security-review-advanced
Security anti-patterns — localStorage token storage (XSS risk), trusting client-side authorization checks, reflecting full error details to clients, blacklist vs whitelist input validation, using npm install instead of npm ci in CI pipelines.
Best use case
security-review-advanced is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using security-review-advanced should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/security-review-advanced/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How security-review-advanced Compares
| Feature / Agent | security-review-advanced | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security anti-patterns — localStorage token storage (XSS risk), trusting client-side authorization checks, reflecting full error details to clients, blacklist vs whitelist input validation, using npm install instead of npm ci in CI pipelines.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Review — Anti-Patterns
This skill extends `security-review` with common security mistakes and how to fix them. Load `security-review` first.
## When to Activate
- JWT or session tokens stored in `localStorage` (XSS risk)
- API endpoints rely on frontend UI hiding buttons instead of server-side permission checks
- Error handlers return `error.stack` or raw database error messages to clients
- Input validation uses `replace()` to strip known bad strings (blacklist pattern)
- CI pipelines use `npm install` instead of `npm ci`
---
## Anti-Patterns
### Storing Tokens in localStorage
**Wrong:**
```typescript
// XSS can steal the token from any script on the page
localStorage.setItem('access_token', responseBody.access_token);
const token = localStorage.getItem('access_token');
fetch('/api/data', { headers: { Authorization: `Bearer ${token}` } });
```
**Correct:**
```typescript
// Server: send the refresh token in an httpOnly cookie — JS cannot read it
res.cookie('refresh_token', refreshToken, { httpOnly: true, secure: true, sameSite: 'strict' });
// Client: keep the access token in memory only (lost on page refresh — that's fine)
let accessToken = responseBody.access_token;
```
**Why:** `localStorage` is accessible to any JavaScript on the page, making tokens trivially stealable via XSS.
---
### Trusting Client-Side Authorization Checks
**Wrong:**
```typescript
// Frontend hides the "Delete" button for non-admins — but the API accepts the request anyway
app.delete('/api/orders/:id', async (req, res) => {
  await db.orders.delete({ where: { id: req.params.id } });
  res.json({ success: true });
});
```
**Correct:**
```typescript
app.delete('/api/orders/:id', requireAuth, requirePermission('orders:delete'), async (req, res) => {
  await db.orders.delete({ where: { id: req.params.id } });
  res.json({ success: true });
});
```
**Why:** Attackers call APIs directly — hiding UI elements is not access control.
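The `requireAuth` and `requirePermission` guards used above are not defined on this page. The following is an added example (not part of the original skill) of deny-by-default versions. The `Req`/`Res` types are minimal stand-ins for Express's, and the role table and `runChain` helper are assumptions made for illustration.

```typescript
// Added example: deny-by-default permission checks enforced on the server.
// Req/Res stand in for Express's types; the role table is constructed for this sketch.
type Req = { user?: { id: string; role: string } };
type Res = { status(code: number): Res; json(body: unknown): Res };
type Middleware = (req: Req, res: Res, next: () => void) => void;

// Explicit grants only: a role absent from this table has no permissions.
const ROLE_PERMISSIONS: Record<string, readonly string[]> = {
  admin: ['orders:read', 'orders:delete'],
  customer: ['orders:read'],
};

// 401 when the session/JWT layer attached no authenticated user.
const requireAuth: Middleware = (req, res, next) => {
  if (!req.user) {
    res.status(401).json({ error: 'Authentication required' });
    return;
  }
  next();
};

// 403 unless the caller's role explicitly grants `permission`.
function requirePermission(permission: string): Middleware {
  return (req, res, next) => {
    const role = req.user ? req.user.role : '';
    // Own-property check so a role named "constructor" cannot match Object.prototype.
    const known = Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, role);
    const granted = known ? ROLE_PERMISSIONS[role] : [];
    if (granted.indexOf(permission) === -1) {
      res.status(403).json({ error: 'Forbidden' });
      return;
    }
    next();
  };
}

// Runs a guard chain against a recording response, the way a direct API call would hit it.
function runChain(chain: Middleware[], req: Req) {
  const result = { status: 200, body: null as unknown, reachedHandler: false };
  const res: Res = {
    status(code) { result.status = code; return res; },
    json(body) { result.body = body; return res; },
  };
  const step = (i: number): void => {
    if (i === chain.length) { result.reachedHandler = true; return; }
    chain[i](req, res, () => step(i + 1));
  };
  step(0);
  return result;
}
const deleteOrderGuards = [requireAuth, requirePermission('orders:delete')];
```

`runChain(deleteOrderGuards, req)` reports whether the delete handler would have been reached for a given caller, which makes the guard order easy to unit test without starting a server.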
---
### Reflecting Full Error Details to the Client
**Wrong:**
```typescript
try {
  // ... handler logic that may throw ...
} catch (error) {
  res.status(500).json({ error: error.message, stack: error.stack, query: error.query });
}
```
**Correct:**
```typescript
try {
  // ... handler logic that may throw ...
} catch (error) {
  logger.error('Unhandled error', { error, userId: req.user?.id });
  res.status(500).json({ error: 'An unexpected error occurred. Please try again.' });
}
```
**Why:** Stack traces and raw DB error messages reveal internal structure that attackers use to craft targeted exploits.
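A generic 500 body is only useful if the hidden detail can still be found in the logs. The following is an added example (not part of the original skill) that logs the full error under a request ID and returns only that ID plus a generic message. `requestId`, `LogEntry`, `publicError` and `toClientError` are hypothetical names introduced for illustration.

```typescript
// Added example: full error detail goes to the server log, a generic body to the client.
// requestId, LogEntry and publicError() are assumptions of this sketch.
type LogEntry = { requestId: string; message: string; stack?: string };
type ClientError = { status: number; body: { error: string; requestId: string } };
type PublicError = { isPublic: true; status: number; message: string };

// Marks an error whose message was written for end users (e.g. "Order not found").
function publicError(status: number, message: string): PublicError {
  return { isPublic: true, status, message };
}

function isPublicError(e: unknown): e is PublicError {
  if (typeof e !== 'object' || e === null) return false;
  const candidate = e as PublicError;
  return candidate.isPublic === true
    && typeof candidate.status === 'number'
    && typeof candidate.message === 'string';
}

// Maps any thrown value to what the client may see; everything else is logged only.
function toClientError(
  error: unknown,
  requestId: string,
  log: (entry: LogEntry) => void,
): ClientError {
  if (isPublicError(error)) {
    return { status: error.status, body: { error: error.message, requestId } };
  }
  log({
    requestId,
    message: error instanceof Error ? error.message : String(error),
    stack: error instanceof Error ? error.stack : undefined,
  });
  return {
    status: 500,
    body: { error: 'An unexpected error occurred. Please try again.', requestId },
  };
}
```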
---
### Using Blacklist Validation Instead of Whitelist
**Wrong:**
```typescript
// Blocks known bad values — attackers find variants
function sanitizeInput(input: string) {
  return input.replace(/<script>/gi, '').replace(/javascript:/gi, '');
}
```
**Correct:**
```typescript
import { z } from 'zod';
// Define exactly what is allowed — everything else is rejected
const schema = z.object({
  username: z.string().regex(/^[a-zA-Z0-9_]{3,30}$/),
  bio: z.string().max(500),
});
```
**Why:** Blacklists are always incomplete; whitelists define a finite safe set and reject everything outside it.
---
### Using `npm install` in CI Pipelines
**Wrong:**
```yaml
# Can silently upgrade dependencies, introducing unvetted changes
- run: npm install
```
**Correct:**
```yaml
# Installs exactly what's in the lock file — fails if lock file is out of sync
- run: npm ci
```
**Why:** `npm install` can update the lock file mid-CI run, making builds non-reproducible and bypassing dependency review.
---
## Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Next.js Security](https://nextjs.org/docs/security)
- [Supabase Security](https://supabase.com/docs/guides/auth)
- [Web Security Academy](https://portswigger.net/web-security)
**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.
## Reference
- `security-review` — OWASP Top 10, secrets management, SQL injection, XSS, CSRF, input validation checklist
- `auth-patterns` — JWT, OAuth 2.0, RBAC, session management
- `gdpr-privacy` — PII classification, retention patterns, RTBF implementation

Related Skills
typescript-patterns-advanced
Advanced TypeScript — mapped types, template literal types, conditional types, infer, type guards, decorators, async patterns, testing with Vitest/Jest, and performance. Extends typescript-patterns.
tdd-workflow-advanced
TDD anti-patterns — writing code before tests, testing implementation details instead of behavior, using waitForTimeout as a sync strategy, chaining tests that share state, mocking the system under test instead of its dependencies.
swift-patterns-advanced
Advanced Swift patterns — property wrappers, result builders, Combine basics, opaque & existential types, macro system, advanced generics, and performance optimization. Extends swift-patterns.
supply-chain-security
Software supply chain security: SBOM generation (CycloneDX/SPDX with syft/grype), SLSA framework levels, Sigstore/cosign artifact signing, dependency hash pinning, reproducible builds, VEX documents, and SSDF compliance.
springboot-security
Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
serverless-patterns-advanced
Advanced Serverless patterns — Lambda idempotency (Lambda Powertools + DynamoDB persistence layer), Lambda cost model (pricing formula, break-even vs containers), and CloudWatch Insights observability queries for cold starts, duration, and errors.
security-scan
Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.
security-review-web3
Security patterns for Web3 and blockchain applications — Solana wallet signature verification, transaction validation, smart contract interaction security, and checklist for DeFi/NFT features.
rust-testing-advanced
Advanced Rust testing anti-patterns and corrections — cfg(test) placement, expect() over unwrap(), mockall expectation ordering, executor mixing (#[tokio::test] vs block_on), PgPool isolation with
rust-patterns-advanced
Advanced Rust patterns — zero-cost abstractions, proc macros, unsafe FFI, WASM, Axum web architecture, trait objects vs generics, and performance profiling.
python-testing-advanced
Advanced Python testing — async testing with pytest-asyncio, exception/side-effect testing, test organization, common patterns (API, database, class methods), pytest configuration, and CLI reference. Extends python-testing.
python-patterns-advanced
Advanced Python patterns — concurrency (threading, multiprocessing, async/await), hexagonal architecture with FastAPI, RFC 7807 error handling, memory optimization, pyproject.toml tooling, and anti-patterns. Extends python-patterns.