security-audit

Installation
SKILL.md

Security Audit

Perform a security audit of the backend codebase, focusing on vulnerabilities that could be exploited by external attackers. Check every category below systematically.

Audit Categories

1. SQL & Query Performance (DoS via slow queries)

Scan all files in src/query-builders/ and any raw SQL in src/controllers/ or src/utils/.

For each query, check:

  • CTE materialization: Does any ORDER BY on a CTE wrapper force full materialization before LIMIT is applied? PostgreSQL must fully materialize and sort before it can limit, turning a lazy evaluation into a full scan.
  • Missing LIMIT: Are there queries that return unbounded results? An attacker who controls data volume (e.g., pushing keys to a Stellar contract) can force massive result sets.
  • Recursive CTEs without termination guards: Could a recursive query run indefinitely or for an attacker-controlled number of iterations?
  • Sequential scalar subqueries: Does the query pattern cause N+1-style execution where N is attacker-controlled?
  • Missing indexes: Are WHERE/ORDER BY clauses hitting columns without indexes? Check against the Prisma schema.

For each issue found, explain:

Installs
1
GitHub Stars
1
First Seen
Jun 22, 2026
security-audit — stellar/laboratory-backend