AI coding agents don't think about security. They generate code that works, ship it, and move on. This skill makes them paranoid - in a good way.
Here's what happens when you ask an AI to build an API endpoint:

```javascript
// AI-generated code - compiles fine, fails audit
app.get('/user/:id', async (req, res) => {
  const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);
  res.json(user);
});
```

No input validation. SQL injection. No auth check. The AI optimized for "fewest lines of code" instead of "won't get hacked."
This skill intercepts those patterns and fixes them.
12 modules covering OWASP Top 10 and JavaScript-specific issues:
| Module | What it prevents |
|---|---|
| injection.md | SQL injection, command injection, NoSQL injection |
| xss-output.md | Cross-site scripting, missing output encoding |
| auth-access.md | Broken access control, BOLA, session issues |
| crypto-secrets.md | Weak hashing, hardcoded API keys, Math.random() for tokens |
| input-validation.md | Missing zod/yup validation, file upload attacks |
| prototype-pollution.md | Object.assign attacks, deep merge vulnerabilities |
| typescript-safety.md | Type coercion bugs, runtime validation gaps |
| nextjs-security.md | Middleware bypass (CVE-2025-29927), Server Actions, SSRF |
| rsc-security.md | RSC deserialization (React2Shell), DoS attacks, Server Action abuse |
| api-infra.md | Missing rate limits, CORS misconfiguration, security headers |
| dependencies.md | Supply chain attacks, NPM malware, PhantomRaven patterns |
| nodejs-runtime.md | ReDoS, async hooks exhaustion, HTTP/2 DoS, child_process dangers |
- Never concatenate strings into queries. Use parameterized queries or an ORM.
- Never `Math.random()` for tokens. Use `crypto.randomUUID()`.
- Never trust middleware alone for auth. Check ownership in the handler.
- Always validate at API boundaries with zod or similar.
- Never `eval()` or `new Function()` with user input.
The skill has code examples showing what breaks and what doesn't.
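
An added example, not taken from the skill or its modules: the `/user/:id` handler from the top of this page rewritten to follow three of the rules above (validate at the boundary, check ownership in the handler, parameterize the query). The names `planUserLookup` and `getUserHandler`, the `req.user` session object, the `db.query(text, values)` interface and the column list are assumptions.

```javascript
// Added example: hardened counterpart of the /user/:id handler.
// All names below are illustrative assumptions, not the skill's own code.

// Boundary validation: positive integer, bounded length, no leading zero.
const ID_PATTERN = /^[1-9][0-9]{0,9}$/;

// Pure decision step: checks authentication, input shape and ownership,
// then returns either an HTTP error or a parameterized query description.
function planUserLookup(sessionUser, rawId) {
  if (!sessionUser) {
    return { status: 401, error: 'authentication required' };
  }
  if (typeof rawId !== 'string' || !ID_PATTERN.test(rawId)) {
    return { status: 400, error: 'invalid id' };
  }
  const id = Number(rawId);
  // Ownership is enforced here, in the handler path, not only in middleware.
  if (sessionUser.id !== id && sessionUser.role !== 'admin') {
    return { status: 403, error: 'forbidden' };
  }
  return {
    status: 200,
    query: {
      // $1 is node-postgres placeholder syntax; other drivers use "?".
      // Explicit columns (assumed schema) instead of SELECT *.
      text: 'SELECT id, name, email FROM users WHERE id = $1',
      values: [id],
    },
  };
}

// Express-style handler. `db` is an assumed driver exposing query(text, values)
// that resolves to { rows }, as node-postgres does.
async function getUserHandler(req, res, db) {
  const plan = planUserLookup(req.user, req.params.id);
  if (plan.status !== 200) {
    return res.status(plan.status).json({ error: plan.error });
  }
  const { rows } = await db.query(plan.query.text, plan.query.values);
  if (rows.length === 0) {
    return res.status(404).json({ error: 'not found' });
  }
  return res.json(rows[0]);
}
```

The id reaches the database only as a bound value, so the query text is identical for every request.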
| Platform | Status |
|---|---|
| Claude Code | Works |
| OpenAI Codex | Works |
| Google Antigravity | Works |
| Warp | Works |
| VS Code Copilot | Works |
This skill follows the Agent Skills open standard. Works with any compatible AI tool.
Clone to your skills directory:

```bash
git clone https://github.com/subhashdasyam/security-antipatterns-javascript ~/.claude/skills/security-antipatterns-javascript
```

Or clone to .claude/skills/ in a specific project.

```bash
mkdir -p ~/.codex/skills
ln -s "$(pwd)" ~/.codex/skills/security-antipatterns-javascript
```

```bash
mkdir -p ~/.antigravity/skills
ln -s "$(pwd)" ~/.antigravity/skills/security-antipatterns-javascript
```

Copy to ~/.warp/skills/ or configure skill path in settings.
Copy skill folder to .github/skills/ in your project.
Symlink or copy this folder to your tool's skills directory. Standard format - it should just work.
Kicks in when you're generating:
- Express or Fastify routes
- Next.js API routes or Server Actions
- React Server Components (RSC)
- Database queries (Prisma, Drizzle, raw SQL, MongoDB)
- Authentication logic
- File upload handlers
- Package installations or dependency management
- Anything touching user input
MIT