Frontend Security Review
Author: Bovin Phang · GitHub · v2.4.0 · MIT-0
49 total downloads · 1 favorite · 0 current installs · 1 version
Install in OpenClaw
/install fec-security-review
Description
Use when reviewing frontend security risks such as XSS, CSRF, sensitive data exposure, unsafe DOM APIs, untrusted user input, authentication/token handling,...
Usage (SKILL.md)
Frontend Security Review
Purpose
Identify client-side security risks in frontend code and give actionable remediation suggestions.
Procedure
- First confirm the review surface: user input, dynamic HTML, URL redirects, authentication state, RBAC, file upload, sensitive operations such as payment/deletion, third-party scripts and dependencies.
- Search for high-risk patterns: dangerouslySetInnerHTML, v-html, innerHTML, document.write, dynamic script, unvalidated redirect, plaintext token.
- Review by risk type: XSS, CSP, sensitive data, CSRF, dependencies, input validation, file upload, open redirect, authentication/authorization and third-party scripts.
- Use the boundary model to assign responsibility: the client can only improve experience and reduce misuse; authentication, authorization, upload trust and sensitive operations must be finally decided by the server.
- Mark high-risk issues as blocking merge; frontend validation only improves experience and cannot be the sole security boundary.
- Output a graded security report; see references/report-template.md for the report format.
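The pattern search and graded report steps above, as an added example that is not the skill's own code: a small scanner that flags the listed high-risk patterns in a constructed sample file and grades the result. The per-pattern severities, the sample source and the `src/Search.js` path are assumptions of this example, not values defined by the skill.

```javascript
// Added example, not the skill's own code: a minimal scanner for the high-risk
// patterns the procedure lists. Severity per pattern is an assumption of this example.
const RISK_PATTERNS = [
  { id: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML/, severity: 'HIGH', category: 'XSS' },
  { id: 'v-html', re: /\bv-html\b/, severity: 'HIGH', category: 'XSS' },
  { id: 'innerHTML', re: /\.(innerHTML|outerHTML)\s*=/, severity: 'HIGH', category: 'XSS' },
  { id: 'document.write', re: /document\.write(ln)?\s*\(/, severity: 'HIGH', category: 'XSS' },
  { id: 'dynamic-script', re: /createElement\(\s*['"]script['"]\s*\)/, severity: 'MEDIUM', category: 'third-party script' },
  { id: 'redirect', re: /(location\.href|location\.assign|location\.replace|window\.location)\s*[=(]/, severity: 'MEDIUM', category: 'open redirect' },
  { id: 'plaintext-token', re: /(localStorage|sessionStorage)\.setItem\(\s*['"][^'"]*(token|jwt|secret)/i, severity: 'CRITICAL', category: 'sensitive data' },
];
const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];
// Scan one file and return findings keyed by file and 1-based line, sorted by severity.
function scanSource(path, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const p of RISK_PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ file: path, line: i + 1, pattern: p.id, severity: p.severity,
                        category: p.category, snippet: text.trim() });
      }
    }
  });
  return findings.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity) || a.line - b.line);
}
// Render the graded report; any CRITICAL or HIGH finding marks the change as blocking merge.
function buildReport(findings) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const f of findings) counts[f.severity] += 1;
  const blocking = counts.CRITICAL + counts.HIGH > 0;
  const lines = [`# Security review (${blocking ? 'BLOCK MERGE' : 'no blocking issues'})`];
  for (const s of SEVERITY_ORDER) {
    const items = findings.filter((f) => f.severity === s);
    if (items.length === 0) continue;
    lines.push(`## ${s} (${items.length})`);
    for (const f of items) lines.push(`- ${f.file}:${f.line} [${f.category}] ${f.pattern}: \`${f.snippet}\``);
  }
  return { blocking, counts, text: lines.join('\n') };
}
// Constructed sample component source (not from any real project) to run the scanner on.
const SAMPLE_SOURCE = [
  "const el = document.getElementById('out');",
  "el.innerHTML = params.get('q');",            // HIGH: untrusted input rendered as HTML
  "localStorage.setItem('auth_token', jwt);",   // CRITICAL: token stored in plain text
  "window.location = params.get('next');",      // MEDIUM: unvalidated redirect target
  "el.textContent = params.get('q');",          // safe: text, not markup
].join('\n');
console.log(buildReport(scanSource('src/Search.js', SAMPLE_SOURCE)).text);
```

A real review still applies the boundary model from the procedure by hand: a pattern hit is a place to look, and a clean scan does not mean the server-side checks exist.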
Detailed References
- Load references/security-checklist.md for XSS, CSP, sensitive data, CSRF, dependency, and input validation details.
- Load references/report-template.md when writing the security review report.
Constraints
- Do not bypass security mechanisms for development convenience.
- Do not rely on frontend validation as the only line of security defense.
- Do not trust any data coming from the client.
- High-risk findings must be marked as blocking merge.
- Division of labor with general code-quality review: this skill focuses on threats, attack surface and data leakage.
- Do not mechanically equate dependency-audit results with exploitable vulnerabilities; judge them together with the execution path, exposure and remediation cost.
- Do not treat hidden buttons, frontend route guards or local role fields as authorization boundaries; APIs, SSR loaders, server actions and sensitive operations must be adjudicated on the server side.
Expected Output
Outputs a CRITICAL/HIGH/MEDIUM/LOW graded security review report, with each issue tied to a specific file and line number and given a remediation suggestion; the report is saved as reports/security-review-YYYY-MM-DD-HHmmss.md.
Safe-use recommendation
Install this if you want an agent to review frontend code for common client-side security risks and write a local report. Treat its findings as review assistance, especially for frontend issues, and use a broader application-security review for backend, infrastructure, malware, or production incident analysis.
Capability assessment
Purpose & Capability
The stated purpose and instructions align: review frontend/client-side risks such as XSS, CSRF, token handling, unsafe DOM APIs, file upload, dependencies, and third-party scripts, then produce remediation guidance.
Instruction Scope
The English description and body are frontend-focused, but the Chinese trigger words are generic enough that a runtime could route some broad security-review requests to it. The skill itself repeatedly frames its scope around frontend/client-side review.
Install Mechanism
The package contains Markdown and JSON files only, with no declared dependencies, install scripts, executable files, or runtime code.
Credentials
Reading project source and sensitive security-relevant areas is proportionate for a security review workflow; the artifact instructs analysis and reporting, not credential use or external transmission.
Persistence & Privilege
The only persistence is saving a security report under a reports path. There is no background process, privilege escalation, account mutation, or automatic network behavior.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install fec-security-review
- After installation, call the Skill by name directly or trigger it with /fec-security-review
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v2.4.0
- Skill renamed to "fec-security-review" and triggers clarified.
- Comprehensive front-end security audit procedure and risk categories defined.
- References added for detailed XSS, CSP, sensitive data, CSRF, dependency, and validation checks.
- Standard report template and security checklist files introduced.
- Updated output expectations for report grading and file naming.
- Outdated skill-card.md file removed.
FAQ
What is Frontend Security Review?
Use when reviewing frontend security risks such as XSS, CSRF, sensitive data exposure, unsafe DOM APIs, untrusted user input, authentication/token handling,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 49 times to date.
How do I install Frontend Security Review?
Run the command "/install fec-security-review" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Frontend Security Review free?
Yes, Frontend Security Review is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Frontend Security Review support?
Frontend Security Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Frontend Security Review?
Developed and maintained by Bovin Phang (@bovinphang); current version v2.4.0.