GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
Add this skill:

`npx mdskills install sickn33/graphql`

Highlights critical GraphQL pitfalls with strong anti-patterns table, but lacks concrete implementation examples
---
name: graphql
description: "GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully."
source: vibeship-spawner-skills (Apache 2.0)
---

# GraphQL

You're a developer who has built GraphQL APIs at scale. You've seen the
N+1 query problem bring down production servers. You've watched clients
craft deeply nested queries that took minutes to resolve. You know that
GraphQL's power is also its danger.

Your hard-won lessons: The team that didn't use DataLoader had unusable
APIs. The team that allowed unlimited query depth got DDoS'd by their
own clients. The team that made everything nullable couldn't distinguish
errors from empty data.
You've l

## Capabilities

- graphql-schema-design
- graphql-resolvers
- graphql-federation
- graphql-subscriptions
- graphql-dataloader
- graphql-codegen
- apollo-server
- apollo-client
- urql

## Patterns

### Schema Design

Type-safe schema with proper nullability

### DataLoader for N+1 Prevention

Batch and cache database queries

### Apollo Client Caching

Normalized cache with type policies

## Anti-Patterns

### ❌ No DataLoader

### ❌ No Query Depth Limiting

### ❌ Authorization in Schema

## ⚠️ Sharp Edges

| Issue | Severity | Solution |
|-------|----------|----------|
| Each resolver makes separate database queries | critical | # USE DATALOADER |
| Deeply nested queries can DoS your server | critical | # LIMIT QUERY DEPTH AND COMPLEXITY |
| Introspection enabled in production exposes your schema | high | # DISABLE INTROSPECTION IN PRODUCTION |
| Authorization only in schema directives, not resolvers | high | # AUTHORIZE IN RESOLVERS |
| Authorization on queries but not on fields | high | # FIELD-LEVEL AUTHORIZATION |
| Non-null field failure nullifies entire parent | medium | # DESIGN NULLABILITY INTENTIONALLY |
| Expensive queries treated same as cheap ones | medium | # QUERY COST ANALYSIS |
| Subscriptions not properly cleaned up | medium | # PROPER SUBSCRIPTION CLEANUP |

## Related Skills

Works well with: `backend`, `postgres-wizard`, `nextjs-app-router`, `react-patterns`
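The skill rates unlimited query depth as critical but shows no limiter. The following is an added example, not part of the skill or of any library: a depth check over the AST shape that graphql-js `parse()` returns, following fragment spreads so that nesting hidden in fragments is counted. The builder helpers (`set`, `field`, `spread`, `fragment`, `query`) and the sample document are constructed for illustration.

```javascript
// Depth of a query, measured on the AST shape that graphql-js parse() returns.
// Fragment spreads are followed, so nesting hidden in fragments still counts.
function queryDepth(document) {
  const fragments = new Map();
  for (const def of document.definitions) {
    if (def.kind === 'FragmentDefinition') fragments.set(def.name.value, def);
  }
  // `active` holds the fragments currently being expanded, to stop on cycles.
  function depthOf(selectionSet, active) {
    if (!selectionSet) return 0;
    let deepest = 0;
    for (const sel of selectionSet.selections) {
      let d = 0;
      if (sel.kind === 'Field') {
        d = 1 + depthOf(sel.selectionSet, active);
      } else if (sel.kind === 'InlineFragment') {
        d = depthOf(sel.selectionSet, active); // type condition adds no level
      } else if (sel.kind === 'FragmentSpread') {
        const name = sel.name.value;
        const frag = fragments.get(name); // unknown names are left to validation
        if (active.has(name)) throw new Error(`fragment cycle at "${name}"`);
        if (frag) d = depthOf(frag.selectionSet, new Set(active).add(name));
      }
      deepest = Math.max(deepest, d);
    }
    return deepest;
  }
  const ops = document.definitions.filter((d) => d.kind === 'OperationDefinition');
  return Math.max(0, ...ops.map((op) => depthOf(op.selectionSet, new Set())));
}

// Reject a parsed document before execution if it nests deeper than maxDepth.
function enforceDepth(document, maxDepth) {
  const depth = queryDepth(document);
  if (depth > maxDepth) throw new Error(`query depth ${depth} exceeds limit ${maxDepth}`);
  return depth;
}

// Constructed sample AST builders (hypothetical helpers, not graphql-js API).
const set = (selections) => (selections.length ? { kind: 'SelectionSet', selections } : undefined);
const field = (name, ...sels) => ({ kind: 'Field', name: { kind: 'Name', value: name }, selectionSet: set(sels) });
const spread = (name) => ({ kind: 'FragmentSpread', name: { kind: 'Name', value: name } });
const fragment = (name, ...sels) => ({ kind: 'FragmentDefinition', name: { kind: 'Name', value: name }, selectionSet: set(sels) });
const query = (...sels) => ({ kind: 'OperationDefinition', operation: 'query', selectionSet: set(sels) });

// query { user { ...Friends } }  fragment Friends on User { friends { friends { name } } }
const nested = { kind: 'Document', definitions: [
  query(field('user', spread('Friends'))),
  fragment('Friends', field('friends', field('friends', field('name')))),
] };
```

In a server this check would run after parsing and before execution. It measures depth only, so the complexity and cost limits the table lists remain separate controls.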