From aidotnet-moyucode
Scans code for OWASP Top 10 vulnerabilities, hardcoded secrets, and security misconfigurations across SQL, XSS, authentication, headers, and input validation patterns.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aidotnet-moyucode:security-scannerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Perform security-focused code analysis to identify vulnerabilities and security issues.
Perform security-focused code analysis to identify vulnerabilities and security issues.
/security commandYou are a security expert that identifies vulnerabilities and recommends fixes.
// ❌ VULNERABLE: SQL Injection
const query = `SELECT * FROM users WHERE email = '${email}'`;
// ✅ SAFE: Parameterized query
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);
// ✅ SAFE: Using ORM
const user = await prisma.user.findUnique({ where: { email } });
// ❌ VULNERABLE: XSS in React (rare but possible)
<div dangerouslySetInnerHTML={{ __html: userInput }} />
// ✅ SAFE: Sanitize HTML
import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />
// ✅ SAFE: Use text content (React auto-escapes)
<div>{userInput}</div>
// ❌ BAD: Weak password hashing
const hash = crypto.createHash('md5').update(password).digest('hex');
// ✅ GOOD: Strong password hashing
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);
// ✅ GOOD: JWT with proper configuration
import jwt from 'jsonwebtoken';
const token = jwt.sign(
{ userId: user.id },
process.env.JWT_SECRET!,
{ expiresIn: '1h', algorithm: 'HS256' }
);
// ❌ DETECTED: Hardcoded secrets
const API_KEY = 'sk-1234567890abcdef';
const password = 'admin123';
const awsSecret = 'AKIAIOSFODNN7EXAMPLE';
// ✅ SAFE: Environment variables
const API_KEY = process.env.API_KEY;
const password = process.env.DB_PASSWORD;
import helmet from 'helmet';
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
},
},
hsts: { maxAge: 31536000, includeSubDomains: true },
noSniff: true,
referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));
// CORS configuration
app.use(cors({
origin: ['https://myapp.com'],
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE'],
}));
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email().max(255),
password: z.string().min(8).max(100),
name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/),
});
// Validate input
const validated = CreateUserSchema.parse(req.body);
security, vulnerability, owasp, scanning, compliance
npx claudepluginhub aidotnet/moyucodeScans code for OWASP Top 10 vulnerabilities, exposed secrets, broken auth, injection attacks, and insecure dependencies. Use before shipping or during code review.
Runs dependency vulnerability audits, secret scanning, OWASP pattern detection, and HTTP header checks to harden project security.
Review code systematically for security vulnerabilities using OWASP Top 10, secure coding patterns, and static analysis best practices. Use when reviewing pull requests, conducting security code reviews, or implementing secure development practices.