Skip to content
TaskBounty

Security prompts for AI-built apps

Built it with Lovable, Bolt, Cursor, Replit, or v0? Paste these into your AI builder before you ship. They catch the launch risks AI tools most often miss. Free to copy and share.

Pre-launch security review (paste into your AI builder)

Review this app for launch readiness before real users touch it. Look for, and list (do not change anything yet):
1. Exposed secrets or API keys committed to the repo or shipped to the client bundle.
2. Authentication/authorization gaps: unprotected routes, missing server-side checks, client-only guards.
3. Missing rate limiting or abuse protection on public endpoints.
4. Unsafe direct database access from the client (e.g. service-role keys in the browser, missing row-level security).
5. Overly permissive CORS.
6. Webhook handlers that don't verify signatures.
For each finding, show the file and a minimal fix, ordered by severity. Then ask me before applying any change.

Add a least-privilege CI security workflow

Generate a GitHub Actions workflow at .github/workflows/security.yml that runs on pull_request and push to the default branch and:
- Pins every third-party action to a full commit SHA (not a tag or branch).
- Sets an explicit least-privilege top-level `permissions:` block (contents: read by default).
- Runs `npm audit --audit-level=critical` (or the equivalent for my package manager) and fails on critical advisories.
Keep it minimal and well-commented. Explain each permission you grant.

Quick "before I share it" gut check

Before I share this app publicly, list the top 5 things that could go wrong if a stranger used it (data exposure, account takeover, cost abuse, etc.), and the smallest change that fixes each. Be specific to this codebase.

Generate the TaskBounty launch check step

My repo is available locally. Walk me through running `npx taskbounty-check@latest .` before launch, then explain which findings it can verify automatically (GitHub Actions hygiene, dependency update automation) versus which risks (secrets, auth, payments, webhooks, runtime behavior) still need a manual review. Do not upload source code or workflow contents anywhere.

Want it checked for real?

The prompts above run inside your AI tool. For an independent review of your public repo's GitHub Actions and CI hygiene, run the free AI App Security Check. Private repo? Source stays on your machine with the confidential review.

Local check

Check a repo from your terminal

No network by default
npx taskbounty-check@latest .

Runs locally and checks GitHub Actions + CI hygiene. It writes a local report and does not upload source code or workflow contents.

Want it inside your workflow? Copy the Cursor, Claude, Codex, and GitHub Actions snippets.

Get your repo onto GitHub first

The public check reads a GitHub repository. Here's how each tool syncs:

  • Lovable: Click "Connect to GitHub" in your project, then push. Your repo lands at github.com/<you>/<project>.
  • Bolt: Use "Deploy → GitHub" (or export and push) to create the repo.
  • Replit: Open the Git pane → "Create a Git repo" → connect GitHub and push.
  • Cursor: You're already in a local Git repo — push it to GitHub with `git remote add origin … && git push`.
  • v0: Use "Export" → "Push to GitHub".