Confirm successful installation by checking the skill directory location:
.cursor/skills/capacitor-security
Restart Cursor to activate capacitor-security. Access via /capacitor-security in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
# Only critical and high severitynpx capsec scan --severity high
# Specific categoriesnpx capsec scan --categories secrets,network,storage
# Exclude test filesnpx capsec scan --exclude"**/test/**,**/*.spec.ts"
Security Rules Reference
Secrets Detection (SEC)
Rule
Severity
Description
SEC001
Critical
Hardcoded API Keys & Secrets
SEC002
High
Exposed .env File
What Capsec Detects:
AWS Access Keys
Google API Keys
Firebase Keys
Stripe Keys
GitHub Tokens
JWT Secrets
Database Credentials
30+ secret patterns
Fix Example:
// BAD - Hardcoded API keyconstAPI_KEY='sk_live_abc123xyz';// GOOD - Use environment variablesimport{ Env }from'@capgo/capacitor-env';constAPI_KEY=await Env.get({ key:'API_KEY'});
Storage Security (STO)
Rule
Severity
Description
STO001
High
Unencrypted Sensitive Data in Preferences
STO002
High
localStorage Usage for Sensitive Data
STO003
Medium
SQLite Database Without Encryption
STO004
Medium
Filesystem Storage of Sensitive Data
STO005
Low
Insecure Data Caching
STO006
High
Keychain/Keystore Not Used for Credentials
Fix Example:
// BAD - Plain preferences for tokensimport{ Preferences }from'@capacitor/preferences';await Preferences.set({ key:'auth_token', value: token });// GOOD - Use secure storageimport{ NativeBiometric }from'@capgo/capacitor-native-biometric';await NativeBiometric.setCredentials({ username: email, password: token, server:'api.myapp.com',});
Network Security (NET)
Rule
Severity
Description
NET001
Critical
HTTP Cleartext Traffic
NET002
High
SSL/TLS Certificate Pinning Missing
NET003
High
Capacitor Server Cleartext Enabled
NET004
Medium
Insecure WebSocket Connection
NET005
Medium
CORS Wildcard Configuration
NET006
Medium
Insecure Deep Link Validation
NET007
Low
Capacitor HTTP Plugin Misuse
NET008
High
Sensitive Data in URL Parameters
Fix Example:
// BAD - HTTP in productionconst config: CapacitorConfig ={ server:{ cleartext:true,// Never in production!},};// GOOD - HTTPS onlyconst config: CapacitorConfig ={ server:{ cleartext:false,// Only allow specific domains allowNavigation:['https://api.myapp.com'],},};
Capacitor-Specific (CAP)
Rule
Severity
Description
CAP001
High
WebView Debug Mode Enabled
CAP002
Medium
Insecure Plugin Configuration
CAP003
Low
Verbose Logging in Production
CAP004
High
Insecure allowNavigation
CAP005
Critical
Native Bridge Exposure
CAP006
Critical
Eval Usage with User Input
CAP007
Medium
Missing Root/Jailbreak Detection
CAP008
Low
Insecure Plugin Import
CAP009
Medium
Live Update Security
CAP010
High
Insecure postMessage Handler
Fix Example:
// BAD - Debug mode in productionconst config: CapacitorConfig ={ ios:{ webContentsDebuggingEnabled:true,// Remove in production!}, android:{ webContentsDebuggingEnabled:true,// Remove in production!},};// GOOD - Only in developmentconst config: CapacitorConfig ={ ios:{ webContentsDebuggingEnabled: process.env.NODE_ENV==='development',},};
Android Security (AND)
Rule
Severity
Description
AND001
High
Android Cleartext Traffic Allowed
AND002
Medium
Android Debug Mode Enabled
AND003
Medium
Insecure Android Permissions
AND004
Low
Android Backup Allowed
AND005
High
Exported Components Without Permission
AND006
Medium
WebView JavaScript Enabled Without Safeguards
AND007
Critical
Insecure WebView addJavascriptInterface
AND008
Critical
Hardcoded Signing Key
Fix AndroidManifest.xml:
<!-- BAD --><applicationandroid:usesCleartextTraffic="true"><!-- GOOD --><applicationandroid:usesCleartextTraffic="false"android:allowBackup="false"android:networkSecurityConfig="@xml/network_security_config">
<!-- BAD - Disables ATS --><key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict><!-- GOOD - Specific exceptions only --><key>NSAppTransportSecurity</key><dict><key>NSExceptionDomains</key><dict><key>legacy-api.example.com</key><dict
β
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
