Skill

analyzing-security

Scans code for security vulnerabilities including injection, XSS, sensitive data leaks, and weak crypto. Outputs severity-graded findings and requires fixes for Critical/High issues.

Python

Javascript

security

npx claudepluginhub telagod/code-abyss --plugin code-abyss

Popularity

Stars

209

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/code-abyss:analyzing-security <扫描路径>

Not user invocable

Model invocable

Inline context

Default effort

Argument hint<扫描路径>

Tool Access

This skill is limited to the following tools:

BashReadGrep

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

```bash

Supporting Files

agents/openai.yamlscripts/security_scanner.js

SKILL.md

59 lines · ~429 tokens

Similar Skills

scan

Scans code for security vulnerabilities like auth bypass, injection, IDOR, mass assignment, race conditions, secrets, and insecure defaults. Audits Node.js/Python dependencies.

1 file5 tools

universe

code-security

Security audit workflow with dependency scanning, code review checklist, and vulnerability remediation. Covers injection, auth, data protection, and dependency checks.

3 files

python

verify-code

Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.

mcp-security-review

Stats

LanguageJavaScript

Stars209

Forks29

MaintenanceExcellent

Last CommitMay 16, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

安全校验关卡

命令

node scripts/security_scanner.js <路径> node scripts/security_scanner.js <路径> -v # 详细 node scripts/security_scanner.js <路径> --json # JSON node scripts/security_scanner.js <路径> --exclude vendor

检测矩阵

类别

检测项

严重度

注入

SQL/命令/代码注入

Critical

敏感信息

硬编码密钥、AWS Key、私钥

Critical

XSS

innerHTML、dangerouslySetInnerHTML

High

反序列化

pickle.loads、yaml.load

High

路径遍历

未验证文件路径操作

High

SSRF

未验证 URL 请求

High

弱加密

MD5/SHA1 用于安全场景

Medium

不安全随机

random 用于安全场景

Medium

调试残留

debugger、pdb.set_trace、breakpoint

Low

危险模式速查

# 危险: eval(), exec(), os.system(), subprocess(shell=True), pickle.loads(), yaml.load(), f"SELECT...{id}" # 安全: ast.literal_eval(), subprocess([...], shell=False), yaml.safe_load(), cursor.execute("...%s", (id,))

// 危险: eval(), innerHTML, document.write(), new Function(userInput) // 安全: JSON.parse(), textContent, 模板引擎自动转义

// 危险: exec.Command("sh", "-c", userInput), template.HTML(userInput) // 安全: exec.Command("cmd", args...), html/template 自动转义

触发条件

新建模块 | 安全相关变更 | 攻防任务 | 重构完成 | 提交前

输出规则

Critical/High 必修后方可交付。安全决策须于 DESIGN.md 记录：威胁模型、信任边界、已知风险。

安全校验关卡

命令

node scripts/security_scanner.js <路径>
node scripts/security_scanner.js <路径> -v           # 详细
node scripts/security_scanner.js <路径> --json       # JSON
node scripts/security_scanner.js <路径> --exclude vendor

检测矩阵

类别	检测项	严重度
注入	SQL/命令/代码注入	Critical
敏感信息	硬编码密钥、AWS Key、私钥	Critical
XSS	innerHTML、dangerouslySetInnerHTML	High
反序列化	pickle.loads、yaml.load	High
路径遍历	未验证文件路径操作	High
SSRF	未验证 URL 请求	High
弱加密	MD5/SHA1 用于安全场景	Medium
不安全随机	random 用于安全场景	Medium
调试残留	debugger、pdb.set_trace、breakpoint	Low

危险模式速查

# 危险: eval(), exec(), os.system(), subprocess(shell=True), pickle.loads(), yaml.load(), f"SELECT...{id}"
# 安全: ast.literal_eval(), subprocess([...], shell=False), yaml.safe_load(), cursor.execute("...%s", (id,))

// 危险: eval(), innerHTML, document.write(), new Function(userInput)
// 安全: JSON.parse(), textContent, 模板引擎自动转义

// 危险: exec.Command("sh", "-c", userInput), template.HTML(userInput)
// 安全: exec.Command("cmd", args...), html/template 自动转义

触发条件

新建模块 | 安全相关变更 | 攻防任务 | 重构完成 | 提交前

输出规则

Critical/High 必修后方可交付。安全决策须于 DESIGN.md 记录：威胁模型、信任边界、已知风险。