Node.js Security Audit

Author: npfaerber · GitHub · v1.0.0
cross-platform · security check passed
736 total downloads · 0 favorites · 4 current installs · 1 version
Install in OpenClaw:
/install nodejs-security-audit
Description
Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing...
Instructions (SKILL.md)

Node.js Security Audit

Structured security audit for Node.js HTTP servers and web applications.

Audit Checklist

Critical (Must Fix Before Deploy)

Hardcoded Secrets

  • Search for: API keys, passwords, tokens in source code
  • Pattern: grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"
  • Fix: Move to env vars, fail if missing: if (!process.env.SECRET) process.exit(1);

XSS in Dynamic Content

  • Search for: innerHTML, template literals injected into DOM, unsanitized user input in responses
  • Fix: Use textContent, or escape to HTML entities before inserting into markup: str.replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]))

SQL/NoSQL Injection

  • Search for: String concatenation in queries, eval(), Function() with user input
  • Fix: Parameterized queries, input validation

High (Should Fix)

CORS Misconfiguration

  • Search for: Access-Control-Allow-Origin: *
  • Fix: Allowlist specific origins: const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().value

Auth Bypass

  • Check: Every route that should require auth actually checks it
  • Common miss: Static file routes, agent/webhook endpoints, health checks that expose data

Path Traversal

  • Check: path.normalize() + startsWith(allowedDir) on all file-serving routes
  • Extra: Resolve symlinks with fs.realpathSync() and re-check

Medium (Recommended)

Security Headers

const HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses

Rate Limiting

const attempts = new Map(); // ip -> { count, resetAt }
const LIMIT = 5, WINDOW = 60000; // 5 attempts per 60 s window
// Returns true once `ip` has exceeded LIMIT within its current window.
function isLimited(ip) {
  const now = Date.now(), e = attempts.get(ip);
  // First request from this ip, or its window has expired: start a fresh window.
  if (!e || now > e.resetAt) { attempts.set(ip, {count:1, resetAt:now+WINDOW}); return false; }
  return ++e.count > LIMIT;
}
// Note: entries are never evicted, so prune expired ones periodically in long-running servers,
// and derive `ip` from req.socket.remoteAddress rather than a client-supplied header unless a trusted proxy sets it.

Input Validation

  • Body size limits: if (bodySize > 1048576) { req.destroy(); return; }
  • JSON parse in try/catch
  • Type checking on expected fields
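The three checks above combined into one body-reading helper, added here as an example rather than code from the skill; the `validate`, `parseJsonBody` and `readJsonBody` names and the login schema are this example's own assumptions:

```javascript
// Added example (not part of the skill): size cap, guarded JSON.parse and
// field type checks as one helper a route can call.
const MAX_BODY = 1048576; // 1 MiB, the limit used in the checklist

// schema maps field name -> expected typeof result, e.g. { user: 'string' }.
// Rejects non-objects, missing or mistyped fields, and fields not in the schema
// (so a client cannot smuggle extra properties such as isAdmin into the record).
function validate(obj, schema) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  for (const [field, type] of Object.entries(schema)) {
    if (typeof obj[field] !== type) return { ok: false, error: `${field} must be ${type}` };
  }
  for (const key of Object.keys(obj)) {
    // hasOwnProperty, not `in`: "constructor" or "toString" would pass an `in` check.
    if (!Object.prototype.hasOwnProperty.call(schema, key)) return { ok: false, error: `unexpected field ${key}` };
  }
  return { ok: true, value: obj };
}

// Synchronous core: size check before parsing, parse inside try/catch, then validate.
// Returns { ok, value } or { ok, error }; never throws, so routes cannot forget the catch.
function parseJsonBody(raw, schema, maxBytes = MAX_BODY) {
  if (raw.length > maxBytes) return { ok: false, error: 'body too large' };
  let parsed;
  try { parsed = JSON.parse(raw.toString('utf8')); }
  catch { return { ok: false, error: 'invalid JSON' }; }
  return validate(parsed, schema);
}

// Streaming wrapper for a real http.IncomingMessage: stops reading (req.destroy())
// as soon as the cap is exceeded instead of buffering the whole body first.
function readJsonBody(req, schema, maxBytes = MAX_BODY) {
  return new Promise(resolve => {
    const chunks = [];
    let size = 0;
    req.on('data', chunk => {
      size += chunk.length;
      if (size > maxBytes) { req.destroy(); return resolve({ ok: false, error: 'body too large' }); }
      chunks.push(chunk);
    });
    req.on('end', () => resolve(parseJsonBody(Buffer.concat(chunks), schema, maxBytes)));
    req.on('error', () => resolve({ ok: false, error: 'read error' }));
  });
}

// Constructed sample schema: the shape an assumed /login route expects.
const LOGIN_SCHEMA = { user: 'string', remember: 'boolean' };
```

Inside a route, `const body = await readJsonBody(req, LOGIN_SCHEMA);` and respond 400 when `body.ok` is false.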

Low (Consider)

  • Dependency Audit: npm audit
  • Error Leakage: Don't send stack traces to clients in production
  • Cookie Security: HttpOnly; Secure; SameSite=Strict

Report Format

## Security Audit: [filename]

### Critical
1. **[Category]** Description — File:Line — Fix: ...

### High
...

### Medium
...

### Low
...

### Summary
X critical, X high, X medium, X low
Safe Usage Advice
This skill is a coherent checklist and safe to inspect or use as guidance, but treat it as advisory rather than an automated tool. Before running commands: (1) run grep/heuristics from the project repository root to avoid scanning unrelated directories; (2) review any suggested runtime changes (e.g., exiting if a SECRET is missing) — they can cause outages if applied without testing; (3) expect false positives from simple grep patterns and complement this checklist with established tools (npm audit, Snyk/OSS scanners, semgrep for code patterns, and OWASP ZAP for dynamic testing). If you will let an agent run these checks automatically, run them in a sandbox or CI environment rather than directly against production systems.
Functional Analysis
Type: OpenClaw Skill
Name: nodejs-security-audit
Version: 1.0.0
The skill bundle defines a Node.js security audit process, providing a checklist and remediation advice for common vulnerabilities like hardcoded secrets, XSS, SQL injection, and CORS misconfigurations. The `SKILL.md` file instructs the AI agent to search for specific patterns using tools like `grep`, which is a standard practice for code auditing. There is no evidence of malicious intent, data exfiltration, unauthorized command execution beyond the stated auditing purpose, or prompt injection designed to subvert the agent for harmful activities. The `grep` command is used to *find* secrets, not to steal or exfiltrate them, and even includes exclusions for legitimate environment variable usage.
Capability Assessment
Purpose & Capability
The name and description (Node.js security audit, OWASP checks, CORS, XSS, path traversal, hardcoded secrets, headers, rate limiting, etc.) align with the SKILL.md content. All recommended checks and code snippets are relevant to a source-level security review, and nothing in the metadata asks for unrelated credentials or tools.
Instruction Scope
The SKILL.md is limited to static/source checks (grep patterns, code snippets, heuristics) and a report template. It assumes access to the project source tree and instructs running grep and reviewing code. Caution: the provided grep patterns and a suggestion to call process.exit(1) are prescriptive and may cause outages if applied blindly (e.g., enforcing process.env.SECRET at runtime). The document does not instruct exfiltration or network scanning or sending data to external endpoints.
Install Mechanism
No install spec or code files — instruction-only. This is lowest-risk from an installation/execution perspective.
Credentials
The skill requests no environment variables or credentials. It references process.env in example fixes (encouraging use of env vars for secrets), which is appropriate and proportional for the stated purpose.
Persistence & Privilege
`always` is false and there is no request for persistent or elevated platform presence. Autonomous invocation is allowed by default but not combined with other red flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install nodejs-security-audit
  3. After installation, call the Skill by name directly or trigger it with /nodejs-security-audit
  4. Provide the required input according to the Skill's parameter description to get structured output
Version History
v1.0.0
- Initial release of nodejs-security-audit.
- Audits Node.js HTTP servers for common vulnerabilities including OWASP Top 10 risks.
- Checks for hardcoded secrets, XSS, SQL/NoSQL injection, CORS issues, auth bypass, and path traversal.
- Verifies presence of security headers, rate limiting, and input validation.
- Includes guidance for dependency audits, error leakage prevention, and cookie security.
- Provides a structured checklist and example report format for audits.
Metadata
Slug nodejs-security-audit
Version 1.0.0
License
Total installs 4
Current installs 4
Versions 1
FAQ

What is Node.js Security Audit?

Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 736 downloads to date.

How do I install Node.js Security Audit?

Run the command "/install nodejs-security-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Node.js Security Audit free?

Yes, Node.js Security Audit is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Node.js Security Audit support?

Node.js Security Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Node.js Security Audit?

Developed and maintained by npfaerber (@npfaerber); current version v1.0.0.
