Skills fullstack-dev

🖥️

fullstack-dev

Name: fullstack-dev
Author: MiniMax-AI

Medium Risk ⚙️ External commands🌐 Network access🔑 Env variables📁 Filesystem access

Build production-ready full-stack applications

Building full-stack applications requires coordinating backend APIs, authentication, databases, and frontend integration. This skill provides a structured workflow and best practices for creating robust, production-ready applications with proper error handling and testing.

Supports: Claude Codex Code(CC)

⚠️ 61 Poor

Download the skill ZIP

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

Toggle on and start using

Test it

Using "fullstack-dev". Build a todo API with Express and React frontend

Expected outcome:

Created full-stack todo application with Express backend (JWT auth, PostgreSQL) and React frontend. Backend includes /api/todos CRUD endpoints, /api/auth/login with refresh token flow, and proper error handling. Frontend includes TodoApp component with API client wrapper that handles 401 automatic refresh.

Using "fullstack-dev". Add SSE real-time updates to existing Node.js app

Expected outcome:

Implemented Server-Sent Events in existing Express app. Created /api/events endpoint with connection management, added client-side EventSource integration, and handled reconnection with exponential backoff. Frontend displays live updates without manual refresh.

Security Audit

Medium Risk

v1 • 4/16/2026

Scanned 9 files (3841 lines). Static analyzer flagged 721 potential issues but most are false positives. All flagged patterns are in markdown documentation showing legitimate code examples for build/test commands, auth flows, and config patterns. No malicious intent found. Skill is safe for publication with standard warnings.

Files scanned

3,841

Lines analyzed

findings

Total audits

High Risk Issues (1)

SKILL.md:72-1016 references/api-design.md:1-445 references/auth-flow.md:1-166 references/db-schema.md:1-707

High Volume of Pattern Matches in Documentation

The static analyzer flagged 721 potential security issues across the skill files. Upon evaluation, the majority of these are false positives triggered by documentation patterns (markdown code blocks showing shell commands, API examples, and config patterns). The skill contains no executable malicious code - all flagged patterns appear in markdown documentation context.

Medium Risk Issues (3)

SKILL.md:72-83 SKILL.md:128-142

Shell Command Documentation

Skill contains documentation for running build/test commands (npm run build, curl tests). These are example commands for the MANDATORY WORKFLOW section, not actual command execution. The skill is a guide/reference document, not executable code.

SKILL.md:259-265 SKILL.md:716 references/environment-management.md:49

Environment Variable Documentation

Skill references environment variable patterns (process.env.DB_HOST, os.environ) for configuration best practices. This is educational content about how to properly configure applications, not credential exfiltration.

SKILL.md:433 SKILL.md:783 SKILL.md:817

Network Request Patterns in Documentation

Skill includes examples of API calls (fetch, axios patterns) and WebSocket/SSE implementations for real-time features. These are legitimate code examples for building full-stack applications.

Low Risk Issues (3)

SKILL.md:81-82 SKILL.md:422 references/api-design.md:175

Hardcoded URLs in Documentation

References to localhost URLs and example endpoints (http://localhost:3000/health) in documentation. These are standard development examples.

references/api-design.md:2-3 references/db-schema.md:3 SKILL.md:3-8

Cryptography Pattern References

Skill references cryptographic algorithms (MD5, SHA1, bcrypt, etc.) in the context of security best practices and what NOT to use. Educational content, not actual insecure implementations.

references/db-schema.md:118-141 references/testing-strategy.md:3-48

System Reconnaissance Keywords in Context

Static analyzer flagged terms like 'scan', 'probe', 'discover' in the context of database schema design and testing strategies. These are standard software engineering terms, not reconnaissance tools.

Risk Factors

⚙️ External commands (5)

SKILL.md:72-83 SKILL.md:122-142 references/api-design.md:33-424 references/auth-flow.md:9-164 references/release-checklist.md:11-229

🌐 Network access (5)

SKILL.md:81-82 SKILL.md:433 SKILL.md:729-741 SKILL.md:783-817 references/auth-flow.md:75-164

🔑 Env variables (4)

SKILL.md:259-265 SKILL.md:422 SKILL.md:716 references/environment-management.md:49

📁 Filesystem access (1)

SKILL.md:705

Detected Patterns

Heuristic: Code Execution + Network + Credential Access Combination

Audited by: claude

Quality Score

Architecture

100

Maintainability

Content

Community

Security

Spec Compliance

What You Can Build

Scaffolding a new full-stack application

When starting a new project, use the mandatory workflow to define stack, architecture, and auth strategy before writing any code. This ensures all components work together from the start.

Adding authentication to an existing API

Integrate JWT bearer flow with automatic token refresh into existing Express or Django APIs. Follow the auth middleware ordering patterns to ensure proper protection.

Implementing real-time updates

Add Server-Sent Events or WebSocket support to existing applications for live notifications, collaborative features, or dashboard updates without polling overhead.

Try These Prompts

Scaffold new full-stack project

Build a new full-stack application using {backend_stack} and {frontend_stack}. I need REST API endpoints for {resource_name} with CRUD operations, JWT authentication, and proper error handling.

Add authentication to API

Add JWT authentication to my existing {framework} API. Include login/logout endpoints, access token (15min) and refresh token (7d httpOnly cookie) flow, and middleware to protect existing routes.

Implement real-time notifications

Add real-time notifications to my application using {sse_or_websocket}. Users should receive updates when {event_type} happens without page refresh.

Design database schema

Design a database schema for {domain} with {table_count} tables. Include proper indexes for common queries, foreign key relationships, and migration scripts for {db_type}.

Best Practices

Always define architectural decisions (stack, API style, auth strategy) before writing code - document these in a decisions.json file
Implement error handling with typed error hierarchies - never expose raw error messages to clients in production
Use the mandatory verification workflow - run build checks, smoke tests, and integration tests before claiming completion

Avoid

Do not skip authentication middleware ordering - always validate JWT before checking permissions, not after
Avoid hardcoding URLs or credentials in code - use environment variables with validation at startup
Do not implement real-time features with polling when SSE or WebSocket is more appropriate - polling wastes resources

Frequently Asked Questions

What stack does this skill support?

This skill supports any backend (Express/Node.js, Django/Python, Go) and frontend (React, Vue, Next.js) combination. The principles apply universally though examples may show specific frameworks.

Does this skill include hosting or deployment?

No, this skill focuses on development patterns and code structure. For deployment, consider dedicated DevOps skills for Docker, Kubernetes, or specific cloud platforms.

How does authentication work across frontend and backend?

The skill documents JWT bearer flow with short-lived access tokens (15 minutes) and long-lived refresh tokens (7 days) stored in httpOnly cookies. The frontend API client handles automatic token refresh on 401 responses.

When should I use SSE vs WebSocket?

Use SSE for one-way server-to-client updates (notifications, live data). Use WebSocket for bidirectional communication (chat, collaborative editing, gaming). SSE is simpler and works over HTTP/2 automatically.

Does this skill cover database-specific optimization?

The skill covers general database patterns (schema design, migrations, indexing) but does not include database-specific tuning. For performance optimization, consult database-specific documentation after basic setup.

How do I test the backend and frontend together?

Use the Step 4 verification workflow: run backend build (npm run build in /server), start the server, test endpoints with curl, then verify frontend can connect via CORS and API base URL configuration.