security-audit
Audited by Socket on Mar 9, 2026
1 alert found:
Obfuscated File

The skill focuses on a broad but coherent security audit scope for a web app and its backend, with appropriate emphasis on CSP, security headers, RLS, input sanitization, proper secret handling, and webhook security. No malicious activity is evident, and there are no evident download/install chains or credential harvesting mechanisms. Some risk-relevant patterns exist, notably CSP looseness (unsafe-inline/unsafe-eval), potential exposure of secrets in frontend guidance, and the need for thorough enforcement of RLS and rate limiting. Overall, the footprint is benign and aligned with the stated purpose, but the implementation would benefit from tightening CSP, validating secret management practices, and completing concrete enforcement details for rate limiting and per-endpoint protections.