api-error-handling

Warn

Audited by Socket on Feb 22, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

All findings:

- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This is a legitimate error-handling design guide that is mostly consistent with its purpose, but it contains a critical security policy flaw: it mandates showing error messages to end users (via SweetAlert2) and encourages extraction of raw PDOException messages for display. That combination creates a realistic risk of sensitive information leakage (DB values, emails, constraint names, internal messages) and misconfiguration in production. The unspecified external dependency ('Vibe Security Skill') is another moderate supply-chain/trust concern. There is no sign of active malware or obfuscation, but the documented patterns raise moderate-to-high security risk for real deployments unless strict sanitization, environment-based gating (never show DB messages in production), and vetting of external dependencies are enforced.

LLM verification: This skill is functionally aligned with its stated purpose (API error handling + frontend display). It is not itself malicious, but contains design choices and explicit directives that increase the risk of sensitive data leakage and unsafe API semantics: specifically, mandating that all errors be shown to end users via SweetAlert2 while also instructing to extract raw PDOException/SQLSTATE messages is a conflict that can lead to exposing database internals, identifiers, or stack traces. The undo

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 22, 2026, 07:46 PM
Package URL
pkg:socket/skills-sh/peterbamuhigire%2Fskills-web-dev%2Fapi-error-handling%2F@e491885a68ffd24f7344cc21d982ba6ec577fad7