Prem95/ship-check
ship-check

A Claude Code skill that audits your codebase for the 30 most common security, performance, and reliability mistakes that ship in indie and AI-generated projects.

What it checks

Security (Critical)

  1. No rate limiting on API routes
  2. Auth tokens stored in localStorage
  3. No input sanitization on forms
  4. Hardcoded API keys in frontend
  5. Stripe webhooks without signature verification
  6. Sessions that never expire
  7. Password reset links that don't expire
  9. Missing or overly permissive CORS policy (e.g. a wildcard origin combined with credentials)
  9. Admin routes without role checks
  10. No request size limits
  11. Secrets committed to git history
  12. No idempotency on payment endpoints
  13. Missing security headers (CSP, HSTS, X-Frame-Options)
  14. No request timeouts on outbound HTTP calls
  15. No file type/size validation on uploads
  16. Weak or no password hashing

Performance (High)

  1. No database indexing on queried fields
  2. No pagination on database queries
  3. Images uploaded directly to server (no CDN)
  4. Emails sent synchronously in request handlers
  5. No database connection pooling

Reliability (Medium-High)

  1. No error boundaries in UI
  2. No environment variable validation at startup
  3. No health check endpoint
  4. No logging in production
  5. No backup strategy for database
  6. No TypeScript on AI-generated code
  7. No graceful shutdown handling
  8. No audit trail on sensitive operations
  9. Unhandled promise rejections

Usage

Install the skill in Claude Code, then run:

/ship-check

Or trigger naturally with phrases like "audit my app", "is this production ready", "security check", or "before I launch".

The skill detects your stack, greps through all 30 items (security-critical first), and outputs a severity-grouped report with specific file:line references and concrete fix suggestions for your codebase.
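
To make the "grep through the items and report file:line" workflow concrete, here is a small stand-alone audit in the same spirit. It is an added example, not the skill's own implementation: the four checks, their regexes and the fix text are my own narrow heuristics covering a subset of the Security list, and every file path and file body in `SAMPLE_FILES` is constructed for the demo. The skill's real checks are driven by Claude Code and are stack-aware in ways a handful of regexes cannot be.

```javascript
// Added example, not ship-check's own code: a minimal grep-style audit that mirrors
// the skill's workflow (scan files, record file:line findings, group by severity).
// Paths, file contents and check patterns below are constructed for the demo.

const CHECKS = [
  {
    id: 'auth-token-localstorage',
    severity: 'CRITICAL',
    title: 'Auth tokens stored in localStorage',
    // localStorage.setItem('<key containing token/jwt/session>', ...)
    pattern: /localStorage\s*\.\s*setItem\s*\(\s*['"`][^'"`]*(?:token|jwt|session)[^'"`]*['"`]/i,
    fix: 'Keep the session in an httpOnly, Secure, SameSite cookie set by the server.',
  },
  {
    id: 'hardcoded-key',
    severity: 'CRITICAL',
    title: 'Hardcoded API keys in frontend',
    // Stripe secret-key literals (sk_live_/sk_test_ followed by base62) in source
    pattern: /['"`]sk_(?:live|test)_[A-Za-z0-9]{8,}['"`]/,
    fix: 'Load the key from a server-side environment variable; secret keys never belong in shipped code.',
  },
  {
    id: 'webhook-no-signature',
    severity: 'CRITICAL',
    title: 'Stripe webhooks without signature verification',
    // Only files that look like webhook handlers and never call constructEvent
    applies: (path, src) => /webhook/i.test(path) && !/constructEvent\s*\(/.test(src),
    pattern: /JSON\.parse\s*\(/,
    fix: 'Pass the raw body and Stripe-Signature header to stripe.webhooks.constructEvent before trusting it.',
  },
  {
    id: 'wildcard-cors',
    severity: 'CRITICAL',
    title: 'Overly permissive CORS policy',
    pattern: /Access-Control-Allow-Origin['"`]?\s*[:,]\s*['"`]\*['"`]/,
    fix: 'Reflect only allow-listed origins; never combine "*" with credentials.',
  },
];

// Returns one finding per matching line: { id, severity, title, location: "file:line", fix }.
function scan(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    const lines = src.split('\n');
    for (const check of CHECKS) {
      if (check.applies && !check.applies(path, src)) continue;
      lines.forEach((line, i) => {
        if (check.pattern.test(line)) {
          findings.push({ id: check.id, severity: check.severity, title: check.title,
                          location: `${path}:${i + 1}`, fix: check.fix });
        }
      });
    }
  }
  return findings;
}

// Renders findings in the severity-grouped shape of the skill's report.
function formatReport(stack, findings) {
  const groups = {};
  for (const f of findings) (groups[f.severity] = groups[f.severity] || []).push(f);
  const out = ['## Ship Check Report', '', `**Stack**: ${stack}`,
               `**Checked**: ${CHECKS.length} items | **Issues**: ${findings.length} found`];
  for (const sev of ['CRITICAL', 'HIGH', 'MEDIUM']) {
    if (!groups[sev]) continue;
    out.push('', `### ${sev}`);
    for (const f of groups[sev]) out.push(`- **${f.title}** at \`${f.location}\``, `  Fix: ${f.fix}`);
  }
  return out.join('\n');
}

// Constructed sample codebase: four files with mistakes, one webhook handler that verifies correctly.
const SAMPLE_FILES = {
  'app/login.tsx': [
    'export async function onLogin(res) {',
    '  const { token } = await res.json();',
    "  localStorage.setItem('auth_token', token); // readable by any injected script",
    '}',
  ].join('\n'),
  'app/api/webhooks/stripe/route.ts': [
    'export async function POST(req) {',
    '  const event = JSON.parse(await req.text()); // body trusted without checking Stripe-Signature',
    '  return handle(event);',
    '}',
  ].join('\n'),
  'app/api/webhooks/verified/route.ts': [
    'export async function POST(req) {',
    "  const event = stripe.webhooks.constructEvent(await req.text(), req.headers.get('stripe-signature'), process.env.STRIPE_WEBHOOK_SECRET);",
    '  const meta = JSON.parse(event.data.object.metadata.raw); // fine: event is already authenticated',
    '  return handle(event, meta);',
    '}',
  ].join('\n'),
  'lib/stripe-client.ts': [
    "import Stripe from 'stripe';",
    "export const stripe = new Stripe('sk_test_51ExampleNotARealKey'); // secret key in a bundled module",
  ].join('\n'),
  'middleware.ts': [
    'export function middleware(req, res) {',
    "  res.headers.set('Access-Control-Allow-Origin', '*');",
    "  res.headers.set('Access-Control-Allow-Credentials', 'true');",
    '  return res;',
    '}',
  ].join('\n'),
};

console.log(formatReport('Next.js + Supabase + Stripe', scan(SAMPLE_FILES)));
```

The `applies` hook on the webhook check is the part worth copying: a bare `JSON.parse` grep would flag the verified handler too, so the check first confirms the file is a webhook handler and never calls `constructEvent`. Contextual gating like that is what keeps a grep-based audit from drowning real findings in false positives.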

Output

## Ship Check Report

**Stack**: Next.js + Supabase + Stripe
**Checked**: 20 items | **Issues**: 7 found

### CRITICAL
- **No rate limiting** — `app/api/generate/route.ts:14` has no rate limit middleware
  Fix: Add @upstash/ratelimit to this route

### HIGH
...

### Already Handled
- **Auth tokens** — Using httpOnly cookies via Supabase Auth

### Not Applicable
- **Admin routes** — No admin panel exists

Credits

Based on the viral thread by @Hartdrawss — 20 mistakes that mass-ship in AI-generated code.

License

MIT
