vulnerability-scanner

verified

Scans code for security vulnerabilities, identifies CVE patterns, and provides severity ratings with remediation guidance. Use when scanning for security issues, code vulnerabilities, or OWASP top 10 problems.

Marketplace: fastagent-marketplace (armanzeroeight/fastagent-plugins)

Plugin: security-toolkit (Security)

Repository: armanzeroeight/fastagent-plugins (20 stars)

Path: plugins/security-toolkit/skills/vulnerability-scanner/SKILL.md

Last Verified: January 21, 2026

Install Skill (via the add-skill CLI):

npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/security-toolkit/skills/vulnerability-scanner/SKILL.md -a claude-code --skill vulnerability-scanner

Installation path for Claude: .claude/skills/vulnerability-scanner/

Instructions

# Vulnerability Scanner

## Quick Start

Scan a codebase for common vulnerabilities:

```bash
# For JavaScript/TypeScript
# (needs eslint-plugin-security installed and its recommended rules enabled in the ESLint config;
#  --plugin only registers the plugin, it does not turn its rules on)
npx eslint --plugin security .

# For Python
bandit -r . -f json

# For general patterns (a coarse grep; every hit needs manual review)
grep -rnE "eval|exec|system|shell" --include="*.py" --include="*.js" .
```

## Instructions

### Step 1: Identify Project Type

Detect the technology stack:
- Check for `package.json` (Node.js)
- Check for `requirements.txt` or `pyproject.toml` (Python)
- Check for `go.mod` (Go)
- Check for `Cargo.toml` (Rust)

### Step 2: Run Static Analysis

**JavaScript/TypeScript:**
```bash
# eslint-plugin-security must be installed and its rules enabled in the project's ESLint config
npx eslint --plugin security --ext .js,.ts,.jsx,.tsx .
```

**Python:**
```bash
pip install bandit
bandit -r . -f json -o bandit-report.json
```

**Go:**
```bash
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
```

### Step 3: Check for Common Patterns

Scan for dangerous patterns:

| Pattern | Risk | Languages |
|---------|------|-----------|
| `eval()` | Code injection | JS, Python |
| `exec()` | Command injection | Python |
| `shell=True` | Command injection | Python |
| `dangerouslySetInnerHTML` | XSS | React |
| SQL string concatenation | SQL injection | All |
| `pickle.loads()` | Deserialization | Python |

### Step 4: Categorize Findings

Assign severity based on:
- **Critical**: Remote code execution, authentication bypass
- **High**: SQL injection, XSS, SSRF
- **Medium**: Information disclosure, CSRF
- **Low**: Missing headers, verbose errors

### Step 5: Generate Report

Format findings:
```
## Security Scan Results

### Critical (0)
[None found]

### High (2)
1. **SQL Injection** - src/db/queries.js:45
   - Pattern: String concatenation in SQL query
   - Fix: Use parameterized queries

2. **XSS Vulnerability** - src/components/Comment.jsx:23
   - Pattern: dangerouslySetInnerHTML with user input
   - Fix: Sanitize input with DOMPurify
```
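As an added example (not part of this SKILL.md or the fastagent-plugins project), the following Python script carries Steps 3 to 5 through in one pass: it applies the Step 3 pattern table to constructed sample sources, maps each hit onto the Step 4 severity scale, and renders the Step 5 report layout. The severity assigned to the `eval`/`exec`/`pickle` rows and the fix hints other than the two quoted in Step 5 are assumptions of this example.

```python
import re
# Step 3 table mapped to Step 4 severities; the mapping and the fix hints not taken from Step 5 are assumed here.
PATTERNS = [
    ("Code Injection", "Critical", ("py", "js", "jsx", "ts", "tsx"),
     "Do not eval untrusted input; parse it instead", re.compile(r"\beval\s*\(")),
    ("Command Injection", "Critical", ("py",),
     "Pass an argument list and drop shell=True", re.compile(r"\bexec\s*\(|\bshell\s*=\s*True\b")),
    ("Insecure Deserialization", "Critical", ("py",),
     "Use a data-only format such as JSON", re.compile(r"\bpickle\.loads?\s*\(")),
    ("XSS Vulnerability", "High", ("js", "jsx", "tsx"),
     "Sanitize input with DOMPurify", re.compile(r"dangerouslySetInnerHTML")),
    # SQL keyword on a line that also builds the string with +, ${...}, .format( or "..." %
    ("SQL Injection", "High", None, "Use parameterized queries", re.compile(
        r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\+\s*\w|\$\{|\.format\(|[\"']\s*%\s*[\w(])", re.I)),
]
ORDER = ("Critical", "High", "Medium", "Low")

def scan_source(path, text):
    """Return (severity, title, path, line_no, fix) for every pattern hit in one file."""
    ext = path.rsplit(".", 1)[-1]  # language gate for rows that name specific languages
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for title, severity, exts, fix, rx in PATTERNS:
            if (exts is None or ext in exts) and rx.search(line):
                hits.append((severity, title, path, line_no, fix))
    return hits

def render_report(findings):
    """Render the Step 5 layout: one heading per severity with its count, or [None found]."""
    out = ["## Security Scan Results", ""]
    for sev in ORDER:
        group = [f for f in findings if f[0] == sev]
        out.append(f"### {sev} ({len(group)})")
        for n, (_, title, path, line_no, fix) in enumerate(group, 1):
            out += [f"{n}. **{title}** - {path}:{line_no}", f"   - Fix: {fix}"]
        out += ["[None found]"] if not group else []
        out.append("")
    return "\n".join(out)

# Constructed sample sources (not from any real project); the last Python line is a safe parameterized query.
SAMPLE_FILES = {
    "src/db/queries.js": "const q = `SELECT * FROM users WHERE id = ${req.query.id}`;\n",
    "src/components/Comment.jsx": "<div dangerouslySetInnerHTML={{ __html: body }} />\n",
    "app/loader.py": "obj = pickle.loads(blob)\nsubprocess.run(cmd, shell=True)\n"
                     "cur.execute('SELECT id FROM t WHERE n = %s', (n,))\n",
}

def scan_all(files=SAMPLE_FILES):
    return [h for path, text in files.items() for h in scan_source(path, text)]
```

Running `print(render_report(scan_all()))` yields two Critical and two High findings, with the parameterized query left unflagged.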

## Common Vulnerability Patterns

### Injection Flaws

```javascript
// BAD: SQL Injection
const query = `SELECT * F
```
