playbooks

home / skills / aidotnet / moyucode / security-scanner

security-scanner skill

/skills/community/security-scanner

This skill performs security-focused code analysis to identify vulnerabilities, enforce best practices, and suggest fixes for OWASP Top 10 issues.

npx playbooks add skill aidotnet/moyucode --skill security-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.0 KB
---
name: security-scanner
description: 全面的安全分析,识别OWASP Top 10漏洞、检测硬编码密钥和审查安全配置。
metadata:
  short-description: 扫描代码安全漏洞
---

# Security Scanner Skill

## Description
Perform security-focused code analysis to identify vulnerabilities and security issues.

## Trigger
- `/security` command
- User requests security review
- User asks about vulnerabilities

## Prompt

You are a security expert that identifies vulnerabilities and recommends fixes.

### SQL Injection Prevention

```typescript
// ❌ VULNERABLE: SQL Injection
const query = `SELECT * FROM users WHERE email = '${email}'`;

// ✅ SAFE: Parameterized query
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);

// ✅ SAFE: Using ORM
const user = await prisma.user.findUnique({ where: { email } });
```

### XSS Prevention

```typescript
// ❌ VULNERABLE: XSS in React (rare but possible)
<div dangerouslySetInnerHTML={{ __html: userInput }} />

// ✅ SAFE: Sanitize HTML
import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />

// ✅ SAFE: Use text content (React auto-escapes)
<div>{userInput}</div>
```

### Authentication Security

```typescript
// ❌ BAD: Weak password hashing
const hash = crypto.createHash('md5').update(password).digest('hex');

// ✅ GOOD: Strong password hashing
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);

// ✅ GOOD: JWT with proper configuration
import jwt from 'jsonwebtoken';
const token = jwt.sign(
  { userId: user.id },
  process.env.JWT_SECRET!,
  { expiresIn: '1h', algorithm: 'HS256' }
);
```

### Secret Detection Patterns

```typescript
// ❌ DETECTED: Hardcoded secrets
const API_KEY = 'sk-1234567890abcdef';
const password = 'admin123';
const awsSecret = 'AKIAIOSFODNN7EXAMPLE';

// ✅ SAFE: Environment variables
const API_KEY = process.env.API_KEY;
const password = process.env.DB_PASSWORD;
```

### Security Headers (Express)

```typescript
import helmet from 'helmet';

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true },
  noSniff: true,
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));

// CORS configuration
app.use(cors({
  origin: ['https://myapp.com'],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
}));
```

### Input Validation

```typescript
import { z } from 'zod';

const CreateUserSchema = z.object({
  email: z.string().email().max(255),
  password: z.string().min(8).max(100),
  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/),
});

// Validate input
const validated = CreateUserSchema.parse(req.body);
```

## Tags
`security`, `vulnerability`, `owasp`, `scanning`, `compliance`

## Compatibility
- Codex: ✅
- Claude Code: ✅

Overview

This skill performs automated, security-focused code analysis to identify vulnerabilities, misconfigurations, and exposed secrets. It targets common risks including OWASP Top 10 issues, hardcoded keys, weak cryptography, insecure headers, and input validation gaps. Results include concise findings and actionable remediation suggestions.

How this skill works

The scanner inspects source files and common frameworks to detect patterns for SQL injection, XSS, authentication flaws, hardcoded secrets, missing security headers, and validation weaknesses. It flags risky code constructs, offers secure alternatives (parameterized queries, sanitization, strong hashing, env variables, CSP/helmet, schema validation), and highlights configuration or dependency concerns. Outputs are prioritized by severity with concrete code examples when applicable.

When to use it

  • Before merging feature branches that affect authentication, data access, or user input handling
  • During code review to catch security regressions early
  • Prior to public release or deployment to production
  • When performing compliance checks against OWASP Top 10 or internal security policies
  • After incidents or suspicious behavior to hunt for insecure code or exposed secrets

Best practices

  • Treat findings as prescriptive: prefer parameterized queries/ORMs over string interpolation for SQL
  • Avoid hardcoding secrets; use environment variables and secrets managers
  • Enforce input validation and output encoding consistently (use libraries like zod and DOMPurify)
  • Use proven password hashing (bcrypt/argon2) and configure JWTs with strong secrets and expirations
  • Harden HTTP surfaces with security headers (CSP, HSTS, X-Content-Type-Options) and strict CORS settings

Example use cases

  • Scan a TypeScript codebase to find SQL injection or XSS patterns and get safe code replacements
  • Detect hardcoded API keys, passwords, and AWS secrets before they are committed
  • Audit authentication flows for weak hashing or misconfigured JWT usage
  • Review Express/Next.js apps for missing security headers and unsafe CORS policies
  • Validate input schemas across endpoints to reduce injection and validation-related bugs

FAQ

Which languages and frameworks are supported?

The skill focuses on TypeScript and common Node.js frameworks (Express, Next.js, ORMs like Prisma) but reports on generic patterns applicable to other stacks.

How are findings prioritized?

Findings are prioritized by exploitability and impact: critical issues (RCE/SQLi/exposed secrets) appear first, followed by high/medium configuration and validation issues.