Confirm successful installation by checking the skill directory location:
.cursor/skills/security
Restart Cursor to activate security. Access via /security in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Security best practices and automated security testing for all projects.
Core Principle
Security is not optional. Every project must pass security checks before merge. Assume all input is malicious, all secrets will leak if committed, and all dependencies have vulnerabilities.
Required Security Setup
1. Gitignore (Non-Negotiable)
Every project must have these in .gitignore:
# Environment files - NEVER commit.env.env.*!.env.example# Secrets*.pem*.key*.p12*.pfxcredentials.jsonsecrets.json*-credentials.jsonservice-account*.json# IDE and OS.idea/.vscode/settings.json.DS_StoreThumbs.db# Dependenciesnode_modules/__pycache__/*.pyc.venv/venv/# Build outputsdist/build/*.egg-info/# Logs that might contain sensitive data*.loglogs/
2. Environment Variables
Create .env.example with all required vars (no values):
# .env.example - Copy to .env and fill in values# Server-side only (NEVER prefix with VITE_ or NEXT_PUBLIC_)DATABASE_URL=ANTHROPIC_API_KEY=SUPABASE_SERVICE_ROLE_KEY=# Client-side safe (public, non-sensitive)VITE_SUPABASE_URL=VITE_SUPABASE_ANON_KEY=
Frontend Environment Variables (Critical!)
NEVER put secrets in client-exposed env vars:
Framework
Client-Exposed Prefix
Server-Only
Vite
VITE_*
No prefix
Next.js
NEXT_PUBLIC_*
No prefix
Create React App
REACT_APP_*
N/A (no server)
// WRONG - Secret exposed to browser bundle!const apiKey =import.meta.env.VITE_ANTHROPIC_API_KEY;// CORRECT - Only public values client-sideconst supabaseUrl =import.meta.env.VITE_SUPABASE_URL;// CORRECT - Secrets stay server-side only// In API route or server function:const apiKey = process.env.ANTHROPIC_API_KEY;
Vercel Environment Variables:
In Vercel dashboard, secrets without VITE_ prefix are server-only
Only VITE_* vars are bundled into client code
Always verify in browser devtools β Sources β your bundle that secrets aren't exposed
# Add to dev dependenciespip install safety bandit
# Commandssafety check # Check dependencies for vulnerabilitiesbandit -r src/ # Static security analysis
Security Check Script
Create scripts/security-check.sh:
#!/bin/bashset-eecho"Running security checks..."# Check for secrets in staged filesecho"Checking for secrets..."ifcommand-v detect-secrets &> /dev/null;then detect-secrets scan --baseline .secrets.baseline
fi# Check .env is not stagedifgitdiff--cached --name-only |grep-E'^\.env$|^\.env\.'|grep-v'\.example$';thenecho"ERROR: .env file is staged for commit!"exit1fi# Check for common secret patterns in staged filesSTAGED_FILES=$(gitdiff--cached --name-only --diff-filter=ACM)ifecho"$STAGED_FILES"|xargsgrep-l-E'(password|secret|api_key|apikey|token|private_key)\s*[:=]\s*["\047][^"\047]+["\047]'2>/dev/null;thenecho"ERROR: Possible secrets found in staged files!"exit1fi# Language-specific checksif[-f"package.json"];thenecho"Checking npm dependencies..."npm audit --audit-level=high ||echo"Warning: npm audit found issues"fiif[-f"pyproject.toml"]||[-f"requirements.txt"];thenecho"Checking Python dependencies..."ifcommand-v safety &> /dev/null;then safety check ||echo"Warning: safety found issues"fifi
β
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
