Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Performs security reviews on TypeScript/Node.js apps against OWASP Top 10, checking XSS, injection, CSRF, JWT/OAuth2 flaws, CVEs, secrets exposure. Use for audits before deployment in Express, NestJS, Next.js.
npx claudepluginhub giuseppe-trisciuoglio/developer-kit --plugin developer-kit-typescriptHow this skill is triggered — by the user, by Claude, or both
Slash command
/developer-kit-typescript:typescript-security-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security review for TypeScript/Node.js applications. Evaluates code against OWASP Top 10, framework-specific patterns, and production-readiness criteria. Findings are classified by severity (Critical, High, Medium, Low) with remediation examples. Delegates to the `typescript-security-expert` agent for deep analysis.
Runs security audits: dependency vulnerabilities (npm/pnpm/yarn/Ruby/Python), secret scanning, OWASP patterns (eval/innerHTML/SQL inj), auth reviews (CORS/rate limiting/JWT). Harden projects.
Review code systematically for security vulnerabilities using OWASP Top 10, secure coding patterns, and static analysis best practices. Use when reviewing pull requests, conducting security code reviews, or implementing secure development practices.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
Share bugs, ideas, or general feedback.
Security review for TypeScript/Node.js applications. Evaluates code against OWASP Top 10, framework-specific patterns, and production-readiness criteria. Findings are classified by severity (Critical, High, Medium, Low) with remediation examples. Delegates to the typescript-security-expert agent for deep analysis.
Identify Scope: Determine which files and modules are under review. Prioritize authentication, authorization, data handling, API endpoints, and configuration files. Use grep to find security-sensitive patterns (eval, exec, innerHTML, password handling, JWT operations).
Checkpoint: Verify at least 3 security-sensitive files/modules identified before proceeding.
Check Authentication & Authorization: Review JWT implementation (signing algorithm, expiration, refresh tokens), OAuth2/OIDC integration, session management, password hashing (bcrypt/argon2), and multi-factor authentication. Verify protected routes enforce authentication.
Checkpoint: Use grep to confirm all route handlers have auth guards or middleware applied.
Scan for Injection Vulnerabilities: Check for SQL/NoSQL injection in database queries, command injection in exec/spawn, template injection, and LDAP injection. Verify parameterized queries and input validation.
Checkpoint: Use grep to confirm all database queries use parameterization — no string concatenation with user input.
Review Input Validation: Check API inputs validated with Zod, Joi, or class-validator. Verify schema completeness — proper type constraints, length limits, format validation. Check for validation bypass paths.
Checkpoint: Verify all public API endpoints have corresponding validation schemas.
Assess XSS Prevention: Review React components for dangerouslySetInnerHTML usage, check Content Security Policy headers, verify HTML sanitization for user-generated content. See references/xss-prevention.md for detailed patterns.
Checkpoint: Use grep to confirm any dangerouslySetInnerHTML usage has sanitization via DOMPurify or equivalent.
Check Secrets Management: Scan for hardcoded credentials, API keys, secrets in source code. Verify .env files are gitignored, secrets accessed through proper management services.
Checkpoint: Run grep -r "password\|secret\|api.*key\|token" --include="*.ts" to identify potential secrets in code.
Review Dependency Security: Run npm audit or check package-lock.json for known vulnerabilities. Identify outdated dependencies with CVEs. Check for unnecessary dependencies.
Checkpoint: Verify npm audit results are reviewed and critical vulnerabilities addressed.
Evaluate Security Headers & Configuration: Check helmet.js or manual security header configuration. Review CORS policy, rate limiting, HTTPS enforcement, cookie security flags (HttpOnly, Secure, SameSite), and CSP. See references/security-headers.md for configuration examples.
Checkpoint: Use grep to confirm helmet or equivalent security headers are applied globally.
Produce Security Report: Generate structured report with severity-classified findings, remediation guidance with code examples, and security posture summary.
Feedback Loop: If Critical or High vulnerabilities found, re-scan related modules for similar patterns before finalizing. Use grep to identify if the same vulnerability pattern exists elsewhere.
// ❌ Critical: Weak JWT configuration
import jwt from 'jsonwebtoken';
const SECRET = 'mysecret123'; // Hardcoded weak secret
function generateToken(user: User) {
return jwt.sign({ id: user.id, role: user.role }, SECRET);
// Missing expiration, weak secret, no algorithm specification
}
// ✅ Secure: Proper JWT configuration
import jwt from 'jsonwebtoken';
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET || JWT_SECRET.length < 32) {
throw new Error('JWT_SECRET must be set and at least 32 characters');
}
function generateToken(user: User): string {
return jwt.sign(
{ sub: user.id }, // Minimal claims, no sensitive data
JWT_SECRET,
{
algorithm: 'HS256',
expiresIn: '15m',
issuer: 'my-app',
audience: 'my-app-client',
}
);
}
function verifyToken(token: string): JwtPayload {
return jwt.verify(token, JWT_SECRET, {
algorithms: ['HS256'], // Restrict accepted algorithms
issuer: 'my-app',
audience: 'my-app-client',
}) as JwtPayload;
}
// ❌ Critical: SQL injection vulnerability
async function findUser(email: string) {
const result = await db.query(
`SELECT * FROM users WHERE email = '${email}'`
);
return result.rows[0];
}
// ✅ Secure: Parameterized query
async function findUser(email: string) {
const result = await db.query(
'SELECT id, name, email FROM users WHERE email = $1',
[email]
);
return result.rows[0];
}
// ✅ Secure: ORM with type-safe queries (Drizzle example)
async function findUser(email: string) {
return db.select({
id: users.id,
name: users.name,
email: users.email,
})
.from(users)
.where(eq(users.email, email))
.limit(1);
}
See references/xss-prevention.md for XSS patterns and references/security-headers.md for security headers configuration.
Structure all security review findings as follows:
Overall security assessment score (1-10) with key observations and risk level.
Issues that can be exploited to compromise the system, steal data, or cause unauthorized access.
Security misconfigurations, missing protections, or vulnerabilities requiring near-term remediation.
Issues that reduce security posture but have mitigating factors or limited exploitability.
Security improvements, hardening recommendations, and defense-in-depth enhancements.
Well-implemented security patterns and practices to acknowledge.
Prioritized action items with code examples for the most critical fixes.
HttpOnly, Secure, SameSite=Strictnpm audit in CI pipelines to catch dependency vulnerabilitiesSee the references/ directory for detailed security documentation:
references/owasp-typescript.md — OWASP Top 10 mapped to TypeScript/Node.js patternsreferences/common-vulnerabilities.md — Common vulnerability patterns and remediationreferences/dependency-security.md — Dependency scanning and supply chain securityreferences/xss-prevention.md — XSS prevention patterns for React and server-sidereferences/security-headers.md — Security headers and CORS configuration examplesreferences/input-validation.md — Input validation patterns with Zod and class-validator