How do I install frontend-security?

Run `npx skills add https://github.com/schalkneethling/webdev-agent-skills --skill frontend-security` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does frontend-security support?

frontend-security works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is frontend-security free to use?

Yes. frontend-security is free to install and use. It is available from the open explainx.ai skill registry published by schalkneethling.

Where can I read ratings and reviews for frontend-security?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Frontend

frontend-security▌

schalkneethling/webdev-agent-skills · updated Apr 8, 2026

$npx skills add https://github.com/schalkneethling/webdev-agent-skills --skill frontend-security

summary

Perform comprehensive security audits of frontend codebases to identify vulnerabilities, bad practices, and missing protections.

skill.md

Frontend Security Audit Skill

Perform comprehensive security audits of frontend codebases to identify vulnerabilities, bad practices, and missing protections.

Audit Process

Scan for dangerous patterns - Search codebase for known vulnerability indicators
Review framework-specific risks - Check for framework security bypass patterns
Validate defensive measures - Verify CSP, CSRF tokens, input validation
Check dependencies - Review npm/node dependencies for vulnerabilities
Report findings - Categorize by severity with remediation guidance

Critical Vulnerability Patterns to Search

XSS Indicators (Search Priority: HIGH)

# React dangerous patterns
grep -rn "dangerouslySetInnerHTML" --include="*.jsx" --include="*.tsx" --include="*.js"

# Direct DOM manipulation
grep -rn "\.innerHTML\s*=" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx"
grep -rn "\.outerHTML\s*=" --include="*.js" --include="*.ts"
grep -rn "document\.write" --include="*.js" --include="*.ts"

# URL-based injection
grep -rn "location\.href\s*=" --include="*.js" --include="*.ts"
grep -rn "location\.replace" --include="*.js" --include="*.ts"
grep -rn "window\.open" --include="*.js" --include="*.ts"

# Eval and code execution
grep -rn "eval\s*(" --include="*.js" --include="*.ts"
grep -rn "new Function\s*(" --include="*.js" --include="*.ts"
grep -rn "setTimeout\s*(\s*['\"]" --include="*.js" --include="*.ts"
grep -rn "setInterval\s*(\s*['\"]" --include="*.js" --include="*.ts"

# Twig unescaped output
grep -rn "|raw" --include="*.twig" --include="*.html.twig"
grep -rn "{% autoescape false %}" --include="*.twig"

CSRF Indicators

# Forms without CSRF tokens
grep -rn "<form" --include="*.html" --include="*.jsx" --include="*.tsx" --include="*.twig"

# State-changing requests without protection
grep -rn "fetch\s*(" --include="*.js" --include="*.ts" | grep -E "(POST|PUT|DELETE|PATCH)"
grep -rn "axios\.(post|put|delete|patch)" --include="*.js" --include="*.ts"

Sensitive Data Exposure

# localStorage/sessionStorage with sensitive data
grep -rn "localStorage\." --include="*.js" --include="*.ts"
grep -rn "sessionStorage\." --include="*.js" --include="*.ts"

# Hardcoded secrets
grep -rn "api[_-]?key\s*[:=]" --include="*.js" --include="*.ts" --include="*.env"
grep -rn "secret\s*[:=]" --include="*.js" --include="*.ts"
grep -rn "password\s*[:=]" --include="*.js" --include="*.ts"

Reference Documentation

Load these references based on findings:

XSS vulnerabilities found: See references/xss-prevention.md
CSRF concerns: See references/csrf-protection.md
DOM manipulation issues: See references/dom-security.md
CSP review needed: See references/csp-configuration.md
Input handling issues: See references/input-validation.md
Node.js/NPM audit: See references/nodejs-npm-security.md
Framework-specific patterns: See references/framework-patterns.md
File upload handling: See references/file-upload-security.md
JWT implementation: See references/jwt-security.md

Severity Classification

CRITICAL - Exploitable XSS, authentication bypass, secrets exposure HIGH - Missing CSRF protection, unsafe DOM manipulation, SQL injection vectors MEDIUM - Weak CSP, missing security headers, improper input validation LOW - Informational disclosure, deprecated functions, suboptimal practices

Report Format

## Security Audit Report

### Summary
- Critical: X findings
- High: X findings
- Medium: X findings
- Low: X findings

### Critical Findings

#### [CRITICAL-001] Title
- **Location**: file:line
- **Pattern**: Code snippet
- **Risk**: Description of the vulnerability
- **Remediation**: How to fix
- **Reference**: OWASP link

### High Findings
[...]

OWASP Reference Links

For comprehensive guidance, consult these OWASP cheatsheets directly:

XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
DOM XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
CSRF Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
CSP: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
Input Validation: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
HTML5 Security: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html
DOM Clobbering: https://cheatsheetseries.owasp.org/cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.html
Node.js Security: https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html
NPM Security: https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
AJAX Security: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html
File Upload: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
Error Handling: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
JWT Security: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
User Privacy: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html
gRPC Security: https://cheatsheetseries.owasp.org/cheatsheets/gRPC_Security_Cheat_Sheet.html

general reviews

Ratings

4.5★★★★★10 reviews

★★★★★Shikha Mishra· Oct 10, 2024
frontend-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Piyush G· Sep 9, 2024
Keeps context tight: frontend-security is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Chaitanya Patil· Aug 8, 2024
Registry listing for frontend-security matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Sakshi Patil· Jul 7, 2024
frontend-security reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Ganesh Mohane· Jun 6, 2024
I recommend frontend-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Oshnikdeep· May 5, 2024
Useful defaults in frontend-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Dhruvi Jain· Apr 4, 2024
frontend-security has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Rahul Santra· Mar 3, 2024
Solid pick for teams standardizing on skills: frontend-security is focused, and the summary matches what you get after install.
★★★★★Pratham Ware· Feb 2, 2024
We added frontend-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Yash Thakker· Jan 1, 2024
frontend-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.