From find-cve-agent
Detects method clobbering in JS/TS where user-controlled keys overwrite built-in methods like toString, valueOf, hasOwnProperty in parsers, causing crashes or logic bypass.
```
npx claudepluginhub byamb4/find-cve-agent
```

This skill uses the workspace's default tool permissions.
Audit CSV/form/query string parsers that create plain objects from untrusted input where the attacker can control property names (keys), not just values.
When a parser creates a plain object `{}` from user input and lets the input choose the property names, the attacker can set keys like `toString`, `valueOf` and `hasOwnProperty` to non-function values such as strings. Those own properties shadow the methods inherited from `Object.prototype`, so any code that later calls one of them on the object throws a TypeError (`obj.hasOwnProperty is not a function`).

Important: `JSON.parse` can do the same thing (`JSON.parse('{"hasOwnProperty":1}')` yields an object whose `hasOwnProperty` is a number). You MUST show why the library-specific clobbering is worse than what `JSON.parse` already enables: for example, the library turns CSV header names, form field names or query-string parameter names into keys in a place where the application author never expected attacker-chosen names. Show a REAL crash path (a consumer that actually calls the clobbered method), not just a theoretical property overwrite.
| Key | Normal Type | Effect When Clobbered |
|---|---|---|
| `toString` | Function | `obj + ""`, `String(obj)` and template literals throw TypeError: `valueOf` returns the object itself and `toString` is no longer callable, so no primitive can be produced |
| `valueOf` | Function | A direct `obj.valueOf()` call throws TypeError. Coercion such as `obj == x` or `Number(obj)` skips the non-callable `valueOf`, falls back to the inherited `toString` and yields `"[object Object]"` / `NaN` without throwing, unless `toString` is clobbered as well |
| `hasOwnProperty` | Function | `obj.hasOwnProperty(k)` throws TypeError |
| `constructor` | Function | `obj.constructor === Object` and `obj.constructor.name` checks fail or throw |
| `__proto__` | Object | Assignment goes through the inherited `__proto__` setter: an object value replaces `obj`'s prototype (attacker-injected inherited properties), a primitive is silently ignored. Nested writes that reach `Object.prototype` are covered by the prototype-pollution skill |
| `__defineGetter__` | Function | Legacy getter/setter manipulation |
| `__defineSetter__` | Function | Legacy getter/setter manipulation |
| `__lookupGetter__` | Function | Legacy getter/setter introspection |
| `toJSON` | undefined | `JSON.stringify(obj)` only invokes `toJSON` when it is callable; a string or number value is serialised as an ordinary property and does not throw. Code that calls `obj.toJSON()` directly throws TypeError |
| `then` | undefined | `await obj` and `Promise.resolve(obj)` only treat `obj` as a thenable when `then` is callable, so a string value is ignored. Duck-typed checks such as `if (obj.then)` do misclassify `obj` as a promise |
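The block below is an added example, not code from the find-cve-agent skill or from any library it audits. It implements a toy CSV row parser in the vulnerable style described above (the header line supplies the keys), a null-prototype variant, a consumer `isAdminVulnerable`/`isAdminHardened` pair, and a `probe` that runs the operations from the table against attacker-chosen header names. The parser, the consumer functions and the attacker input are constructed for illustration; `Object.hasOwn` requires Node 16.9 or later. It also reproduces the `JSON.parse` baseline the skill asks you to compare against, and the caveats that `valueOf` alone does not break coercion, that a non-callable `toJSON` is ignored by `JSON.stringify`, and that a null-prototype object removes the clobbering target but still throws for consumers that call inherited methods on it.

```javascript
// Added example, not code from the find-cve-agent skill: a toy CSV row parser in
// the vulnerable style the skill describes (first line supplies the keys), a
// hardened variant, and probes that reproduce the crash paths in the table.

// Vulnerable: attacker-controlled header names become own properties of a
// plain {} and shadow the methods inherited from Object.prototype.
function parseCsvRowVulnerable(headerLine, valueLine) {
  const keys = headerLine.split(",");
  const values = valueLine.split(",");
  const row = {};
  keys.forEach((k, i) => { row[k] = values[i]; });
  return row;
}

// Hardened: a null-prototype object has no inherited methods to shadow and no
// __proto__ setter to trigger. Consumers must then use Object.hasOwn(), because
// row.hasOwnProperty does not exist on such an object at all.
function parseCsvRowHardened(headerLine, valueLine) {
  const keys = headerLine.split(",");
  const values = valueLine.split(",");
  const row = Object.create(null);
  keys.forEach((k, i) => { row[k] = values[i]; });
  return row;
}

// Constructed attacker input (hypothetical): header names chosen to clobber
// every built-in from the table, plus a legitimate "role" column.
const ATTACKER_HEADER = "toString,valueOf,hasOwnProperty,toJSON,then,role";
const ATTACKER_VALUES = "a,b,c,d,e,admin";

// Typical consumer code. The vulnerable check throws TypeError on a clobbered
// row (an unhandled 500 inside a request handler); the hardened one does not.
function isAdminVulnerable(row) {
  return row.hasOwnProperty("role") && row.role === "admin";
}
function isAdminHardened(row) {
  return Object.hasOwn(row, "role") && row.role === "admin";
}

// Run the operations from the table against a parsed row and record, for each,
// either the result or the name of the error class that was thrown.
function probe(row) {
  const out = {};
  try { out.concat = row + ""; } catch (e) { out.concat = e.constructor.name; }
  try { out.toNumber = Number(row); } catch (e) { out.toNumber = e.constructor.name; }
  try { out.hasOwn = row.hasOwnProperty("role"); } catch (e) { out.hasOwn = e.constructor.name; }
  out.json = JSON.stringify(row);            // a non-callable toJSON is ignored
  out.looksLikePromise = Boolean(row.then);  // duck-typed check, fooled by "e"
  return out;
}

// The JSON.parse baseline the skill asks you to compare against: it produces the
// same own-property shadowing, so a finding needs a consumer that the library
// reaches and JSON.parse would not.
function jsonParseBaseline() {
  const obj = JSON.parse('{"hasOwnProperty":1,"role":"admin"}');
  try { return isAdminVulnerable(obj); } catch (e) { return e.constructor.name; }
}

function demo() {
  const v = parseCsvRowVulnerable(ATTACKER_HEADER, ATTACKER_VALUES);
  const h = parseCsvRowHardened(ATTACKER_HEADER, ATTACKER_VALUES);
  let vulnerableCheck;
  try { vulnerableCheck = isAdminVulnerable(v); } catch (e) { vulnerableCheck = e.constructor.name; }
  return {
    vulnerableCheck,                       // "TypeError"
    hardenedCheck: isAdminHardened(h),     // true
    probe: probe(v),
    baseline: jsonParseBaseline(),         // "TypeError" as well
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

When writing up a finding, `demo().probe` is the shape of evidence the skill wants: `concat`, `toNumber` and `hasOwn` show real TypeErrors, while `json` and `looksLikePromise` show that `toJSON` and `then` clobbering only bite consumers that use them in a particular way. Note that the hardened parser still yields `TypeError` for `row + ""` and `row.hasOwnProperty(...)`, so switching to `Object.create(null)` is only a complete fix when the consumers are changed to `Object.hasOwn` and explicit formatting too.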
```bash
grep -rn "\[key\]\s*=" . --include="*.js" --include="*.ts"
grep -rn "\[header\]\|\[field\]\|\[name\]\|\[prop\]" .
grep -rn "result\[\|output\[\|obj\[\|data\[\|parsed\[" .
```
Common sources of attacker-controlled keys:
```bash
grep -rn "Object\.create(null)" . # Null prototype = nothing inherited to clobber
grep -rn "hasOwnProperty\|toString\|valueOf" . | grep -i "filter\|block\|skip"
grep -rn "Object\.keys\|Map\|new Map" .
```
You MUST show one of:

- `obj.toString()` or `obj.hasOwnProperty()` called on the parsed result
- `obj.hasOwnProperty(x)` used for a security decision
- `await` or `Promise.resolve()` on the parsed object, or a duck-typed promise check such as `if (obj.then)`

```bash
# Find code that calls methods on parsed objects
grep -rn "\.toString()\|\.valueOf()\|\.hasOwnProperty(" .
grep -rn "JSON\.stringify(" . # Consults toJSON (only if callable)
grep -rn "await\|Promise\.resolve" . # Consults then (only if callable)
```