code-inspector
Conducts comprehensive audits on Node.js/Express applications, focusing on security, performance, and code quality for SaaS systems.
Security score
The code-inspector skill was audited on Feb 9, 2026 and we found 24 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
Eval function call - arbitrary code execution
| 34 | | A03 | Injection | \$where, eval(), new Function | 🔴 CRÍTICO | Sanitização, prepared statements | |
Template literal with variable interpolation in command context
| 61 | ```javascript |
| 242 | ```bash |
| 309 | const cacheKey = `ranking:${ligaId}:${rodadaNum}`; |
| 614 | .update(`${participanteId}-${ligaId}-${valor}-${descricao}-${Date.now()}`) |
| 667 | console.warn(`[RETRY] Tentativa ${attempt}/${maxRetries} falhou, retry em ${delay}ms`); |
| 673 | throw new Error(`HTTP ${response.status}: ${await response.text()}`); |
| 676 | console.error(`[RETRY] Todas ${maxRetries} tentativas falharam`, error); |
| 681 | console.warn(`[RETRY] Erro na tentativa ${attempt}, retry em ${delay}ms`, error.message); |
| 816 | return { status: 'ok', latency: `${latency}ms` }; |
| 1021 | console.log(`\n๐ ${file}`); |
| 1023 | console.log(` ⚠️ ${f.name}: complexity=${f.complexity}, lines=${f.lines}`); |
| 1097 | ```bash |
| 1225 | ```bash |
| 1741 | const query = `SELECT * FROM users WHERE email = '${req.body.email}'`; |
| 1919 | link.download = `${elementId}-${Date.now()}.png`; |
Fetch to external URL
| 275 | const fresh = await fetch('/api/participante').then(r => r.json()); |
| 814 | await fetch('https://api.cartolafc.globo.com/auth/time/info', { timeout: 3000 }); |
| 1891 | const fresh = await fetch('/api/data').then(r => r.json()); |
Access to .env file
| 53 | grep -rn "password\s*[:=]\s*['\"][^'\"]*['\"]" --include="*.js" | grep -v "process\.env\|\.example" |
| 126 | grep -rn "password\s*[:=]\s*['\"][^'\"]*['\"]" --include="*.js" | grep -v "process\.env\|\.example\|\.sample" | wc -l |
| 790 | env: process.env.NODE_ENV |
| 1253 | secrets=$(grep -rn "password\s*[:=]\s*['\"]" --include="*.js" 2>/dev/null | grep -v "process\.env\|\.example" | wc -l) |
External URL reference
| 814 | await fetch('https://api.cartolafc.globo.com/auth/time/info', { timeout: 3000 }); |