Stats
Actions
Tags
From vanguard-frontier-agentic
Reviews Backstage Scaffolder templates for safety: RBAC gates, input validation, blast radius, and secret exposure in outputs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vanguard-frontier-agentic:backstage-scaffolder-template-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review Backstage Scaffolder `Template` kind resources for action blast-radius, input parameter injection risk, RBAC permission gate coverage, integration secret scope, catalog entity poisoning via `catalog:register`, and plaintext secret exposure in `output:` stanzas. Backstage Scaffolder gives developers a curated UI to trigger powerful backend actions — without RBAC gates and input validation...
Review Backstage Scaffolder Template kind resources for action blast-radius, input parameter injection risk, RBAC permission gate coverage, integration secret scope, catalog entity poisoning via catalog:register, and plaintext secret exposure in output: stanzas. Backstage Scaffolder gives developers a curated UI to trigger powerful backend actions — without RBAC gates and input validation, every authenticated developer effectively has write access to whatever the Scaffolder integration credentials can reach.
steps: action that provisions real cloud infrastructure (Terraform, Crossplane CRD apply, CloudFormation deploy, kubectl apply) with no RBAC permission gate as a CRITICAL finding.publish:github.repoUrl, file-path actions, or shell-exec actions as a HIGH finding — path traversal and injection are realistic.publish:github with visibility: public as the default or without an allowedHosts constraint as a HIGH finding.output: stanzas exposing plaintext generated credentials, connection strings, or API keys in the Backstage UI as a HIGH finding.@backstage/plugin-permission-backend policies for infrastructure-provisioning templates as a HIGH finding — any authenticated Backstage user can trigger them.catalog:register accepting arbitrary user-supplied YAML without server-side entity schema validation as a MEDIUM finding — catalog poisoning overwrites ownership and lifecycle metadata.Load these only when needed:
metadata.name) and evidence levelsteps: action type and its provisioning blast radiusmaxLength, pattern, enum)output: stanza exposure assessmentnpx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agenticPerforms an automated white-box security review of Atlassian Forge apps with structured rules, static analysis, and evidence-driven reporting.
Guides selection of templating formats including Handlebars, Cookiecutter, Copier, Maven, and Harness via comparison matrix, workflows, and best practices for project scaffolding.
Blocks unsafe code before commit with secret scanning, OWASP Top 10 detection, dependency audits (npm/pip/cargo), and permission checks. Hard security gate on critical findings.