bovinphang

Frontend Security Review

by Bovin Phang · GitHub ↗ · v2.4.0 · MIT-0
cross-platform ✓ Security Clean
49
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install fec-security-review
Description
Use when reviewing frontend security risks such as XSS, CSRF, sensitive data exposure, unsafe DOM APIs, untrusted user input, authentication/token handling,...
README (SKILL.md)

Frontend Security Review

Purpose

Identify client-side security risks in frontend code and provide actionable remediation recommendations.

Procedure

  1. First confirm the review surface: user input, dynamic HTML, URL redirects, authentication state, RBAC, file upload, sensitive operations such as payment or deletion, third-party scripts and dependencies.
  2. Search for high-risk patterns: dangerouslySetInnerHTML, v-html, innerHTML, document.write, dynamically created script elements, unvalidated redirects, plaintext tokens.
  3. Review by risk type: XSS, CSP, sensitive data, CSRF, dependencies, input validation, file upload, open redirects, authentication/authorization and third-party scripts.
  4. Use the trust-boundary model to assign responsibility: the client can only improve the user experience and reduce misuse; authentication, authorization, trust in uploads and sensitive operations must be decided finally by the server.
  5. Mark high-risk issues as blocking the merge; frontend validation only improves the user experience and must not be the sole security boundary.
  6. Output a graded security report; see references/report-template.md for the report format.
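A small scanner that carries out the pattern search of step 2 and the grading and merge-blocking rule of steps 5 and 6 over constructed source files, added here as an illustration and not part of the skill's own files; the rule ids, severities, fix text and sample files are this example's own assumptions:

```javascript
// Added illustration (not from the skill): scan constructed source lines for the
// high-risk patterns named in step 2 and grade each hit for the step 6 report.
// Rule ids, severities and fixes are this example's own assumptions.
const RULES = [
  { id: "react-dangerous-html", re: /dangerouslySetInnerHTML/, severity: "HIGH",
    fix: "Sanitize with a trusted HTML sanitizer, or render as text." },
  { id: "vue-v-html", re: /\bv-html\b/, severity: "HIGH",
    fix: "Prefer text interpolation; sanitize if HTML is unavoidable." },
  { id: "dom-innerhtml", re: /\.innerHTML\s*=/, severity: "HIGH",
    fix: "Use textContent or build nodes with the DOM API." },
  { id: "document-write", re: /document\.write\s*\(/, severity: "HIGH",
    fix: "Remove document.write; insert nodes with the DOM API." },
  { id: "dynamic-script", re: /createElement\(\s*['"]script['"]\s*\)/, severity: "MEDIUM",
    fix: "Load scripts only from fixed, allow-listed origins under CSP." },
  // Heuristic: a navigation whose target is read from the query string.
  { id: "unvalidated-redirect", re: /location\.(href|assign|replace).*(location\.search|searchParams)/,
    severity: "HIGH", fix: "Allow-list redirect targets; reject absolute URLs from parameters." },
  { id: "plaintext-token", re: /localStorage\.setItem\(\s*['"][^'"]*token[^'"]*['"]/i, severity: "CRITICAL",
    fix: "Keep tokens out of localStorage; use HttpOnly, SameSite cookies." },
];

// Returns one finding per (line, rule) hit, with the file and 1-based line number.
function scanFile(path, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ file: path, line: i + 1, rule: rule.id, severity: rule.severity, fix: rule.fix });
      }
    }
  });
  return findings;
}

// Step 5: any CRITICAL or HIGH finding blocks the merge.
function blocksMerge(findings) {
  return findings.some((f) => f.severity === "CRITICAL" || f.severity === "HIGH");
}

function reviewAll(files) {
  return Object.entries(files).flatMap(([path, src]) => scanFile(path, src));
}

// Constructed sample input, not real project code.
const SAMPLE = {
  "src/Profile.jsx": "const html = { __html: props.bio };\nreturn <div dangerouslySetInnerHTML={html} />;",
  "src/auth.js": "localStorage.setItem('access_token', token);\nel.textContent = user.name;",
};
```

Each finding already carries the file, line number, severity and fix that the report format in step 6 asks for, so the output of reviewAll(SAMPLE) can be rendered straight into the graded report.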

Detailed References

Constraints

  • Do not bypass security mechanisms for development convenience.
  • Do not rely on frontend validation as the only line of defense.
  • Do not trust any data that comes from the client.
  • When a high-risk issue is found, it must be marked as blocking the merge.
  • Division of labor with general code-quality review: this skill focuses on threats, attack surface and data leakage.
  • Do not mechanically equate dependency-audit results with exploitable vulnerabilities; judge them together with the execution path, exposure and remediation cost.
  • Do not treat hidden buttons, frontend route guards or local role fields as authorization boundaries; APIs, SSR loaders, server actions and sensitive operations must be adjudicated server-side.

Expected Output

Output a security review report graded CRITICAL/HIGH/MEDIUM/LOW, with each issue tied to a specific file and line number and accompanied by a remediation recommendation; save the report as reports/security-review-YYYY-MM-DD-HHmmss.md

Usage Guidance
Install this if you want an agent to review frontend code for common client-side security risks and write a local report. Treat its findings as review assistance, especially for frontend issues, and use a broader application-security review for backend, infrastructure, malware, or production incident analysis.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The stated purpose and instructions align: review frontend/client-side risks such as XSS, CSRF, token handling, unsafe DOM APIs, file upload, dependencies, and third-party scripts, then produce remediation guidance.
Instruction Scope
The English description and body are frontend-focused, but the Chinese trigger words are generic enough that a runtime could route some broad security-review requests to it. The skill itself repeatedly frames its scope around frontend/client-side review.
Install Mechanism
The package contains Markdown and JSON files only, with no declared dependencies, install scripts, executable files, or runtime code.
Credentials
Reading project source and sensitive security-relevant areas is proportionate for a security review workflow; the artifact instructs analysis and reporting, not credential use or external transmission.
Persistence & Privilege
The only persistence is saving a security report under a reports path. There is no background process, privilege escalation, account mutation, or automatic network behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fec-security-review
  3. After installation, invoke the skill by name or use /fec-security-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.4.0
  • Skill renamed to "fec-security-review" and triggers clarified.
  • Comprehensive front-end security audit procedure and risk categories defined.
  • References added for detailed XSS, CSP, sensitive data, CSRF, dependency, and validation checks.
  • Standard report template and security checklist files introduced.
  • Updated output expectations for report grading and file naming.
  • Outdated skill-card.md file removed.
Metadata
Slug fec-security-review
Version 2.4.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Frontend Security Review?

Use when reviewing frontend security risks such as XSS, CSRF, sensitive data exposure, unsafe DOM APIs, untrusted user input, authentication/token handling,... It is an AI Agent Skill for Claude Code / OpenClaw, with 49 downloads so far.

How do I install Frontend Security Review?

Run "/install fec-security-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Frontend Security Review free?

Yes, Frontend Security Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Frontend Security Review support?

Frontend Security Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Frontend Security Review?

It is built and maintained by Bovin Phang (@bovinphang); the current version is v2.4.0.
