From security-toolkit
Scans JS/TS, Python, Go, Rust code for vulnerabilities using ESLint security, Bandit, govulncheck. Rates severity, detects OWASP/CVE patterns, suggests fixes.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-toolkit:vulnerability-scannerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Scan a codebase for common vulnerabilities:
Scan a codebase for common vulnerabilities:
# For JavaScript/TypeScript
npx eslint --plugin security .
# For Python
bandit -r . -f json
# For general patterns
grep -rn "eval\|exec\|system\|shell" --include="*.py" --include="*.js"
Detect the technology stack:
package.json (Node.js)requirements.txt or pyproject.toml (Python)go.mod (Go)Cargo.toml (Rust)JavaScript/TypeScript:
npx eslint --plugin security --ext .js,.ts,.jsx,.tsx .
Python:
pip install bandit
bandit -r . -f json -o bandit-report.json
Go:
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
Scan for dangerous patterns:
| Pattern | Risk | Languages |
|---|---|---|
eval() | Code injection | JS, Python |
exec() | Command injection | Python |
shell=True | Command injection | Python |
dangerouslySetInnerHTML | XSS | React |
| SQL string concatenation | SQL injection | All |
pickle.loads() | Deserialization | Python |
Assign severity based on:
Format findings:
## Security Scan Results
### Critical (0)
[None found]
### High (2)
1. **SQL Injection** - src/db/queries.js:45
- Pattern: String concatenation in SQL query
- Fix: Use parameterized queries
2. **XSS Vulnerability** - src/components/Comment.jsx:23
- Pattern: dangerouslySetInnerHTML with user input
- Fix: Sanitize input with DOMPurify
// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// GOOD: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
// BAD: Direct HTML insertion
element.innerHTML = userInput;
// GOOD: Text content or sanitization
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
For detailed information, see:
npx claudepluginhub p/armanzeroeight-security-toolkit-plugins-security-toolkitScan code for security vulnerabilities: OWASP Top 10, secrets, injection, crypto, and config issues. Supports full, quick, and focused scan modes with severity-based output.
Scans codebases, dependencies, and configurations for security vulnerabilities including CVEs and code flaws, generating reports with severity ratings and remediation steps.