
Node.js Security Audit

by npfaerber · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
736 downloads · 0 stars · 4 active installs · 1 version
Install in OpenClaw: /install nodejs-security-audit
Description
Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing...
README (SKILL.md)

Node.js Security Audit

Structured security audit for Node.js HTTP servers and web applications.

Audit Checklist

Critical (Must Fix Before Deploy)

Hardcoded Secrets

  • Search for: API keys, passwords, tokens in source code
  • Pattern: grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"
  • Fix: Move to env vars, fail if missing: if (!process.env.SECRET) process.exit(1);

XSS in Dynamic Content

  • Search for: innerHTML, template literals injected into DOM, unsanitized user input in responses
  • Fix: Use textContent, or escape: str.replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]))

SQL/NoSQL Injection

  • Search for: String concatenation in queries, eval(), Function() with user input
  • Fix: Parameterized queries, input validation

High (Should Fix)

CORS Misconfiguration

  • Search for: Access-Control-Allow-Origin: *
  • Fix: Allowlist specific origins: const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().value

Auth Bypass

  • Check: Every route that should require auth actually checks it
  • Common miss: Static file routes, agent/webhook endpoints, health checks that expose data

Path Traversal

  • Check: path.normalize() + startsWith(allowedDir) on all file-serving routes
  • Extra: Resolve symlinks with fs.realpathSync() and re-check

Medium (Recommended)

Security Headers

```javascript
const HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses
```

Rate Limiting

```javascript
const attempts = new Map(); // ip -> { count, resetAt }; expired entries are never evicted, so prune periodically in long-running processes
const LIMIT = 5, WINDOW = 60000; // 5 attempts per 60 s window
function isLimited(ip) {
  const now = Date.now(), e = attempts.get(ip);
  // First request, or window expired: start a fresh window for this ip
  if (!e || now > e.resetAt) { attempts.set(ip, {count:1, resetAt:now+WINDOW}); return false; }
  return ++e.count > LIMIT;
}
```

Input Validation

  • Body size limits: if (bodySize > 1048576) { req.destroy(); return; }
  • JSON parse in try/catch
  • Type checking on expected fields

Low (Consider)

  • Dependency Audit: npm audit
  • Error Leakage: Don't send stack traces to clients in production
  • Cookie Security: HttpOnly; Secure; SameSite=Strict

Report Format

## Security Audit: [filename]

### Critical
1. **[Category]** Description — File:Line — Fix: ...

### High
...

### Medium
...

### Low
...

### Summary
X critical, X high, X medium, X low
Usage Guidance
This skill is a coherent checklist and safe to inspect or use as guidance, but treat it as advisory rather than an automated tool. Before running commands: (1) run grep/heuristics from the project repository root to avoid scanning unrelated directories; (2) review any suggested runtime changes (e.g., exiting if a SECRET is missing) — they can cause outages if applied without testing; (3) expect false positives from simple grep patterns and complement this checklist with established tools (npm audit, Snyk/OSS scanners, semgrep for code patterns, and OWASP ZAP for dynamic testing). If you will let an agent run these checks automatically, run them in a sandbox or CI environment rather than directly against production systems.
Capability Analysis
Type: OpenClaw Skill
Name: nodejs-security-audit
Version: 1.0.0
The skill bundle defines a Node.js security audit process, providing a checklist and remediation advice for common vulnerabilities like hardcoded secrets, XSS, SQL injection, and CORS misconfigurations. The `SKILL.md` file instructs the AI agent to search for specific patterns using tools like `grep`, which is a standard practice for code auditing. There is no evidence of malicious intent, data exfiltration, unauthorized command execution beyond the stated auditing purpose, or prompt injection designed to subvert the agent for harmful activities. The `grep` command is used to *find* secrets, not to steal or exfiltrate them, and even includes exclusions for legitimate environment variable usage.
Capability Assessment
Purpose & Capability
The name/description (Node.js security audit, OWASP checks, CORS, XSS, path traversal, hardcoded secrets, headers, rate-limiting, etc.) align with the SKILL.md content. All recommended checks and code snippets are relevant to a source-level security review and nothing in the metadata asks for unrelated credentials or tools.
Instruction Scope
The SKILL.md is limited to static/source checks (grep patterns, code snippets, heuristics) and a report template. It assumes access to the project source tree and instructs running grep and reviewing code. Caution: the provided grep patterns and a suggestion to call process.exit(1) are prescriptive and may cause outages if applied blindly (e.g., enforcing process.env.SECRET at runtime). The document does not instruct exfiltration or network scanning or sending data to external endpoints.
Install Mechanism
No install spec or code files — instruction-only. This is lowest-risk from an installation/execution perspective.
Credentials
The skill requests no environment variables or credentials. It references process.env in example fixes (encouraging use of env vars for secrets), which is appropriate and proportional for the stated purpose.
Persistence & Privilege
The `always` flag is false and there is no request for persistent or elevated platform presence. Autonomous invocation is allowed by default but not combined with other red flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nodejs-security-audit
  3. After installation, invoke the skill by name or use /nodejs-security-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of nodejs-security-audit.
- Audits Node.js HTTP servers for common vulnerabilities including OWASP Top 10 risks.
- Checks for hardcoded secrets, XSS, SQL/NoSQL injection, CORS issues, auth bypass, and path traversal.
- Verifies presence of security headers, rate limiting, and input validation.
- Includes guidance for dependency audits, error leakage prevention, and cookie security.
- Provides a structured checklist and example report format for audits.
Metadata
Slug nodejs-security-audit
Version 1.0.0
License
All-time Installs 4
Active Installs 4
Total Versions 1
Frequently Asked Questions

What is Node.js Security Audit?

Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing... It is an AI Agent Skill for Claude Code / OpenClaw, with 736 downloads so far.

How do I install Node.js Security Audit?

Run "/install nodejs-security-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Node.js Security Audit free?

Yes, Node.js Security Audit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Node.js Security Audit support?

Node.js Security Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Node.js Security Audit?

It is built and maintained by npfaerber (@npfaerber); the current version is v1.0.0.
