
prisma-orm-security

Security audit specific to Prisma ORM usage, covering raw query escape hatches ($queryRaw, $executeRaw, $queryRawUnsafe), mass assignment via spreading user input into create/update, missing tenant scoping on findFirst/findMany, IDOR through Prisma query construction, schema-level access control gaps, and Prisma Accelerate/Pulse security considerations. Use this skill whenever the user mentions Prisma, prisma/client, schema.prisma, $queryRaw, the prisma.modelName.create / update / findMany pattern, or asks "audit my Prisma queries", "Prisma security review", "raw query safety", or "Prisma mass assignment". Trigger when the codebase contains @prisma/client, schema.prisma, or any `prisma.<model>` query calls.
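The three patterns the description names (spreading user input into `data`, building `where` from the record id alone, and string-built raw SQL) are easy to show side by side without a database. The following is an added example written for this page; it is not code from the skill, from the hlsitechio repository or from Prisma. Model and field names (`displayName`, `role`, `tenantId`, `Order`, `Session`) and the allowlist are assumptions, and the sample source lines are constructed. Nothing imports `@prisma/client`: the helpers build the `data` / `where` objects a handler would pass to `prisma.<model>.update(...)`, and the triage function scans source text the way the skill's inventory greps do, adding a severity so the grep output can be prioritised.

```typescript
// Added example for the prisma-orm-security page; not the skill's or Prisma's code.
// Model/field names below are assumed, and SAMPLE_SOURCE is constructed input.

type Body = Record<string, unknown>;

// Assumed allowlist of profile fields a user may change about themselves.
// role, tenantId and emailVerified are deliberately absent.
const USER_WRITABLE_FIELDS = ["displayName", "bio", "avatarUrl"] as const;
type WritableField = (typeof USER_WRITABLE_FIELDS)[number];

// Mass-assignment shape the skill greps for (`data: { ...body }`): every
// client-supplied key reaches Prisma, so a body of { role: "admin" } is written.
export function buildUpdateDataUnsafe(body: Body): Body {
  return { ...body };
}

// Hardened form: copy only allowlisted keys, never spread the raw body.
export function buildUpdateData(body: Body): Partial<Record<WritableField, unknown>> {
  const data: Partial<Record<WritableField, unknown>> = {};
  for (const field of USER_WRITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      data[field] = body[field];
    }
  }
  return data;
}

// Tenant scoping: a `where` built from the record id alone lets any caller reach
// any tenant's row (IDOR through query construction). The tenant id comes from
// the authenticated session, never from the request, and is always ANDed in.
export interface Caller { userId: string; tenantId: string }

export function buildScopedWhere(caller: Caller, id: string): { id: string; tenantId: string } {
  return { id, tenantId: caller.tenantId };
}

// Raw-query triage over source text: one finding per suspicious line.
export interface Finding { line: number; severity: "high" | "review"; reason: string }

export function triageRawQueries(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    if (/\$(queryRaw|executeRaw)Unsafe\s*\(/.test(text)) {
      // SQL assembled by interpolation or concatenation: injection if any part
      // is attacker-controlled.
      if (/\$\{|\s\+\s/.test(text)) {
        findings.push({ line, severity: "high", reason: "*Unsafe call with interpolated or concatenated SQL" });
      } else {
        findings.push({ line, severity: "review", reason: "*Unsafe variant; confirm values are passed as $1/$2 arguments, not in the string" });
      }
    } else if (/\$(queryRaw|executeRaw)\s*\(/.test(text)) {
      // Parenthesised call: a template literal is already a plain string by the
      // time Prisma sees it, so its interpolated values cannot be parameterised.
      findings.push({ line, severity: "review", reason: "not the tagged-template form; values are stringified before Prisma can parameterise them" });
    }
    // The tagged form prisma.$queryRaw`... ${x}` is parameterised and not flagged.
  });
  return findings;
}

// Constructed sample source, standing in for `grep -rn` output over src/.
export const SAMPLE_SOURCE = [
  'const rows = await prisma.$queryRaw`SELECT * FROM "User" WHERE id = ${id}`;',
  'const r2 = await prisma.$queryRawUnsafe("SELECT * FROM User WHERE email = " + email);',
  'const r3 = await prisma.$queryRawUnsafe(`SELECT * FROM Order WHERE tenant = ${tenantId}`);',
  'const r4 = await prisma.$queryRawUnsafe("SELECT * FROM User WHERE id = $1", id);',
  'await prisma.$executeRaw(`DELETE FROM Session WHERE id = ${sid}`);',
].join("\n");

// Runs the triage over the constructed sample: lines 2 and 3 are high, 4 and 5 review.
export function auditSample(): Finding[] {
  return triageRawQueries(SAMPLE_SOURCE);
}
```

The triage is a line-level heuristic meant to order review work, not to replace reading each call: a parameterised `$queryRawUnsafe("... $1", id)` is still reported for review because the function name alone cannot prove the string is constant, and a multi-line call whose interpolation sits on a later line is missed, so the inventory grep output should still be walked in full.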
hlsitechio/claude-skills-security · ★ 1 · API & Backend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Prisma ORM Security Audit

Audit Prisma ORM usage for vulnerabilities specific to its query model, raw query escape hatches, and common patterns developers get wrong.

## When this skill applies

- Reviewing code using `@prisma/client`
- Auditing `$queryRaw` / `$executeRaw` / `$queryRawUnsafe` calls
- Reviewing mass assignment patterns in `create` / `update` / `upsert`
- Checking tenant scoping across queries
- Reviewing `schema.prisma` for missing constraints or indexes that have security implications

Use other skills for: generic IDOR/BOLA patterns (`saas-security-pack/saas-code-security-review/references/idor-bola-patterns.md`), tenant isolation (`saas-security-pack/saas-tenant-isolation`), backend framework specifics (`nestjs-security`, `nodejs-express-security`, `nextjs-security`).

## Workflow

Follow `../_shared/audit-workflow.md`. Prisma-specific notes below.

### Phase 1: Stack detection

```bash
grep -E '"@prisma/client":' package.json
find . -name 'schema.prisma' -not -path '*/node_modules/*'
prisma --version 2>/dev/null
```

### Phase 2: Inventory

```bash
# Raw query usage
grep -rnE '\$queryRaw|\$executeRaw|\$queryRawUnsafe|\$executeRawUnsafe' src/

# Model accesses
grep -rnE 'prisma\.[a-zA-Z]+\.(create|update|upsert|delete|findFirst|findMany|findUnique)' src/ | head -50

# Spread patterns (mass assignment risk)
grep -rnE 'data:\s*{?\s*\.\.\.' src/ | head -30

# Transaction / interactiveTransaction
grep -rnE '\$transaction|interactiveTransaction' src/

# Soft-