security-privacylisted
Install: claude install-skill GDvega/super-android-kotlin-firebase-skill
# Purpose
Reduce real security and privacy risks in Android/Firebase apps.
# When to use
- Auditing sensitive data handling.
- Reviewing Firebase rules.
- Checking secrets, logs or permissions.
- Adding biometric or local encryption flows.
# Inputs to inspect
- Data classification and threat model.
- Rules files and storage paths.
- Logs, analytics and Crashlytics usage.
- Permissions and local storage.
# Required workflow
1. Classify data and trust boundaries.
2. Search for secrets and sensitive logs.
3. Review Firebase rules and Android permissions.
4. Propose least-privilege fixes.
5. Add tests or manual verification steps.
# Rules
- Never exfiltrate or print secrets.
- No open production rules.
- Do not rely on client-only authorization.
- Do not log PII, tokens or sensitive health/financial data.
- Use encryption only with a clear threat model.
# Related existing skills
## Local skills to invoke
- firebase-core
- firestore
- firebase-auth
- code-review-refactor
- testing
## External companion skills to use when installed
Do not assume these companion skills are installed. Prefer the local skills above first, then consult [Companion Skills](../../docs/COMPANION_SKILLS.md) for install and verification commands.
- firebase/agent-skills — use for deeper Firebase product, Firestore, Security Rules or emulator workflow guidance when installed.
# Files commonly touched
- `firestore.rules`
- `database.rules.json`
- `storage.rules`
- `AndroidManifest.xml`
- `logg