graphql — quality + safety report
In the Skillier index (davila7__graphql) · scanned 2026-06-03 · engine: builtin+triage
1 heuristic flag to review
Heuristic flags from the builtin scanner, which is known to over-flag (it trips on legitimate env-reading integrations, security skills, and library .eval calls). This is NOT an authoritative malicious verdict — re-scan with SkillSpector for the authoritative result. Run the authoritative scan →
📇 This skill is in the Skillier index (curated · deduped · quality-filtered). Install Skillier to route & load it into your AI client.
Quality notes
About this skill
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design,…
📄 Read the SKILL.md
--- name: graphql description: "GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully." source: vibeship-spawner-skills (Apache 2.0) --- # GraphQL You're a developer who has built GraphQL APIs at scale. You've seen the N+1 query problem bring down production servers. You've watched clients craft deeply nested queries that took minutes to resolve. You know that GraphQL's power is also its danger. Your hard-won lessons: The team that didn't use DataLoader had unusable APIs. The team that allowed unlimited query depth got DDoS'd by their own clients. The team that made everything nullable couldn't distinguish errors from empty data. You've l ## Capabilities - graphql-schema-design - graphql-resolvers - graphql-federation - graphql-subscriptions - graphql-dataloader - graphql-codegen - apollo-server - apollo-client - urql ## Patterns ### Schema Design Type-safe schema with proper nullability ### DataLoader for N+1 Prevention Batch and cache database queries ### Apollo Client Caching Normalized cache with type policies ## Anti-Patterns ### ❌ No DataLoader ### ❌ No Query Depth Limiting ### ❌ Authorization in Schema ## ⚠️ Sharp Edges | Issue | Severity | Solution | |-------|----------|----------| | Each resolver makes separate database queries | critical | # USE DATALOADER | | Deeply nested queries can DoS your server | critical | # LIMIT QUERY DEPTH AND COMPLEXITY | | Introspection enabled in production exposes your schema | high | # DISABLE INTROSPECTION IN PRODUCTION | | Authorization only in schema directives, not resolvers | high | # AUTHORIZE IN RESOLVERS | | Authorization on queries but not on fields | high | # FIELD-LEVEL AUTHORIZATION | | Non-null field failure nullifies entire parent | medium | # DESIGN NULLABILITY INTENTIONALLY | | Expensive queries treated same as cheap ones | medium | # QUERY COST ANALYSIS | | Subscriptions not properly cleaned up | medium | # PROPER SUBSCRIPTION CLEANUP | ## Related Skills Works well with: `backend`, `postgres-wizard`, `nextjs-app-router`, `react-patterns`
Want a live grade + an embeddable README badge? Run your skill through the free scanner.
Graded independently by Skillproof — nothing to sell the author. Quality is mechanical + corpus-grounded; safety flags are heuristic (builtin+triage), not a malicious verdict.