
🚦 Pre-Launch Safety Check
Check your app for the security mistakes that leak data before you launch, explained in plain English. Flags API keys and secrets sitting in your code, a committed .env file, data with no login protecting it, database tables anyone can read, debug mode left on, wide-open sharing (CORS), hardcoded admin passwords, and public storage buckets. Built for non-technical founders shipping AI-built apps: every finding tells you what is wrong, why it matters, and how to fix it.
- Detect hardcoded API keys and committed .env files before pushing to GitHub.
- Identify database tables and routes missing authentication guards.
- Ensure debug modes and permissive CORS policies are disabled for launch.
$13 · or 65 credits
Included in download
- Terminal automation included
- Ready for Cursor
Sample input
I'm about to deploy my Supabase and React app to Vercel. Can you check my code to make sure I didn't leave any doors open or leak any keys?
Sample output
⚠️ Pre-Launch Safety Report
[Critical] PLS001 - Exposed API Key
- File: src/api.js:12
- Evidence: const STRIPE_KEY = "sk_live_51M..."
- Impact: Anyone can use your Stripe account.
- Fix: Move this to an environment variable in Vercel.
[High] PLS004 - Public DB Access
- File: supabase/migrations/schema.sql
- Evidence: FOR SELECT USING (true);
- Impact: Your entire user table is readable by the public.
- Fix: Enable RLS and add a auth.uid() check.
Manual Checklist:
- [ ] Verify Vercel CORS settings limit access to your domain.
About This Skill
What it does
The Pre-Launch Safety Check is a specialized audit tool designed to catch the "silent killers" of a new product launch: leaked API keys, unprotected databases, and accidental debug modes. It performs a local, read-only scan of your codebase to identify critical security oversights before they reach production.
Why use this skill
While generic AI prompts might miss subtle configuration errors, this skill uses a structured scanner to cross-reference your code against a database of known security anti-patterns. It translates complex vulnerabilities into "founder-friendly" English, explaining exactly what the risk is and providing the specific remediation steps needed to fix it without breaking your app.
Supported checks
- Hardcoded secrets and API keys (Stripe, AWS, OpenAI, etc.).
- Committed environment variables (.env files).
- Publicly accessible database routes and missing auth guards.
- Permissive Row Level Security (RLS) and CORS configurations.
- Production deployments with debug mode enabled.
- Exposed storage buckets and default admin credentials.
The output provides a prioritized list of findings, severity levels, and a manual checklist for items that require a human eye, such as business logic flaws.
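A minimal sketch of the kind of read-only, pattern-based scan described above, limited to the two findings shown in the sample report. This is an added example, not the skill's own scanner: the rule ids and titles come from the sample output, while the regexes, the `scan` and `redact` helpers and the sample files are assumptions. It masks the matched secret in the evidence so the report does not leak the key a second time.

```python
import re

# Hypothetical rules modelled on the two findings in the sample report.
# Ids and titles come from the page; the regexes are assumptions.
RULES = [
    {"id": "PLS001", "severity": "Critical", "title": "Exposed API Key",
     "pattern": re.compile(r"""["'](sk_live_[0-9A-Za-z]{8,})["']""")},
    {"id": "PLS004", "severity": "High", "title": "Public DB Access",
     "pattern": re.compile(r"\bUSING\s*\(\s*true\s*\)", re.IGNORECASE)},
]

def redact(text, match):
    """Mask a captured secret so the report does not repeat it in full."""
    if match.groups():
        secret = match.group(1)
        return text.replace(secret, secret[:8] + "...[redacted]")
    return text

def scan(files):
    """files: {path: source text}. Returns findings, most severe first."""
    findings = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            for rule in RULES:
                m = rule["pattern"].search(line)
                if m:
                    findings.append({
                        "id": rule["id"], "severity": rule["severity"],
                        "title": rule["title"], "file": f"{path}:{lineno}",
                        "evidence": redact(line.strip(), m)})
    order = {"Critical": 0, "High": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])

# Constructed sample repo; the key values are made-up placeholders.
SAMPLE = {
    "supabase/migrations/schema.sql":
        'CREATE POLICY "read" ON users\n  FOR SELECT USING (true);\n'
        'CREATE POLICY "own" ON notes\n  FOR SELECT USING (auth.uid() = user_id);\n',
    "src/api.js":
        'const STRIPE_KEY = "sk_live_EXAMPLEEXAMPLE0000";\n'
        'const PUB_KEY = "pk_live_EXAMPLEEXAMPLE0000";\n',
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'[{f["severity"]}] {f["id"]} - {f["title"]} '
              f'({f["file"]}): {f["evidence"]}')
```

The policy scoped with `auth.uid() = user_id` and the publishable `pk_live_` key are deliberately not flagged; a line-based regex like this will still miss policies split across lines, which is why such checks are heuristic.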
Use Cases
- Detect hardcoded API keys and committed .env files before pushing to GitHub.
- Identify database tables and routes missing authentication guards.
- Ensure debug modes and permissive CORS policies are disabled for launch.
- Generate plain-English security reports for non-technical stakeholders.
Known Limitations
A plain-English pre-launch check for the most common, highest-impact mistakes. It is not a full security audit or a penetration test, and it is heuristic, so it flags likely problems and explains them rather than proving them. Have a professional review anything sensitive before you ship.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/pre-launch-safety-check -o /tmp/pre-launch-safety-check.zip && unzip -o /tmp/pre-launch-safety-check.zip -d ~/.claude/skills && rm /tmp/pre-launch-safety-check.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
Read-only. The patterns it checks load from an editable references/safety-rules.json, and every rule has a plain-language write-up in references/explanations.md. It reads no environment variables and writes nothing.
Works with any agent that can read a repo and run a local Python script (Claude Code, Cursor, Codex CLI, and other SKILL.md-compatible agents). Standard library only, no install step. Read-only, no network.
Creator
JustHandled Labs builds focused agent skills for the work nobody wants to do by hand. Each one is a single repeatable job done well: catching the security and data mistakes that quietly ship, keeping docs and tests honest, gating the commands an agent is about to run, sharpening writing, and handling the founder chores around launches, outreach, and brand setup. Not generic AI productivity. Specific workflows that are easy to run, review, and repeat. Maintained by H.J. Westerfield, with a background in communications, editing, project coordination, customer support, and practical AI systems. Tools for people who want useful automation without theatrical complexity.