8.9 KiB
name, description, allowed-tools, version
| name | description | allowed-tools | version |
|---|---|---|---|
| reviewing-security | Automated tooling and detection patterns for JavaScript/TypeScript security vulnerabilities. Provides scan commands, vulnerability patterns, and severity mapping—not output formatting or workflow. | Bash, Read, Grep, Glob | 1.0.0 |
Security Review Skill
Purpose
This skill provides automated security scanning commands and vulnerability detection patterns. Use this as a reference for WHAT to check and HOW to detect security issues—not for output formatting or workflow.
Automated Security Scan
Run Semgrep security analysis (if available):
bash ~/.claude/plugins/marketplaces/claude-configs/review/scripts/review-security.sh
Returns: Security issues by severity, vulnerability types (XSS, injection, etc.), file:line locations, CWE/OWASP references
Vulnerability Detection Patterns
When automated tools unavailable or for deeper analysis, use Read/Grep/Glob to detect:
Input Validation Vulnerabilities
XSS (Cross-Site Scripting):
grep -rn "innerHTML.*=\|dangerouslySetInnerHTML\|document\.write" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx"
Look for: User input assigned to innerHTML, dangerouslySetInnerHTML usage, document.write with variables
SQL Injection:
grep -rn "query.*+\|query.*\${" --include="*.ts" --include="*.js"
Look for: String concatenation in SQL queries, template literals in queries without parameterization
Command Injection:
grep -rn "exec\|spawn\|execSync\|spawnSync" --include="*.ts" --include="*.js"
Look for: User input passed to exec/spawn, unsanitized command arguments
Path Traversal:
grep -rn "readFile.*req\|readFile.*params\|\.\./" --include="*.ts" --include="*.js"
Look for: File paths from user input, ../ in file operations
Code Injection:
grep -rn "eval\|new Function\|setTimeout.*string\|setInterval.*string" --include="*.ts" --include="*.js"
Look for: eval() usage, Function constructor, string-based setTimeout/setInterval
Authentication & Authorization Issues
Hardcoded Credentials:
grep -rn "password\s*=\s*['\"][^'\"]\+['\"]" --include="*.ts" --include="*.js"
grep -rn "api_key\s*=\s*['\"][^'\"]\+['\"]" --include="*.ts" --include="*.js"
grep -rn "secret\s*=\s*['\"][^'\"]\+['\"]" --include="*.ts" --include="*.js"
grep -rn "token\s*=\s*['\"][^'\"]\+['\"]" --include="*.ts" --include="*.js"
Look for: Hardcoded passwords, API keys, secrets, tokens in source code
Weak Authentication:
grep -rn "password\.length\|minLength.*password" --include="*.ts" --include="*.js"
Look for: Weak password requirements (<8 chars), missing complexity checks
Missing Authorization:
grep -rn "router\.\(get\|post\|put\|delete\)" --include="*.ts" --include="*.js"
Look for: Routes without authentication middleware, missing role checks
JWT Issues:
grep -rn "jwt\.sign.*algorithm.*none\|jwt\.verify.*algorithms.*\[\]" --include="*.ts" --include="*.js"
Look for: JWT with "none" algorithm, missing algorithm verification
Data Exposure Issues
Sensitive Data in Logs:
grep -rn "console\.log.*password\|console\.log.*token\|console\.log.*secret" --include="*.ts" --include="*.js"
Look for: Passwords, tokens, secrets in console.log statements
Secrets in Environment Files:
grep -rn "API_KEY\|SECRET\|PASSWORD\|TOKEN" .env .env.example
Look for: Actual secrets in .env files (should be in .env.example as placeholders only)
Client-Side Secrets:
grep -rn "process\.env\." --include="*.tsx" --include="*.jsx"
Look for: Environment variables accessed in client-side React components
Verbose Error Messages:
grep -rn "error\.stack\|error\.message.*res\.send\|throw.*Error.*password" --include="*.ts" --include="*.js"
Look for: Stack traces sent to client, error messages exposing system details
Cryptography Issues
Weak Algorithms:
grep -rn "createHash.*md5\|createHash.*sha1\|crypto\.MD5\|crypto\.SHA1" --include="*.ts" --include="*.js"
Look for: MD5, SHA1 usage for security-sensitive operations
Insecure Randomness:
grep -rn "Math\.random" --include="*.ts" --include="*.js"
Look for: Math.random() for tokens, session IDs, cryptographic keys
Hardcoded Encryption Keys:
grep -rn "encrypt.*key.*=.*['\"]" --include="*.ts" --include="*.js"
Look for: Encryption keys hardcoded in source
Improper Certificate Validation:
grep -rn "rejectUnauthorized.*false\|NODE_TLS_REJECT_UNAUTHORIZED.*0" --include="*.ts" --include="*.js"
Look for: Disabled SSL/TLS certificate validation
Dependency Vulnerabilities
Check for Known Vulnerabilities:
npm audit --json
# or
yarn audit --json
Look for: Packages with known CVEs, outdated dependencies with security patches
Check Package Integrity:
grep -rn "http://registry\|--ignore-scripts" package.json
Look for: Insecure registry URLs, disabled install scripts (security bypass)
Severity Mapping
Use these criteria when classifying security findings:
| Vulnerability Type | Severity | Rationale |
|---|---|---|
| SQL injection | critical | Database compromise, data theft |
| Command injection | critical | Remote code execution |
| Hardcoded credentials in production code | critical | Unauthorized access |
| Authentication bypass | critical | Complete security failure |
| XSS with user data | high | Account takeover, data theft |
| Missing authentication on sensitive routes | high | Unauthorized access to data |
| Secrets in logs | high | Credential exposure |
| Weak cryptography (MD5/SHA1 for passwords) | high | Password cracking |
| Path traversal | high | Arbitrary file access |
| Missing authorization checks | medium | Privilege escalation risk |
| Insecure randomness (Math.random for tokens) | medium | Token prediction |
| Verbose error messages | medium | Information disclosure |
| Outdated dependencies with CVEs | medium | Known vulnerability exposure |
| Weak password requirements | medium | Brute force risk |
| Missing HTTPS enforcement | medium | Man-in-the-middle risk |
| Disabled certificate validation | medium | MITM attacks possible |
| Secrets in .env.example | nitpick | Best practice violation |
| console.log with non-sensitive data | nitpick | Production noise |
Analysis Priority
- Run automated security scan first (Semgrep if available)
- Parse scan outputs for critical/high severity issues
- Check for hardcoded secrets (grep patterns above)
- Audit authentication/authorization in routes and middleware
- Inspect input validation at API boundaries
- Review cryptography usage for weak algorithms
- Check dependencies for known vulnerabilities
- Cross-reference findings (e.g., missing auth + XSS = higher priority)
If performing comprehensive Prisma code review covering security vulnerabilities and performance anti-patterns, use the reviewing-prisma-patterns skill from prisma-6 for systematic validation.
Common Vulnerability Examples
XSS Example
// VULNERABLE
element.innerHTML = userInput;
<div dangerouslySetInnerHTML={{ __html: data }} />;
// SECURE
element.textContent = userInput;
<div>{DOMPurify.sanitize(data)}</div>;
SQL Injection Example
// VULNERABLE
db.query("SELECT * FROM users WHERE id = " + userId);
db.query(\`SELECT * FROM users WHERE email = '\${email}'\`);
// SECURE
db.query("SELECT * FROM users WHERE id = ?", [userId]);
db.query("SELECT * FROM users WHERE email = $1", [email]);
If reviewing Prisma 6 SQL injection prevention patterns, use the preventing-sql-injection skill from prisma-6 for $queryRaw guidance.
Command Injection Example
// VULNERABLE
exec(\`ping \${userInput}\`);
// SECURE
execFile('ping', [userInput]);
Insecure Randomness Example
// VULNERABLE
const sessionId = Math.random().toString(36);
// SECURE
const sessionId = crypto.randomBytes(32).toString('hex');
Integration Notes
- This skill provides detection methods and severity mapping only
- Output formatting is handled by the calling agent
- Prioritize automated Semgrep scan results over manual inspection
- Manual patterns supplement automated findings
- All findings must map to specific file:line locations