Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

lazygophers/plugins/languages/javascript/skills/security

Name: plugins/languages/javascript/skills/security
Author: lazygophers

plugins/languages/javascript/skills/security/SKILL.md

npx skillsauth add lazygophers/ccplugin plugins/languages/javascript/skills/security

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

JavaScript Web 安全规范

适用 Agents

| Agent | 说明 | | ----- | ---- | | dev | JavaScript 开发专家 | | debug | JavaScript 调试专家 |

XSS 防护

// DOMPurify 清理 HTML（必须用于任何用户输入的 HTML）
import DOMPurify from 'dompurify';

const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;

// textContent 替代 innerHTML（纯文本场景）
element.textContent = userInput; // 自动转义

// React 自动转义（安全）
<div>{userInput}</div>

// React dangerouslySetInnerHTML（必须先清理）
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />

// 禁止：直接设置用户输入
element.innerHTML = userInput; // XSS 漏洞

Zod 运行时验证

import { z } from 'zod';

// API 响应验证
const UserSchema = z.object({
  id: z.string().uuid(),
  name: z.string().min(1).max(100),
  email: z.string().email(),
  role: z.enum(['admin', 'user', 'guest']),
});

async function fetchUser(id) {
  const response = await fetch(`/api/users/${id}`);
  const data = await response.json();
  return UserSchema.parse(data); // 运行时验证，无效数据抛出异常
}

// 表单输入验证
const LoginSchema = z.object({
  email: z.string().email('Invalid email'),
  password: z.string().min(8, 'At least 8 characters'),
});

function handleSubmit(formData) {
  const result = LoginSchema.safeParse(formData);
  if (!result.success) {
    return { errors: result.error.flatten().fieldErrors };
  }
  return login(result.data);
}

// 环境变量验证
const EnvSchema = z.object({
  API_URL: z.string().url(),
  API_KEY: z.string().min(1),
  NODE_ENV: z.enum(['development', 'production', 'test']),
});

const env = EnvSchema.parse(process.env);

CSP（Content Security Policy）

// HTTP 头配置（推荐）
// Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

// Meta 标签配置
<meta http-equiv="Content-Security-Policy" content="
  default-src 'self';
  script-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' https://api.example.com;
  font-src 'self' https://fonts.gstatic.com;
">

// Vite 开发服务器 CSP
// vite.config.js
export default {
  server: {
    headers: {
      'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval';"
    }
  }
};

CORS 配置

// Vite 代理（开发环境）
export default {
  server: {
    proxy: {
      '/api': {
        target: 'https://api.example.com',
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/api/, ''),
      }
    }
  }
};

// Express CORS 配置（生产环境）
import cors from 'cors';

app.use(cors({
  origin: ['https://example.com', 'https://app.example.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true,
  maxAge: 86400, // 预检请求缓存 24h
}));

依赖安全审计

# pnpm 安全审计
pnpm audit
pnpm audit --fix

# npm 安全审计
npm audit
npm audit fix

# 自动化：CI 中集成审计
# .github/workflows/audit.yml
# - run: pnpm audit --audit-level=high

其他安全实践

// CSRF 防护：SameSite Cookie
document.cookie = 'session=abc; SameSite=Strict; Secure; HttpOnly';

// 敏感数据不存 localStorage
// 使用 httpOnly cookie 存储 token

// URL 参数验证
const url = new URL(userProvidedUrl);
if (!['http:', 'https:'].includes(url.protocol)) {
  throw new Error('Invalid protocol');
}

// 避免 eval 和 Function 构造器
// eval(userInput); // 禁止
// new Function(userInput); // 禁止

Red Flags

| 现象 | 问题 | 严重程度 | |------|------|---------| | innerHTML = userInput | XSS 漏洞 | 高 | | 无 Zod 验证 API 响应 | 不可信数据直接使用 | 高 | | 无 CSP 头 | 缺少内容安全策略 | 中 | | eval() / new Function() | 代码注入风险 | 高 | | token 存 localStorage | 应使用 httpOnly cookie | 中 | | 无 CORS 限制 | origin: '*' 允许任意来源 | 中 | | 无依赖审计 | 可能包含已知漏洞 | 中 |

检查清单

[ ] 使用 DOMPurify 清理所有用户提供的 HTML
[ ] Zod 验证 API 响应、表单输入、环境变量
[ ] 配置 CSP 头限制资源加载
[ ] 配置 CORS 限制跨域请求来源
[ ] 无 eval() 或 new Function()
[ ] 敏感数据使用 httpOnly cookie
[ ] CI 集成 pnpm audit 依赖审计
[ ] URL 参数验证 protocol

lazygophers/plugins/languages/javascript/skills/security

plugins/languages/javascript/skills/security/SKILL.md

JavaScript Web安全规范：XSS跨站脚本防护、CSP内容安全策略、CORS跨域配置、Zod运行时输入验证、npm依赖安全审计。处理安全漏洞修复、输入校验、权限控制、安全加固时加载。

3 stars

tools

Updated Apr 25, 2026

$ install --global

skillsauth

npx skillsauth add lazygophers/ccplugin plugins/languages/javascript/skills/security

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 25, 2026, 11:46 AM12.7s1 file scanned

SKILL.md

description:: JavaScript Web安全规范：XSS跨站脚本防护、CSP内容安全策略、CORS跨域配置、Zod运行时输入验证、npm依赖安全审计。处理安全漏洞修复、输入校验、权限控制、安全加固时加载。
user-invocable:: true
context:: fork
model:: sonnet
memory:: project

JavaScript Web 安全规范

适用 Agents

| Agent | 说明 | | ----- | ---- | | dev | JavaScript 开发专家 | | debug | JavaScript 调试专家 |

XSS 防护

// DOMPurify 清理 HTML（必须用于任何用户输入的 HTML）
import DOMPurify from 'dompurify';

const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;

// textContent 替代 innerHTML（纯文本场景）
element.textContent = userInput; // 自动转义

// React 自动转义（安全）
<div>{userInput}</div>

// React dangerouslySetInnerHTML（必须先清理）
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />

// 禁止：直接设置用户输入
element.innerHTML = userInput; // XSS 漏洞

Zod 运行时验证

import { z } from 'zod';

// API 响应验证
const UserSchema = z.object({
  id: z.string().uuid(),
  name: z.string().min(1).max(100),
  email: z.string().email(),
  role: z.enum(['admin', 'user', 'guest']),
});

async function fetchUser(id) {
  const response = await fetch(`/api/users/${id}`);
  const data = await response.json();
  return UserSchema.parse(data); // 运行时验证，无效数据抛出异常
}

// 表单输入验证
const LoginSchema = z.object({
  email: z.string().email('Invalid email'),
  password: z.string().min(8, 'At least 8 characters'),
});

function handleSubmit(formData) {
  const result = LoginSchema.safeParse(formData);
  if (!result.success) {
    return { errors: result.error.flatten().fieldErrors };
  }
  return login(result.data);
}

// 环境变量验证
const EnvSchema = z.object({
  API_URL: z.string().url(),
  API_KEY: z.string().min(1),
  NODE_ENV: z.enum(['development', 'production', 'test']),
});

const env = EnvSchema.parse(process.env);

CSP（Content Security Policy）

// HTTP 头配置（推荐）
// Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

// Meta 标签配置
<meta http-equiv="Content-Security-Policy" content="
  default-src 'self';
  script-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' https://api.example.com;
  font-src 'self' https://fonts.gstatic.com;
">

// Vite 开发服务器 CSP
// vite.config.js
export default {
  server: {
    headers: {
      'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval';"
    }
  }
};

CORS 配置

// Vite 代理（开发环境）
export default {
  server: {
    proxy: {
      '/api': {
        target: 'https://api.example.com',
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/api/, ''),
      }
    }
  }
};

// Express CORS 配置（生产环境）
import cors from 'cors';

app.use(cors({
  origin: ['https://example.com', 'https://app.example.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true,
  maxAge: 86400, // 预检请求缓存 24h
}));

依赖安全审计

# pnpm 安全审计
pnpm audit
pnpm audit --fix

# npm 安全审计
npm audit
npm audit fix

# 自动化：CI 中集成审计
# .github/workflows/audit.yml
# - run: pnpm audit --audit-level=high

其他安全实践

// CSRF 防护：SameSite Cookie
document.cookie = 'session=abc; SameSite=Strict; Secure; HttpOnly';

// 敏感数据不存 localStorage
// 使用 httpOnly cookie 存储 token

// URL 参数验证
const url = new URL(userProvidedUrl);
if (!['http:', 'https:'].includes(url.protocol)) {
  throw new Error('Invalid protocol');
}

// 避免 eval 和 Function 构造器
// eval(userInput); // 禁止
// new Function(userInput); // 禁止

Red Flags

检查清单

[ ] 使用 DOMPurify 清理所有用户提供的 HTML
[ ] Zod 验证 API 响应、表单输入、环境变量
[ ] 配置 CSP 头限制资源加载
[ ] 配置 CORS 限制跨域请求来源
[ ] 无 eval() 或 new Function()
[ ] 敏感数据使用 httpOnly cookie
[ ] CI 集成 pnpm audit 依赖审计
[ ] URL 参数验证 protocol

Related Skills

lazygophers/golang-db

development

VerifiedTrustedCommunity

Go 数据库规范——GORM Model 命名 ModelXxx、表名单数、枚举 uint8 + 常量、索引 idx_ 前缀 + deleted_at leading column、禁 time.Time 统一 int64 unix、禁指针/nullable 字段、TEXT/BLOB/JSON 禁 default、AutoMigrate 禁改主键。设计 DB model、写 GORM tag、建索引、做 migration 审查时触发。

4SKILL.mdUpdated Jun 5, 2026

lazygophers/golang-db

lazygophers/golang-api

development

VerifiedTrustedCommunity

Go HTTP API 规范——响应始终 200 + body code 字段、路由 /api/* 全 POST 单段 <Action><Model>、中间件逐路由注册禁 Group(prefix,mw...)、handler 仅返回 (rsp,error)、认证走 header。设计 HTTP API、写路由/handler/中间件时触发。

4SKILL.mdUpdated Jun 5, 2026

lazygophers/golang-api

lazygophers/golang-structure

development

VerifiedTrustedCommunity

Go 项目结构规范——三层架构（API → Impl → State）、全局状态模式、internal/ 私有包、cmd/ 仅 main.go、go.work 多模块、禁止 Repository 接口和 DI 容器、struct 公共字段开头全 omitempty、handler var rsp 顶声明、禁 legacy migration。设计项目骨架、新建目录、组织包、做架构评审时触发。

4SKILL.mdUpdated Apr 24, 2026

lazygophers/golang-structure

lazygophers/golang-naming

development

VerifiedTrustedCommunity

Go 命名规范——Id/Uid 字段（非 ID）、IsActive/HasMFA 布尔前缀、CreatedAt 时间字段、接收者统一用 p、包名全小写无下划线、泛型类型参数描述性命名、集合字段 xxx_list 禁 xxxs 复数、Enum 0 值 XxxNil 禁 Unknown、禁 Status 统一 State、Set/Update 语义区分。定义结构体字段、函数、变量、包、接收者名、泛型、枚举时触发。

4SKILL.mdUpdated Apr 24, 2026

lazygophers/golang-naming

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/lazygophers/ccplugin.git

# Copy into Claude Code skills folder (global)
cp -r ccplugin/plugins/languages/javascript/skills/security ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

lazygophers/ccplugin

3 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

lazygophers/plugins/languages/javascript/skills/security

$ install --global

Security Scan Results

SKILL.md

JavaScript Web 安全规范

适用 Agents

相关 Skills

XSS 防护

Zod 运行时验证

CSP（Content Security Policy）

CORS 配置

依赖安全审计

其他安全实践

Red Flags

检查清单

Related Skills

lazygophers/golang-db

lazygophers/golang-api

lazygophers/golang-structure

lazygophers/golang-naming

lazygophers/plugins/languages/javascript/skills/security

$ install --global

Security Scan Results

SKILL.md

JavaScript Web 安全规范

适用 Agents

相关 Skills

XSS 防护

Zod 运行时验证

CSP（Content Security Policy）

CORS 配置

依赖安全审计

其他安全实践

Red Flags

检查清单

Related Skills

lazygophers/golang-db

lazygophers/golang-api

lazygophers/golang-structure

lazygophers/golang-naming