security-review

Ensures code adheres to security best practices, identifying vulnerabilities in authentication, input handling, and sensitive data management.

Install this skill

62/100

Security score

The security-review skill was audited on Mar 8, 2026 and we found 18 security issues across 5 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 114

Template literal with variable interpolation in command context

SourceSKILL.md

114	const query = `SELECT * FROM users WHERE email = '${userEmail}'`

medium line 148

Template literal with variable interpolation in command context

SourceSKILL.md

148	`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

medium line 257

Template literal with variable interpolation in command context

SourceSKILL.md

257	`session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)

medium line 437

Template literal with variable interpolation in command context

SourceSKILL.md

437	headers: { Authorization: `Bearer ${userToken}` }

low line 430

Fetch to external URL

SourceSKILL.md

430	const response = await fetch('/api/protected')

low line 436

Fetch to external URL

SourceSKILL.md

436	const response = await fetch('/api/admin', {

low line 444

Fetch to external URL

SourceSKILL.md

444	const response = await fetch('/api/users', {

low line 454

Fetch to external URL

SourceSKILL.md

454	fetch('/api/endpoint')

low line 33

Access to .env file

SourceSKILL.md

33	const apiKey = process.env.OPENAI_API_KEY

low line 34

Access to .env file

SourceSKILL.md

34	const dbUrl = process.env.DATABASE_URL

medium line 45

Access to .env file

SourceSKILL.md

45	- [ ] `.env.local` 已包含在 .gitignore 中

low line 352

Buffer.from base64 decode

SourceSKILL.md

352	Buffer.from(signature, 'base64'),

low line 353

Buffer.from base64 decode

SourceSKILL.md

353	Buffer.from(publicKey, 'base64')

low line 222

External URL reference

SourceSKILL.md

222	connect-src 'self' https://api.example.com;

low line 488

External URL reference

SourceSKILL.md

488	- [OWASP Top 10](https://owasp.org/www-project-top-ten/)

low line 489

External URL reference

SourceSKILL.md

489	- [Next.js Security](https://nextjs.org/docs/security)

low line 490

External URL reference

SourceSKILL.md

490	- [Supabase Security](https://supabase.com/docs/guides/auth)

low line 491

External URL reference

SourceSKILL.md

491	- [Web Security Academy](https://portswigger.net/web-security)

Scanned on Mar 8, 2026

View Security Dashboard

Install this skill with one command

/learn @xu-xiang/security-review

GitHub Stars 87

Rate this skill

Categorydevelopment

UpdatedMarch 29, 2026

openclaw backend security-engineer backend-developer devops-sre development

xu-xiang/everything-claude-code-zh