Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

hoangnguyen0403/typescript-security

Name: typescript-security
Author: hoangnguyen0403

skills/typescript/typescript-security/SKILL.md

npx skillsauth add hoangnguyen0403/agent-skills-standard typescript-security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

TypeScript Security

Priority: P0 (CRITICAL)

Validate Input at Boundaries

Use Zod, Joi, or class-validator at API boundary. Always parse and validate user-controlled input before using. Use safeParse for error handling without throwing. Return 400 with structured errors on failure.

See references/REFERENCE.md for Zod validation schemas, secure cookie setup, and JWT auth patterns.

Prevent Injection and XSS

Sanitization: Use DOMPurify for HTML sanitization to prevent Cross-Site Scripting (XSS).
SQL Injection: Use Parameterized Queries (e.g., pool.query('... WHERE id = $1', [id])) or Type-safe ORMs (Prisma/TypeORM). Use Prisma.sql for raw queries.
Input Filtering: Sanitize user-controlled input before using it in file paths or OS commands (Command Injection).

Secure Authentication

Use Argon2id for password hashing. Implement JWT (via jsonwebtoken or jose) with HttpOnly and Secure cookies. Use RS256 for public/private key pairs and implement Refresh Token rotation.
Secrets: Store secrets in .env (e.g., JWT_SECRET) or Secret Managers. NEVER commit them to Git.
CORS: Configure CORS with Strict Origin Whitelisting. Avoid origin: '*'.
Encryption: Use crypto (Node.js) or Web Crypto API for sensitive data. Avoid legacy algorithms like MD5/SHA1.

Verification

After typing validation schemas (Zod/joi) or auth guards, call getDiagnostics (typescript-lsp) to confirm type narrowing correct before finalizing.

Anti-Patterns

No dynamic execution: Avoid eval, Function constructor, or string literals as timer callbacks — all execute runtime code and bypass TypeScript's type system.
No shell string interpolation: Never use execSync(\cmd ${userInput}`)or interpolate environment variables / config values intoexecSync/spawnSyncstrings. Shell metacharacters cause **command injection (OWASP A03)**. UseexecFileSync('git', ['arg1', arg2])` with a static command + separate args array instead.
No unvalidated SSRF origins: When a URL comes from env vars or config (e.g., FEEDBACK_API_URL), validate it against an allowed-origin allowlist before calling fetch() / axios.
No Plaintext: Never commit secrets.
No Trust: Validate everything server-side.

References

See references/REFERENCE.md for Zod validation, secure cookie setup, JWT auth, security headers, and RBAC patterns.

hoangnguyen0403/typescript-security

skills/typescript/typescript-security/SKILL.md

Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.

498 stars

development

Updated May 21, 2026

$ install --global

skillsauth

npx skillsauth add hoangnguyen0403/agent-skills-standard typescript-security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 21, 2026, 3:00 AM93.7s1 file scanned

SKILL.md

name:: typescript-security
description:: Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.

TypeScript Security

Priority: P0 (CRITICAL)

Validate Input at Boundaries

Use Zod, Joi, or class-validator at API boundary. Always parse and validate user-controlled input before using. Use safeParse for error handling without throwing. Return 400 with structured errors on failure.

See references/REFERENCE.md for Zod validation schemas, secure cookie setup, and JWT auth patterns.

Prevent Injection and XSS

Sanitization: Use DOMPurify for HTML sanitization to prevent Cross-Site Scripting (XSS).
SQL Injection: Use Parameterized Queries (e.g., pool.query('... WHERE id = $1', [id])) or Type-safe ORMs (Prisma/TypeORM). Use Prisma.sql for raw queries.
Input Filtering: Sanitize user-controlled input before using it in file paths or OS commands (Command Injection).

Secure Authentication

Use Argon2id for password hashing. Implement JWT (via jsonwebtoken or jose) with HttpOnly and Secure cookies. Use RS256 for public/private key pairs and implement Refresh Token rotation.
Secrets: Store secrets in .env (e.g., JWT_SECRET) or Secret Managers. NEVER commit them to Git.
CORS: Configure CORS with Strict Origin Whitelisting. Avoid origin: '*'.
Encryption: Use crypto (Node.js) or Web Crypto API for sensitive data. Avoid legacy algorithms like MD5/SHA1.

Verification

After typing validation schemas (Zod/joi) or auth guards, call getDiagnostics (typescript-lsp) to confirm type narrowing correct before finalizing.

Anti-Patterns

No dynamic execution: Avoid eval, Function constructor, or string literals as timer callbacks — all execute runtime code and bypass TypeScript's type system.
No shell string interpolation: Never use execSync(\cmd ${userInput}`)or interpolate environment variables / config values intoexecSync/spawnSyncstrings. Shell metacharacters cause **command injection (OWASP A03)**. UseexecFileSync('git', ['arg1', arg2])` with a static command + separate args array instead.
No unvalidated SSRF origins: When a URL comes from env vars or config (e.g., FEEDBACK_API_URL), validate it against an allowed-origin allowlist before calling fetch() / axios.
No Plaintext: Never commit secrets.
No Trust: Validate everything server-side.

References

See references/REFERENCE.md for Zod validation, secure cookie setup, JWT auth, security headers, and RBAC patterns.

Related Skills

hoangnguyen0403/specialist-pr-reviewer

development

VerifiedTrustedCommunity

Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.

498SKILL.mdUpdated May 23, 2026

hoangnguyen0403/specialist-pr-reviewer

hoangnguyen0403/typescript-tooling

tools

VerifiedTrustedCommunity

Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-tooling

hoangnguyen0403/typescript-language

development

VerifiedTrustedCommunity

Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-language

hoangnguyen0403/typescript-best-practices

development

VerifiedTrustedCommunity

Write idiomatic TypeScript patterns for clean, maintainable code. Use when writing or refactoring TypeScript classes, functions, modules, or async logic.

498SKILL.mdUpdated May 21, 2026

hoangnguyen0403/typescript-best-practices

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/hoangnguyen0403/agent-skills-standard.git

# Copy into Claude Code skills folder (global)
cp -r agent-skills-standard/skills/typescript/typescript-security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

hoangnguyen0403/agent-skills-standard

498 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT