nodejs-security-audit

Audit Node.js HTTP servers and web apps for security vulnerabilities. Checks OWASP Top 10, CORS, auth bypass, XSS, path traversal, hardcoded secrets, missing headers, rate limiting, and input validation. Use when reviewing server code before deployment or after changes.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "nodejs-security-audit" with this command: npx skills add npfaerber/nodejs-security-audit

Node.js Security Audit

Structured security audit for Node.js HTTP servers and web applications.

Audit Checklist

Critical (Must Fix Before Deploy)

Hardcoded Secrets

  • Search for: API keys, passwords, tokens in source code
  • Pattern: grep -rn "password\|secret\|token\|apikey\|api_key" --include="*.js" --include="*.ts" | grep -v node_modules | grep -v "process.env\|\.env"
  • Fix: Move to env vars, fail if missing: if (!process.env.SECRET) process.exit(1);

XSS in Dynamic Content

  • Search for: innerHTML, template literals injected into DOM, unsanitized user input in responses
  • Fix: Use textContent, or escape: str.replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":"&#39;"}[c]))

SQL/NoSQL Injection

  • Search for: String concatenation in queries, eval(), Function() with user input
  • Fix: Parameterized queries, input validation

High (Should Fix)

CORS Misconfiguration

  • Search for: Access-Control-Allow-Origin: *
  • Fix: Allowlist specific origins: const origin = ALLOWED.has(req.headers.origin) ? req.headers.origin : ALLOWED.values().next().value

Auth Bypass

  • Check: Every route that should require auth actually checks it
  • Common miss: Static file routes, agent/webhook endpoints, health checks that expose data

Path Traversal

  • Check: path.normalize() + startsWith(allowedDir) on all file-serving routes
  • Extra: Resolve symlinks with fs.realpathSync() and re-check

Medium (Recommended)

Security Headers

const HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Apply to all responses

Rate Limiting

const attempts = new Map(); // ip -> { count, resetAt }
const LIMIT = 5, WINDOW = 60000;
function isLimited(ip) {
  const now = Date.now(), e = attempts.get(ip);
  if (!e || now > e.resetAt) { attempts.set(ip, {count:1, resetAt:now+WINDOW}); return false; }
  return ++e.count > LIMIT;
}

Input Validation

  • Body size limits: if (bodySize > 1048576) { req.destroy(); return; }
  • JSON parse in try/catch
  • Type checking on expected fields

Low (Consider)

Dependency Audit: npm audit Error Leakage: Don't send stack traces to clients in production Cookie Security: HttpOnly; Secure; SameSite=Strict

Report Format

## Security Audit: [filename]

### Critical
1. **[Category]** Description — File:Line — Fix: ...

### High
...

### Medium
...

### Low
...

### Summary
X critical, X high, X medium, X low

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Memory Poison Auditor

Audits OpenClaw memory files for injected instructions, brand bias, hidden steering, and memory poisoning patterns. Use when reviewing MEMORY.md, daily memor...

Registry SourceRecently Updated
024
Profile unavailable
Security

AgentShield Scanner

Scan AI agent skills, MCP servers, and plugins for security vulnerabilities. Use when: user asks to check a skill/plugin for safety, audit security, scan for...

Registry SourceRecently Updated
066
Profile unavailable
Security

DeepSafe Scan

Preflight security scanner for OpenClaw — scans deployment config, skills, memory/sessions for secrets, PII, prompt injection, and dangerous patterns. Runs 4...

Registry SourceRecently Updated
069
Profile unavailable