Node.js Security Audit
v1.0.0
Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The name and description (Node.js security audit, OWASP checks, CORS, XSS, path traversal, hardcoded secrets, headers, rate limiting, etc.) align with the SKILL.md content. All recommended checks and code snippets are relevant to a source-level security review, and nothing in the metadata asks for unrelated credentials or tools.
Instruction Scope
The SKILL.md is limited to static/source checks (grep patterns, code snippets, heuristics) and a report template. It assumes access to the project source tree and instructs running grep and reviewing code. Caution: the provided grep patterns and a suggestion to call process.exit(1) are prescriptive and may cause outages if applied blindly (e.g., enforcing process.env.SECRET at runtime). The document does not instruct exfiltration or network scanning or sending data to external endpoints.
Install Mechanism
No install spec or code files — instruction-only. This is lowest-risk from an installation/execution perspective.
Credentials
The skill requests no environment variables or credentials. It references process.env in example fixes (encouraging use of env vars for secrets), which is appropriate and proportional for the stated purpose.
Persistence & Privilege
always is false and there is no request for persistent or elevated platform presence. Autonomous invocation is allowed by default but not combined with other red flags.
Scan Findings in Context
[no-findings] expected: The regex-based scanner had no code files to analyze because this is an instruction-only skill; absence of findings is expected and not evidence of safety.
Assessment
This skill is a coherent checklist and safe to inspect or use as guidance, but treat it as advisory rather than an automated tool. Before running commands: (1) run grep/heuristics from the project repository root to avoid scanning unrelated directories; (2) review any suggested runtime changes (e.g., exiting if a SECRET is missing) — they can cause outages if applied without testing; (3) expect false positives from simple grep patterns and complement this checklist with established tools (npm audit, Snyk/OSS scanners, semgrep for code patterns, and OWASP ZAP for dynamic testing). If you will let an agent run these checks automatically, run them in a sandbox or CI environment rather than directly against production systems.
Tags: audit, latest, nodejs, owasp, security
