security-review-advanced

Security anti-patterns — localStorage token storage (XSS risk), trusting client-side authorization checks, reflecting full error details to clients, blacklist vs whitelist input validation, using npm install instead of npm ci in CI pipelines.

8 stars

Best use case

security-review-advanced is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Security anti-patterns — localStorage token storage (XSS risk), trusting client-side authorization checks, reflecting full error details to clients, blacklist vs whitelist input validation, using npm install instead of npm ci in CI pipelines.

Teams using security-review-advanced should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-review-advanced/SKILL.md --create-dirs "https://raw.githubusercontent.com/marvinrichter/clarc/main/skills/security-review-advanced/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-review-advanced/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-review-advanced Compares

Feature / Agentsecurity-review-advancedStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Security anti-patterns — localStorage token storage (XSS risk), trusting client-side authorization checks, reflecting full error details to clients, blacklist vs whitelist input validation, using npm install instead of npm ci in CI pipelines.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Review — Anti-Patterns

This skill extends `security-review` with common security mistakes and how to fix them. Load `security-review` first.

## When to Activate

- JWT or session tokens stored in `localStorage` (XSS risk)
- API endpoints rely on frontend UI hiding buttons instead of server-side permission checks
- Error handlers return `error.stack` or raw database error messages to clients
- Input validation uses `replace()` to strip known bad strings (blacklist pattern)
- CI pipelines use `npm install` instead of `npm ci`

---

## Anti-Patterns

### Storing Tokens in localStorage

**Wrong:**

```typescript
// XSS can steal the token from any script on the page
localStorage.setItem('access_token', token);
const token = localStorage.getItem('access_token');
fetch('/api/data', { headers: { Authorization: `Bearer ${token}` } });
```

**Correct:**

```typescript
// Store refresh token in httpOnly cookie — JS cannot read it
res.cookie('refresh_token', refreshToken, { httpOnly: true, secure: true, sameSite: 'strict' });
// Store access token in memory only (lost on page refresh — that's fine)
let accessToken = responseBody.access_token;
```

**Why:** `localStorage` is accessible to any JavaScript on the page, making tokens trivially stealable via XSS.

---

### Trusting Client-Side Authorization Checks

**Wrong:**

```typescript
// Frontend hides the "Delete" button for non-admins — but the API accepts the request anyway
app.delete('/api/orders/:id', async (req, res) => {
  await db.orders.delete({ where: { id: req.params.id } });
  res.json({ success: true });
});
```

**Correct:**

```typescript
app.delete('/api/orders/:id', requireAuth, requirePermission('orders:delete'), async (req, res) => {
  await db.orders.delete({ where: { id: req.params.id } });
  res.json({ success: true });
});
```

**Why:** Attackers call APIs directly — hiding UI elements is not access control.

---

### Reflecting Full Error Details to the Client

**Wrong:**

```typescript
catch (error) {
  res.status(500).json({ error: error.message, stack: error.stack, query: error.query });
}
```

**Correct:**

```typescript
catch (error) {
  logger.error('Unhandled error', { error, userId: req.user?.id });
  res.status(500).json({ error: 'An unexpected error occurred. Please try again.' });
}
```

**Why:** Stack traces and raw DB error messages reveal internal structure that attackers use to craft targeted exploits.

---

### Using Blacklist Validation Instead of Whitelist

**Wrong:**

```typescript
// Blocks known bad values — attackers find variants
function sanitizeInput(input: string) {
  return input.replace(/<script>/gi, '').replace(/javascript:/gi, '');
}
```

**Correct:**

```typescript
import { z } from 'zod';
// Define exactly what is allowed — everything else is rejected
const schema = z.object({
  username: z.string().regex(/^[a-zA-Z0-9_]{3,30}$/),
  bio: z.string().max(500),
});
```

**Why:** Blacklists are always incomplete; whitelists define a finite safe set and reject everything outside it.

---

### Using `npm install` in CI Pipelines

**Wrong:**

```yaml
# Can silently upgrade dependencies, introducing unvetted changes
- run: npm install
```

**Correct:**

```yaml
# Installs exactly what's in the lock file — fails if lock file is out of sync
- run: npm ci
```

**Why:** `npm install` can update the lock file mid-CI run, making builds non-reproducible and bypassing dependency review.

---

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Next.js Security](https://nextjs.org/docs/security)
- [Supabase Security](https://supabase.com/docs/guides/auth)
- [Web Security Academy](https://portswigger.net/web-security)

**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.

## Reference

- `security-review` — OWASP Top 10, secrets management, SQL injection, XSS, CSRF, input validation checklist
- `auth-patterns` — JWT, OAuth 2.0, RBAC, session management
- `gdpr-privacy` — PII classification, retention patterns, RTBF implementation

Related Skills

typescript-patterns-advanced

8
from marvinrichter/clarc

Advanced TypeScript — mapped types, template literal types, conditional types, infer, type guards, decorators, async patterns, testing with Vitest/Jest, and performance. Extends typescript-patterns.

tdd-workflow-advanced

8
from marvinrichter/clarc

TDD anti-patterns — writing code before tests, testing implementation details instead of behavior, using waitForTimeout as a sync strategy, chaining tests that share state, mocking the system under test instead of its dependencies.

swift-patterns-advanced

8
from marvinrichter/clarc

Advanced Swift patterns — property wrappers, result builders, Combine basics, opaque & existential types, macro system, advanced generics, and performance optimization. Extends swift-patterns.

supply-chain-security

8
from marvinrichter/clarc

Software supply chain security: SBOM generation (CycloneDX/SPDX with syft/grype), SLSA framework levels, Sigstore/cosign artifact signing, dependency hash pinning, reproducible builds, VEX documents, and SSDF compliance.

springboot-security

8
from marvinrichter/clarc

Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.

serverless-patterns-advanced

8
from marvinrichter/clarc

Advanced Serverless patterns — Lambda idempotency (Lambda Powertools + DynamoDB persistence layer), Lambda cost model (pricing formula, break-even vs containers), and CloudWatch Insights observability queries for cold starts, duration, and errors.

security-scan

8
from marvinrichter/clarc

Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

security-review-web3

8
from marvinrichter/clarc

Security patterns for Web3 and blockchain applications — Solana wallet signature verification, transaction validation, smart contract interaction security, and checklist for DeFi/NFT features.

rust-testing-advanced

8
from marvinrichter/clarc

Advanced Rust testing anti-patterns and corrections — cfg(test) placement, expect() over unwrap(), mockall expectation ordering, executor mixing (#[tokio::test] vs block_on), PgPool isolation with

rust-patterns-advanced

8
from marvinrichter/clarc

Advanced Rust patterns — zero-cost abstractions, proc macros, unsafe FFI, WASM, Axum web architecture, trait objects vs generics, and performance profiling.

python-testing-advanced

8
from marvinrichter/clarc

Advanced Python testing — async testing with pytest-asyncio, exception/side-effect testing, test organization, common patterns (API, database, class methods), pytest configuration, and CLI reference. Extends python-testing.

python-patterns-advanced

8
from marvinrichter/clarc

Advanced Python patterns — concurrency (threading, multiprocessing, async/await), hexagonal architecture with FastAPI, RFC 7807 error handling, memory optimization, pyproject.toml tooling, and anti-patterns. Extends python-patterns.