Pydantic models, or FastAPI-specific features.
aiskillstore/marketplace
context7-efficient
Token-efficient library documentation fetcher using Context7 MCP with 86.8% token savings through intelligent shell pipeline filtering. Fetches code examples, API references, and best practices for JavaScript, Python, Go, Rust, and other libraries. Use when users ask about library documentation, need code examples, want API usage patterns, are learning a new framework, need syntax reference, or troubleshooting with library-specific information. Triggers include questions like "Show me React hooks", "How do I use Prisma", "What's the Next.js routing syntax", or any request for library/framework documentation.
aiskillstore/marketplace
browser-use
Browser automation using Playwright MCP. Navigate websites, fill forms, click elements, take screenshots, and extract data. Use when tasks require web browsing, form submission, web scraping, UI testing, or any browser interaction.
Didn't find tool you were looking for?