Run the Security Review before you publish

Before you go live, run the built-in Security Review from the publish flow to catch common vulnerabilities — exposed secrets, unsafe HTML, and weak input handling — in your app.

OverSkill has a built-in Security Review you can run on your app before you publish it. It checks your app for the most common security mistakes so you can fix them before real users (and their data) ever touch it.

How to run it

  1. Open your app in the editor and click Publish.
  2. In the publish panel, find Security Review and click Run Scan.
  3. Wait a few seconds — it reads through your app and reports back what it found, ranked by severity (Critical, High, Medium, Low).
  4. Review the findings and fix anything important. For most issues you can just describe the fix to the AI ("remove the hardcoded API key and load it from an environment variable") and it'll handle it.

What it looks for

The review focuses on the things that actually bite real apps:

  • Exposed secrets — API keys, tokens, or passwords accidentally left in your code.
  • Unsafe HTML / cross-site scripting (XSS) — places where untrusted content could run as code in a visitor's browser.
  • Authentication & token handling — whether sign-in tokens are stored and checked safely.
  • Input validation — forms and data that aren't checked before they're used.
  • Data-exposure risks — sensitive information that could leak through the page or logs.

The safety gate

If the review finds a critical issue, the publish flow will warn you and ask you to confirm before going live. You can still choose to publish, but the goal is to make sure a critical problem is a deliberate decision, never a surprise.
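To make the categories, the severity ranking and the gate concrete, here is an added example, not OverSkill's own scanner or code: a small constructed static check with two rules (exposed secrets, unsafe HTML), run over a few constructed lines of app source, that ranks what it finds and decides whether the publish flow would ask for confirmation.

```javascript
// Added example, not OverSkill's own scanner: constructed rules mirroring two
// review categories (exposed secrets, unsafe HTML), the severity ranking and the critical gate.
const SEVERITY_RANK = { Critical: 0, High: 1, Medium: 2, Low: 3 };
// A credential-looking identifier assigned a long quoted literal.
const SECRET_ASSIGNMENT = /\b\w*(?:key|token|secret|password)\w*\s*[:=]\s*["'`][^"'`]{16,}["'`]/i;
// innerHTML assigned anything but one plain string literal (concatenation, calls, templates) is flagged.
function isUnsafeHtmlSink(line) {
  const m = line.match(/\.innerHTML\s*=(?!=)(.*)$/);
  if (!m) return false;
  const rhs = m[1].trim().replace(/;$/, "");
  return !/^(["'])(?:(?!\1).)*\1$/.test(rhs);
}
const RULES = [
  { id: "exposed-secret", severity: "Critical", matches: (l) => SECRET_ASSIGNMENT.test(l),
    message: "Credential hardcoded in source; load it from an environment variable." },
  { id: "unsafe-html", severity: "High", matches: isUnsafeHtmlSink,
    message: "Untrusted content reaches an HTML sink; use textContent or escape it first." },
];

// Scan source line by line; findings come back ranked Critical -> Low, then by line.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.matches(line)) {
        findings.push({ line: i + 1, rule: rule.id, severity: rule.severity, message: rule.message });
      }
    }
  });
  return findings.sort((a, b) =>
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
}

// The safety gate: any Critical finding means "confirm before going live".
function needsConfirmation(findings) {
  return findings.some((f) => f.severity === "Critical");
}

// Constructed app source: lines 1 and 3 are the problems, lines 2 and 4 the fixes; line 5 is static markup.
const SAMPLE_SOURCE = [
  'const API_KEY = "sk_live_EXAMPLE_NOT_A_REAL_KEY_0123456789";',
  'const apiKey = process.env.API_KEY;',
  'card.innerHTML = "<b>" + params.get("name") + "</b>";',
  'card.textContent = params.get("name");',
  'card.innerHTML = "<b>Loading</b>";',
].join("\n");

const report = scanSource(SAMPLE_SOURCE);
report.forEach((f) => console.log(`[${f.severity}] line ${f.line}: ${f.message}`));
console.log(needsConfirmation(report) ? "Critical finding: confirm before publishing" : "No critical findings");
```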

A few things to know

  • The review is on-demand — you run it when you want, as part of publishing. It isn't a continuous, always-on scanner.
  • It's a strong first line of defense, not a guarantee. No automated review catches everything, so treat a clean result as "the common mistakes are handled", not "nothing can ever go wrong". Keep good habits: never hardcode secrets, validate input, and don't expose data you wouldn't want public.
  • Running it doesn't change or deploy anything by itself — it only reads your app and reports back.

The short version

Before you publish: open the publish panel, click Run Scan under Security Review, fix anything critical, then ship with confidence.
