From vanguard-frontier-agentic
Statically reviews Vue Router navigation guards, redirect flows, and template bindings for client-side authorization bypass, open redirects, XSS, redirect loops, and route misconfiguration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vanguard-frontier-agentic:vue-router-navigation-security-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review Vue Router navigation guards, redirect flows, dynamic link bindings, and route
Review Vue Router navigation guards, redirect flows, dynamic link bindings, and route
configuration for the security-critical defect classes specific to client-side routing as a
security surface — not general route-tree architecture, not component design, and not the
state-store or SSR-hydration concerns owned by sibling skills. This skill exists to keep the
review anchored to five documented defect classes: (a) a beforeEach/beforeEnter guard used
as the sole authorization boundary with no server-side enforcement behind it, (b) open redirect
via route.query.redirect/returnUrl passed unvalidated into router.push()/
window.location, (c) javascript:/data: scheme injection via a dynamic :to/:href
binding, (d) route.params/route.query interpolated into v-html/innerHTML (reflected XSS
through the router), and (e) next(unvalidatedPath)/guard-returned redirects creating loops or
bypasses, overly-broad catch-all routes, and history-mode server misconfiguration. It does not
re-litigate general route-tree/code-splitting architecture, Pinia/Vuex store security, or SSR
cross-request pollution in every response.
Use this skill when the user asks to:
router.beforeEach/beforeEnter guard (or a Nuxt definePageMeta/route-middleware
equivalent) that gates access to a route,<router-link :to="..."> or dynamic :href binding is safe from scheme
injection,route.params/route.query reaching a v-html or .innerHTML sink is
exploitable,history-mode
server-fallback exposure,Do not use this skill for:
routing-navigation-review instead (and note it targets React
Router/Next.js, not Vue Router),vue-state-store-security-review instead,v-html/dynamic-URL injection
unrelated to router data — use vue-ssr-security-review instead; this skill's injection scope
is specifically route.params/route.query reaching a sink, not every v-html in the app,frontend-auth-session-security-review instead; this skill covers
only the router-mediated open-redirect mechanism (route.query.redirect/returnUrl), not
session/token architecture generally,resolve-library-id (matched result: /vuejs/router,
Vue Router's own source-and-docs repository) before citing any guard-mechanism, redirect-API,
or dynamic-matching claim.query-docs against /vuejs/router to corroborate: navigation-guard return semantics
(beforeEach/beforeEnter returning false/a location/undefined, and the legacy next
argument's call-exactly-once contract), the documented to.name !== 'Login' self-exclusion
pattern, redirect function shapes (redirect: to => ({ path, query })), route.params/
route.query exposure with no built-in escaping, router.push's acceptance of bare string
paths, createWebHistory()'s server-fallback requirement, and the /:pathMatch(.*)*
catch-all pattern. These are all repo evidence claims — cite the specific guide file
(navigation-guards, redirect-and-alias, dynamic-matching, history-mode) alongside the claim.inference, grounded in general server-side-enforcement security practice
(documentation-based via OWASP), layered on the repo evidence fact that guards are
browser-executed callbacks.v-html bypasses Vue's default template auto-escaping is general Vue
template-compiler behavior, not a Vue-Router API — ground it in the Vue security guide
(documentation-based, listed in this skill's official_docs), not in /vuejs/router.package.json first to confirm the Vue Router major version in use — guard signatures
(return-value guards vs. the legacy next third argument), redirect object shape, and
catch-all syntax (/:pathMatch(.*)* in v4 vs. legacy * in v3) differ across majors; do not
apply v4 API names to a v3 codebase or vice versa.official_docs URLs in this skill's
metadata.json and label the claim documentation-based, unverified against current release.beforeEach/beforeEnter guard exists" by itself. The finding requires the
absence of confirmed server-side enforcement on the endpoint the protected route depends on
— look for evidence (a 401/403 check, a BFF layer, an API contract note) before concluding
it's missing, and state explicitly what you found or didn't find.http:/https:/mailto:) for dynamic link bindings.v-html/.innerHTML sink fed by route.params/route.query unless a named
sanitizer call is visibly present on that exact traced path — a sanitizer existing elsewhere
in the codebase does not clear this bar.to.name !== 'Login' or equivalent). Its absence is a HIGH redirect-loop finding, not
a style nit — Vue Router's docs treat it as required.routes array in registration order before clearing a catch-all route; a
broad/catch-all pattern registered before a route that should require auth can shadow it.Load these only when needed:
beforeEach/beforeEnter guard, a guard-returned redirect, a
catch-all route, or history-mode configuration.:to/:href binding, or a
v-html/innerHTML sink fed by route.params/route.query.Return, at minimum:
v-html/
innerHTML sink(s) in scope,client-guard-as-sole-authz / open-redirect / scheme-injection / reflected-xss /
redirect-loop / catch-all-misconfig / history-mode-server-misconfig), the concrete
data-flow trace (the guard-to-endpoint gap, or the full origin-to-sink path naming every hop),
and a fix sketch matching Vue Router's documented pattern,repo evidence, documentation-based, or inference), with
structural-risk findings explicitly labeled as structural risk, not confirmed-exploited,npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agenticReviews route-tree structure, data-fetching placement, code-splitting boundaries, and navigation accessibility in React Router and Next.js apps. Useful for authorization audits, deep-link fixes, and focus-management conformance.
Provides Vue Router 4 best practices for navigation guards, route params, lifecycle interactions, and gotchas like infinite loops, stale data, and deprecated next(). Useful for Vue SPAs with routing issues.
Provides Vue Router 4 best practices for navigation guards, route params, lifecycle interactions, and gotchas like infinite loops, stale data, and deprecated next(). Useful for Vue SPAs with routing issues.