Node.js Security Audit
Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (high confidence)

Purpose & Capability
The name/description (Node.js security audit, OWASP checks, CORS, XSS, path traversal, hardcoded secrets, headers, rate-limiting, etc.) align with the SKILL.md content. All recommended checks and code snippets are relevant to a source-level security review and nothing in the metadata asks for unrelated credentials or tools.
Instruction Scope
The SKILL.md is limited to static/source checks (grep patterns, code snippets, heuristics) and a report template. It assumes access to the project source tree and instructs running grep and reviewing code. Caution: the provided grep patterns and a suggestion to call process.exit(1) are prescriptive and may cause outages if applied blindly (e.g., enforcing process.env.SECRET at runtime). The document does not instruct exfiltration or network scanning or sending data to external endpoints.
Install Mechanism
No install spec or code files — instruction-only. This is lowest-risk from an installation/execution perspective.
Credentials
The skill requests no environment variables or credentials. It references process.env in example fixes (encouraging use of env vars for secrets), which is appropriate and proportional for the stated purpose.
Persistence & Privilege
always is false and there is no request for persistent or elevated platform presence. Autonomous invocation is allowed by default but not combined with other red flags.
Scan Findings in Context
[no-findings] expected: The regex-based scanner had no code files to analyze because this is an instruction-only skill; absence of findings is expected and not evidence of safety.
Assessment
This skill is a coherent checklist and safe to inspect or use as guidance, but treat it as advisory rather than an automated tool. Before running commands: (1) run grep/heuristics from the project repository root to avoid scanning unrelated directories; (2) review any suggested runtime changes (e.g., exiting if a SECRET is missing) — they can cause outages if applied without testing; (3) expect false positives from simple grep patterns and complement this checklist with established tools (npm audit, Snyk/OSS scanners, semgrep for code patterns, and OWASP ZAP for dynamic testing). If you will let an agent run these checks automatically, run them in a sandbox or CI environment rather than directly against production systems.

Current version: v1.0.0
Tags: audit, latest, nodejs, owasp, security
SKILL.md

# Node.js Security Audit

Structured security audit for Node.js HTTP servers and web applications.

## Audit Checklist

### Critical (Must Fix Before Deploy)

#### Hardcoded Secrets

- Search for: API keys, passwords, tokens in source code
- Pattern:
  ```bash
  grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"
  ```
- Fix: Move to env vars, fail if missing:
  ```js
  // check once at process startup, not inside a request handler
  if (!process.env.SECRET) process.exit(1);
  ```

#### XSS in Dynamic Content

- Search for: `innerHTML`, template literals injected into DOM, unsanitized user input in responses
- Fix: Use `textContent`, or escape the five HTML-significant characters:
  ```js
  str.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]))
  ```
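The escaper from the fix above alongside the vulnerable and hardened rendering it protects, plus a line-level heuristic for the sinks the checklist tells the auditor to grep for. This is an added example, not code from the SKILL.md; the function names, `SINK_PATTERNS`, and the demo payload are constructed for illustration.

```javascript
// Added example (not part of the SKILL.md). Names and sample input are constructed.

// Escape the five characters that change meaning inside HTML text and
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: `name` comes from the request (query string, JSON body, ...)
// and lands in the markup unchanged.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: escape at the exact point the value enters the HTML.
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Heuristic sink finder for the audit report: returns 1-based line numbers of
// innerHTML/outerHTML assignments, insertAdjacentHTML and document.write calls.
// It is a grep, not a parser, so expect false positives and review each hit.
const SINK_PATTERNS = [
  /\.(inner|outer)HTML\s*\+?=/,
  /\bdocument\.write(ln)?\s*\(/,
  /\binsertAdjacentHTML\s*\(/,
];
function findRiskySinks(source) {
  return source.split('\n').flatMap((line, i) =>
    SINK_PATTERNS.some((re) => re.test(line)) ? [i + 1] : []);
}

// Constructed demo input: markup that would execute if it were not escaped.
const DEMO_NAME = '<script>alert(1)</script>';
// renderGreetingUnsafe(DEMO_NAME) -> script-bearing markup
// renderGreeting(DEMO_NAME)       -> inert text
```

Run `findRiskySinks` over each source file and list the hits under the XSS heading of the report; every hit still needs a manual look at where the assigned value comes from.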
#### SQL/NoSQL Injection

- Search for: String concatenation in queries, `eval()`, `Function()` with user input
- Fix: Parameterized queries, input validation

### High (Should Fix)

#### CORS Misconfiguration

- Search for: `Access-Control-Allow-Origin: *`
- Fix: Allowlist specific origins:
  ```js
  // ALLOWED is a Set of permitted origins; an unknown origin is answered with the
  // first allowed entry, which the browser will not match against its own origin
  const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().value;
  ```
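An allowlisting variant of the fix above, added here as an example (not the SKILL.md's code): instead of falling back to the first allowed origin, it sends no `Access-Control-Allow-Origin` at all for unrecognised origins, adds `Vary: Origin` so caches do not reuse one origin's answer for another, and handles the preflight. `ALLOWED_ORIGINS`, `corsHeadersFor` and `handleCors` are constructed names.

```javascript
// Added example (not part of the SKILL.md). ALLOWED_ORIGINS is a constructed value.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Compute the CORS response headers for one request.
// `origin` is req.headers.origin (undefined for same-origin and non-browser calls).
function corsHeadersFor(origin, { allowed = ALLOWED_ORIGINS, credentials = false } = {}) {
  // Exact match only. A startsWith/includes check would let
  // "https://app.example.com.evil.example" through.
  if (!origin || !allowed.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The answer depends on Origin; without Vary a shared cache could serve it
    // to a request from a different origin.
    'Vary': 'Origin',
  };
  // "*" cannot be combined with credentials, which is why the echoed-origin form
  // is needed once cookies or an Authorization header must cross origins.
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Apply the headers to a response. For a preflight (OPTIONS) also announce the
// accepted methods/headers and finish with 204; returns true when the request
// has been fully handled and the route handler must not run.
function handleCors(req, res, opts) {
  const headers = corsHeadersFor(req.headers.origin, opts);
  for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') {
    if (headers['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
      res.setHeader('Access-Control-Max-Age', '600');
    }
    res.writeHead(204).end();
    return true;
  }
  return false;
}

// Usage inside an http.createServer handler:
//   if (handleCors(req, res)) return;
```

When auditing, also check that `Access-Control-Allow-Origin` is not simply set to whatever `req.headers.origin` contains: reflecting the origin without an allowlist is equivalent to `*` with credentials enabled.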
#### Auth Bypass

- Check: Every route that should require auth actually checks it
- Common miss: Static file routes, agent/webhook endpoints, health checks that expose data

#### Path Traversal

- Check: `path.normalize()` + `startsWith(allowedDir)` on all file-serving routes
- Extra: Resolve symlinks with `fs.realpathSync()` and re-check
### Medium (Recommended)

#### Security Headers

```js
const HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses
```

#### Rate Limiting

```js
const attempts = new Map(); // ip -> { count, resetAt }
const LIMIT = 5, WINDOW = 60000; // 5 attempts per 60 s, fixed window
function isLimited(ip) {
  const now = Date.now(), e = attempts.get(ip);
  // first request from this ip, or its window has expired: start a new window
  if (!e || now > e.resetAt) { attempts.set(ip, { count: 1, resetAt: now + WINDOW }); return false; }
  return ++e.count > LIMIT;
}
```

#### Input Validation

- Body size limits:
  ```js
  if (bodySize > 1048576) { req.destroy(); return; }
  ```
- JSON parse in try/catch
- Type checking on expected fields
### Low (Consider)

- Dependency Audit: `npm audit`
- Error Leakage: Don't send stack traces to clients in production
- Cookie Security: `HttpOnly; Secure; SameSite=Strict`

## Report Format

```markdown
## Security Audit: [filename]
### Critical
1. **[Category]** Description — File:Line — Fix: ...
### High
...
### Medium
...
### Low
...
### Summary
X critical, X high, X medium, X low
```