Claude Code Plugins

Community-maintained marketplace


Scans code for security vulnerabilities, identifies CVE patterns, and provides severity ratings with remediation guidance. Use when scanning for security issues, code vulnerabilities, or OWASP top 10 problems.

Install Skill

1. Download skill
2. Enable skills in Claude

   Open claude.ai/settings/capabilities and find the "Skills" section

3. Upload to Claude

   Click "Upload skill" and select the downloaded ZIP file

Note: Please verify the skill by going through its instructions before using it.

SKILL.md

name: vulnerability-scanner
description: Scans code for security vulnerabilities, identifies CVE patterns, and provides severity ratings with remediation guidance. Use when scanning for security issues, code vulnerabilities, or OWASP top 10 problems.

Vulnerability Scanner

Quick Start

Scan a codebase for common vulnerabilities:

# For JavaScript/TypeScript
npx eslint --plugin security .

# For Python
bandit -r . -f json

# For general patterns (GNU grep; searches the current directory recursively)
grep -rn "eval\|exec\|system\|shell" --include="*.py" --include="*.js" .

Instructions

Step 1: Identify Project Type

Detect the technology stack:

  • Check for package.json (Node.js)
  • Check for requirements.txt or pyproject.toml (Python)
  • Check for go.mod (Go)
  • Check for Cargo.toml (Rust)

Step 2: Run Static Analysis

JavaScript/TypeScript:

npx eslint --plugin security --ext .js,.ts,.jsx,.tsx .

Python:

pip install bandit
bandit -r . -f json -o bandit-report.json

Go:

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

Step 3: Check for Common Patterns

Scan for dangerous patterns:

| Pattern                    | Risk              | Languages  |
|----------------------------|-------------------|------------|
| eval()                     | Code injection    | JS, Python |
| exec()                     | Command injection | Python     |
| shell=True                 | Command injection | Python     |
| dangerouslySetInnerHTML    | XSS               | React      |
| SQL string concatenation   | SQL injection     | All        |
| pickle.loads()             | Deserialization   | Python     |

Step 4: Categorize Findings

Assign severity based on:

  • Critical: Remote code execution, authentication bypass
  • High: SQL injection, XSS, SSRF
  • Medium: Information disclosure, CSRF
  • Low: Missing headers, verbose errors

Step 5: Generate Report

Format findings:

## Security Scan Results

### Critical (0)
[None found]

### High (2)
1. **SQL Injection** - src/db/queries.js:45
   - Pattern: String concatenation in SQL query
   - Fix: Use parameterized queries

2. **XSS Vulnerability** - src/components/Comment.jsx:23
   - Pattern: dangerouslySetInnerHTML with user input
   - Fix: Sanitize input with DOMPurify
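A compact reference implementation of Steps 3 to 5, added here as an illustration and not part of the skill itself: it searches source text for the Step 3 patterns, assigns a Step 4 tier (an assumed mapping: eval, exec, shell=True and pickle.loads are Critical because they yield code execution; SQL concatenation and dangerouslySetInnerHTML are High), and renders the Step 5 report layout. The sample JavaScript text and the `scan_text`, `scan_tree` and `format_report` names are constructed for this example.

```python
import re
from pathlib import Path
# Step 3 patterns mapped to the Step 4 tiers: RCE-class findings are Critical,
# SQL injection and XSS are High (assumed mapping, following the skill text).
PATTERNS = [
    ("Code injection (eval)", r"\beval\s*\(", "Critical"),
    ("Command injection (exec)", r"\bexec\s*\(", "Critical"),
    ("Command injection (shell=True)", r"\bshell\s*=\s*True\b", "Critical"),
    ("Deserialization (pickle.loads)", r"\bpickle\.loads\s*\(", "Critical"),
    ("XSS (dangerouslySetInnerHTML)", r"\bdangerouslySetInnerHTML\b", "High"),
    # SQL keyword followed on the same line by `${` or by a quote then `+`
    ("SQL injection (string concatenation)",
     r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\$\{|['\"]\s*\+)", "High"),
]

def scan_text(text, filename):
    """Return (severity, title, 'file:line', source) tuples for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for title, regex, severity in PATTERNS:
            if re.search(regex, line):
                findings.append((severity, title, f"{filename}:{lineno}", line.strip()))
    return findings

def scan_tree(root, suffixes=(".py", ".js", ".jsx", ".ts", ".tsx")):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

def format_report(findings):
    """Render findings in the Step 5 layout, one section per severity tier."""
    lines = ["## Security Scan Results", ""]
    for sev in ("Critical", "High", "Medium", "Low"):
        group = [f for f in findings if f[0] == sev]
        lines.append(f"### {sev} ({len(group)})")
        if not group:
            lines.append("[None found]")
        for n, (_, title, loc, src) in enumerate(group, start=1):
            lines.append(f"{n}. **{title}** - {loc}")
            lines.append(f"   - Pattern: {src}")
        lines.append("")
    return "\n".join(lines)

# Constructed sample file contents (not from any real project) for a dry run.
SAMPLE_JS = """const query = `SELECT * FROM users WHERE id = ${userId}`;
const safe = db.query('SELECT * FROM users WHERE id = ?', [userId]);
return <div dangerouslySetInnerHTML={{__html: comment}} />;
"""
```

Run `print(format_report(scan_text(SAMPLE_JS, "src/db/queries.js")))` to see the parameterized query on the second sample line pass while the other two lines are reported as High.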

Common Vulnerability Patterns

Injection Flaws

// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

Cross-Site Scripting (XSS)

// BAD: Direct HTML insertion
element.innerHTML = userInput;

// GOOD: Text content or sanitization
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);

Advanced

For detailed information, see: