express-api-developer

Facilitates Express.js backend API development with JWT authentication, RBAC, and ClickHouse integration for Vigil Guard.

Install this skill

or

34/100

Security score

The express-api-developer skill was audited on Feb 9, 2026 and we found 22 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 72

Template literal with variable interpolation in command context

SourceSKILL.md

72	fetch(`${BRANCH_SERVICES.A}/health`, { signal: AbortSignal.timeout(2000) }),

medium line 73

Template literal with variable interpolation in command context

SourceSKILL.md

73	fetch(`${BRANCH_SERVICES.B}/health`, { signal: AbortSignal.timeout(2000) }),

medium line 74

Template literal with variable interpolation in command context

SourceSKILL.md

74	fetch(`${BRANCH_SERVICES.C}/health`, { signal: AbortSignal.timeout(2000) })

medium line 229

Template literal with variable interpolation in command context

SourceSKILL.md

229	const response = await fetch(`${BRANCH_SERVICES.A}/analyze`, {

medium line 237

Template literal with variable interpolation in command context

SourceSKILL.md

237	throw new Error(`Heuristics service error: ${response.status}`);

medium line 261

Template literal with variable interpolation in command context

SourceSKILL.md

261	const response = await fetch(`${BRANCH_SERVICES.B}/analyze`, {

medium line 269

Template literal with variable interpolation in command context

SourceSKILL.md

269	throw new Error(`Semantic service error: ${response.status}`);

medium line 376

Template literal with variable interpolation in command context

SourceSKILL.md

376	const query = `SELECT * FROM users WHERE username = '${username}'`;

medium line 467

Curl to non-GitHub URL

SourceSKILL.md

467	curl -X POST http://localhost:8787/api/auth/login \

medium line 472

Curl to non-GitHub URL

SourceSKILL.md

472	curl http://localhost:8787/api/health/branches \

medium line 476

Curl to non-GitHub URL

SourceSKILL.md

476	curl -X POST http://localhost:8787/api/analyze/heuristics \

low line 320

Access to .env file

SourceSKILL.md

320	origin: process.env.NODE_ENV === 'production' ?

low line 321

Access to .env file

SourceSKILL.md

321	process.env.ALLOWED_ORIGINS.split(',') :

low line 352

Access to .env file

SourceSKILL.md

352	const SECRET = process.env.JWT_SECRET; // 32+ chars from .env

low line 57

External URL reference

SourceSKILL.md

57	A: 'http://heuristics-service:5005', // Heuristics (30% weight)

low line 58

External URL reference

SourceSKILL.md

58	B: 'http://semantic-service:5006', // Semantic (35% weight)

low line 59

External URL reference

SourceSKILL.md

59	C: 'http://prompt-guard-api:8000' // LLM Guard (35% weight)

low line 467

External URL reference

SourceSKILL.md

467	curl -X POST http://localhost:8787/api/auth/login \

low line 472

External URL reference

SourceSKILL.md

472	curl http://localhost:8787/api/health/branches \

low line 476

External URL reference

SourceSKILL.md

476	curl -X POST http://localhost:8787/api/analyze/heuristics \

low line 498

External URL reference

SourceSKILL.md

498	- Express docs: https://expressjs.com/

low line 499

External URL reference

SourceSKILL.md

499	- ClickHouse docs: https://clickhouse.com/docs

Scanned on Feb 9, 2026

View Security Dashboard

Installation guide →

GitHub Stars 106

Rate this skill

Categorydevelopment

UpdatedMay 21, 2026

openclaw backend api backend-developer product-manager technical-pm development product

majiayu000/claude-skill-registry