agentskills.codes

firebase-security-review


Install

mkdir -p .claude/skills/firebase-security-review && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14707" && unzip -o skill.zip -d .claude/skills/firebase-security-review && rm skill.zip

Installs to .claude/skills/firebase-security-review

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Audit this Firebase + Vue app for security issues before deploy. Use when asked to "security review", "セキュリティレビュー", "安全性チェック", "デプロイ前チェック", "脆弱性チェック", or after changing rules / functions / auth. Covers Firestore & Storage rules, App Check enforcement, exposed secrets, callable-function auth guards, and hosting / CSP headers. Reports findings with severity, file:line, and a concrete fix.
389 chars. ✓ Has a “when” trigger. Longer than Claude Code's old 250-char listing cap (fine on current versions).

About this skill

Firebase security review

Audit the surfaces below. For each finding report severity (High / Med / Low), file:line, why it matters, and the concrete fix. Verify claims against the code — do not assume.

1. Firestore & Storage rules (firestore.rules, storage.rules)

  • Default-deny catch-all present and last? Any if true / unauthenticated writes to real data?
  • Per-user data gated on request.auth.uid? Write payloads validated (hasOnly, type/size)?
  • Storage scoped per path, or a blanket if request.auth != null over {allPaths=**}? (deep-dive with the firestore-rules skill).

2. App Check

  • Callables should enforce App Check — either the enforceAppCheck: true option, or a manual guard that rejects un-attested calls:
    import { HttpsError } from "firebase-functions/v2/https";
    // request.app is only populated when the caller presented a valid App Check token
    if (request.app == undefined) {
      throw new HttpsError("failed-precondition", "…App Check verified app.");
    }

    Confirm each onCall in functions/src/wrappers/ enforces this. Without it, callables are reachable by anything holding the public config.

3. Secrets vs. public config

  • src/config/project.ts firebaseConfig is public web config — not a leak. Don't flag it.
  • DO flag: service-account JSON, private keys, API secrets, or tokens committed anywhere, or secrets hardcoded in functions/ instead of Cloud Secret Manager (defineSecret from firebase-functions/params). Grep for PRIVATE KEY, secret, token, .json credential files.

4. Function authorization & input

  • Every onCall that touches user data must check request.auth before acting — a signed-out or wrong user must not read/write another's data.
  • HTTP servers (functions/functions/server/* hono/express) exposed via hosting rewrites (/api/*, /hono_api/*, /v2_api/*): validate/authorize each route; don't trust the body.
  • Set sane resource limits in the function options (maxInstances, timeoutSeconds, memory) to cap abuse/cost.

5. Hosting headers (firebase.json)

  • Confirm CSP frame-ancestors 'none', X-Frame-Options: deny, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer are still present on source: "**".
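As an added example (not part of this skill or the project's code), a small TypeScript check for this item: it takes a parsed firebase.json, finds the hosting.headers block for source "**", and reports each of the four headers that is missing or weakened. The sample config at the bottom is constructed for illustration; the hosting.headers[].source / headers[].key,value layout is Firebase Hosting's own.

```typescript
interface HeaderRule { key: string; value: string; }
interface HostingHeaders { source: string; headers: HeaderRule[]; }
interface FirebaseJson { hosting?: { headers?: HostingHeaders[] }; }

// Hardened values the checklist expects on the catch-all source "**", keyed by lower-cased name.
const REQUIRED_HEADERS: { [hdr: string]: (v: string) => boolean } = {
  "content-security-policy": (v) => /frame-ancestors\s+'none'/i.test(v),
  "x-frame-options": (v) => v.trim().toLowerCase() === "deny",
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "referrer-policy": (v) => v.trim().toLowerCase() === "no-referrer",
};

// Returns findings as "High: ..." / "Med: ..." strings; an empty array means the headers are intact.
function checkHostingHeaders(config: FirebaseJson): string[] {
  const findings: string[] = [];
  const blocks = (config.hosting && config.hosting.headers) || [];
  let catchAll: HostingHeaders | undefined;
  for (const b of blocks) { if (b.source === "**") { catchAll = b; break; } }
  if (!catchAll) return ['High: firebase.json has no hosting.headers entry for source "**"'];
  // Header names are case-insensitive, so normalise before looking them up.
  const present: { [hdr: string]: string } = {};
  for (const h of catchAll.headers) present[h.key.toLowerCase()] = h.value;
  for (const hdr of Object.keys(REQUIRED_HEADERS)) {
    if (!(hdr in present)) {
      findings.push(`High: ${hdr} missing on source "**"`);
    } else if (!REQUIRED_HEADERS[hdr](present[hdr])) {
      findings.push(`Med: ${hdr} is "${present[hdr]}", not the hardened value`);
    }
  }
  return findings;
}

// Constructed sample (not the project's firebase.json): the CSP lost frame-ancestors
// and Referrer-Policy was relaxed, so the review should report two findings.
const SAMPLE_FIREBASE_JSON: FirebaseJson = {
  hosting: { headers: [{ source: "**", headers: [
    { key: "Content-Security-Policy", value: "default-src 'self'" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  ] }] },
};

function sampleFindings(): string[] {
  return checkHostingHeaders(SAMPLE_FIREBASE_JSON);
}

console.log(sampleFindings().join("\n"));
```

Point it at the real file with `JSON.parse(fs.readFileSync("firebase.json", "utf8"))` and treat any non-empty result as a finding to fix before `firebase deploy --only hosting`.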

6. Frontend

  • No v-html (XSS); no secrets in client code; auth guards (requireLogin) actually block protected views rather than only hiding UI.

7. Dependencies

  • yarn npm audit (root and functions/) for known-vulnerable packages; note Dependabot alerts.

Output

Group findings by severity, most severe first. If clean, say so explicitly and list what was checked. Recommend the exact deploy scope for any fix (firebase deploy --only firestore:rules etc.).
