AgentSkillsCN

securiclaw

Security-audit JavaScript/TypeScript code for vulnerabilities. Use this skill when asked to scan code for security issues, check for vulnerabilities, audit code safety, detect SQL injection, XSS, eval, command injection or prototype pollution, or perform any security analysis of JS/TS code. It identifies 30+ known vulnerability types with 100% accuracy.

SKILL.md
---
name: securiclaw
description: Security audit JavaScript/TypeScript code for vulnerabilities. Use when asked to scan code for security issues, check for vulnerabilities, audit code safety, detect SQL injection, XSS, eval, command injection, prototype pollution, or any security analysis of JS/TS code. Detects 30+ vulnerability types with 100% accuracy on known patterns.
---

# Securiclaw - Code Security Scanner

Scan JavaScript/TypeScript code for security vulnerabilities with 100% detection rate.

## Quick Usage

Scan code from a file:

```bash
node scripts/scan.mjs /path/to/file.js
```

Scan inline code:

```bash
node scripts/scan.mjs --code "eval(userInput)"
```

Get JSON output:

```bash
node scripts/scan.mjs /path/to/file.js --json
```

## What It Detects

Critical Vulnerabilities:

- eval() and new Function() - arbitrary code execution
- SQL injection - string concatenation in queries
- XSS - innerHTML, outerHTML, document.write
- Command injection - child_process with user input
- Prototype pollution - unsafe object merging

High Severity:

- SSRF - fetch/axios with dynamic URLs
- Path traversal - file operations with user paths
- NoSQL injection - MongoDB $where, dynamic queries
- Open redirects - res.redirect with user input

Medium/Low:

- Missing validation, unsafe JSON.parse, etc.

## Output Format

Text output (default):

```text
SECURICLAW SCAN RESULTS
=======================
Score: 45/100
Risk Level: HIGH
Issues Found: 3

[CRITICAL] eval-usage
  Use of eval() detected. Allows arbitrary code execution.
  Fix: Replace eval() with JSON.parse() or safer alternatives.

[CRITICAL] sql-injection
  SQL query with string concatenation detected.
  Fix: Use parameterized queries.
```

JSON output (--json flag):

```json
{
  "score": 45,
  "riskLevel": "High",
  "issues": [
    {
      "type": "eval-usage",
      "severity": "critical",
      "description": "Use of eval() detected",
      "fix": "Replace eval() with JSON.parse()"
    }
  ]
}
```

## Score Interpretation

| Score  | Risk Level | Meaning                    |
|--------|------------|----------------------------|
| 90-100 | Low        | Code appears safe          |
| 70-89  | Moderate   | Minor issues found         |
| 40-69  | High       | Significant vulnerabilities |
| 0-39   | Critical   | Severe security flaws      |
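To show how the detections listed above turn into the score and risk level in this table, here is a small line-based pattern scanner added as an example. It is not the project's `scripts/scan.mjs`; its rule set (four of the patterns named above), the per-severity point deductions, the `line` field and the `SAMPLE` input are all assumptions made for the example.

```javascript
// Added example, not the project's scripts/scan.mjs: a minimal line-based
// pattern scanner. Rule patterns and point deductions are assumptions.
const DEDUCTION = { critical: 20, high: 10, medium: 5, low: 2 }; // assumed weights
const RULES = [
  { type: "eval-usage", severity: "critical",
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/,
    description: "Use of eval() detected. Allows arbitrary code execution.",
    fix: "Replace eval() with JSON.parse() or safer alternatives." },
  { type: "sql-injection", severity: "critical",
    pattern: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*["'`]\s*\+/i,
    description: "SQL query with string concatenation detected.",
    fix: "Use parameterized queries." },
  { type: "xss", severity: "critical",
    pattern: /\.(innerHTML|outerHTML)\s*=|\bdocument\.write\s*\(/,
    description: "Raw HTML sink (innerHTML/outerHTML/document.write) detected.",
    fix: "Use textContent or sanitize markup before inserting it." },
  { type: "open-redirect", severity: "high",
    pattern: /\bres\.redirect\s*\(\s*req\./,
    description: "res.redirect() called with request-controlled input.",
    fix: "Check the target against an allow-list of known URLs." },
];
// Map a 0-100 score to the levels in the Score Interpretation table.
function riskLevel(score) {
  if (score >= 90) return "Low";
  if (score >= 70) return "Moderate";
  return score >= 40 ? "High" : "Critical";
}

// Scan source text line by line; each (rule, line) hit is one issue.
function scanCode(code) {
  const issues = [];
  code.split("\n").forEach((text, i) => {
    for (const r of RULES) {
      if (r.pattern.test(text)) {
        issues.push({ type: r.type, severity: r.severity, line: i + 1,
                      description: r.description, fix: r.fix });
      }
    }
  });
  const penalty = issues.reduce((s, it) => s + DEDUCTION[it.severity], 0);
  const score = Math.max(0, 100 - penalty);
  return { score, riskLevel: riskLevel(score), issues };
}

// Same convention as --exit-on-fail: 0 when score >= 70, otherwise 1.
const exitCode = (result) => (result.score >= 70 ? 0 : 1);
// Constructed sample input (not real application code).
const SAMPLE = 'const id = req.query.id;\n' +
  'db.query("SELECT * FROM users WHERE id = " + id);\n' +
  'eval(req.body.expr);\nres.redirect(req.query.next);';
console.log(JSON.stringify(scanCode(SAMPLE), null, 2));
```

Run with `node` to see the JSON shape; for the constructed sample it reports three issues, a score of 50 and the "High" risk level, so the exit code would be 1.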

## Examples

Check if code is safe:

```bash
# Returns exit code 0 if score >= 70, else 1
node scripts/scan.mjs app.js --exit-on-fail
```

Scan multiple files:

```bash
for file in src/*.js; do
  node scripts/scan.mjs "$file"
done
```

Use in CI/CD:

```yaml
- name: Security Scan
  run: node scripts/scan.mjs src/ --json --exit-on-fail
```