How do I install frontend-security?

Run `npx skills add https://github.com/schalkneethling/webdev-agent-skills --skill frontend-security` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does frontend-security support?

frontend-security works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is frontend-security free to use?

Yes. frontend-security is free to install and use. It is available from the open explainx.ai skill registry published by schalkneethling.

Where can I read ratings and reviews for frontend-security?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Frontend

frontend-security▌

schalkneethling/webdev-agent-skills · updated Apr 8, 2026

$npx skills add https://github.com/schalkneethling/webdev-agent-skills --skill frontend-security

0 commentsdiscussion

summary

Perform comprehensive security audits of frontend codebases to identify vulnerabilities, bad practices, and missing protections.

skill.md

Frontend Security Audit Skill

Perform comprehensive security audits of frontend codebases to identify vulnerabilities, bad practices, and missing protections.

Audit Process

Scan for dangerous patterns - Search codebase for known vulnerability indicators
Review framework-specific risks - Check for framework security bypass patterns
Validate defensive measures - Verify CSP, CSRF tokens, input validation
Check dependencies - Review npm/node dependencies for vulnerabilities
Report findings - Categorize by severity with remediation guidance

Critical Vulnerability Patterns to Search

XSS Indicators (Search Priority: HIGH)

# React dangerous patterns
grep -rn "dangerouslySetInnerHTML" --include="*.jsx" --include="*.tsx" --include="*.js"

# Direct DOM manipulation
grep -rn "\.innerHTML\s*=" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx"
grep -rn "\.outerHTML\s*=" --include="*.js" --include="*.ts"
grep -rn "document\.write" --include="*.js" --include="*.ts"

# URL-based injection
grep -rn "location\.href\s*=" --include="*.js" --include="*.ts"
grep -rn "location\.replace" --include="*.js" --include="*.ts"
grep -rn "window\.open" --include="*.js" --include="*.ts"

# Eval and code execution
grep -rn "eval\s*(" --include="*.js" --include="*.ts"
grep -rn "new Function\s*(" --include="*.js" --include="*.ts"
grep -rn "setTimeout\s*(\s*['\"]" --include="*.js" --include="*.ts"
grep -rn "setInterval\s*(\s*['\"]" --include="*.js" --include="*.ts"

# Twig unescaped output
grep -rn "|raw" --include="*.twig" --include="*.html.twig"
grep -rn "{% autoescape false %}" --include="*.twig"

CSRF Indicators

# Forms without CSRF tokens
grep -rn "<form" --include="*.html" --include="*.jsx" --include="*.tsx" --include="*.twig"

# State-changing requests without protection
grep -rn "fetch\s*(" --include="*.js" --include="*.ts" | grep -E "(POST|PUT|DELETE|PATCH)"
grep -rn "axios\.(post|put|delete|patch)" --include="*.js" --include="*.ts"

Sensitive Data Exposure

# localStorage/sessionStorage with sensitive data
grep -rn "localStorage\." --include="*.js" --include="*.ts"
grep -rn "sessionStorage\." --include="*.js" --include="*.ts"

# Hardcoded secrets
grep -rn "api[_-]?key\s*[:=]" --include="*.js" --include="*.ts" --include="*.env"
grep -rn "secret\s*[:=]" --include="*.js" --include="*.ts"
grep -rn "password\s*[:=]" --include="*.js" --include="*.ts"

Reference Documentation

Load these references based on findings:

XSS vulnerabilities found: See references/xss-prevention.md
CSRF concerns: See references/csrf-protection.md
DOM manipulation issues: See references/dom-security.md
CSP review needed: See references/csp-configuration.md
Input handling issues: See references/input-validation.md
Node.js/NPM audit: See references/nodejs-npm-security.md
Framework-specific patterns: See references/framework-patterns.md
File upload handling: See references/file-upload-security.md
JWT implementation: See references/jwt-security.md

Severity Classification

CRITICAL - Exploitable XSS, authentication bypass, secrets exposure HIGH - Missing CSRF protection, unsafe DOM manipulation, SQL injection vectors MEDIUM - Weak CSP, missing security headers, improper input validation LOW - Informational disclosure, deprecated functions, suboptimal practices

Report Format

## Security Audit Report

### Summary
- Critical: X findings
- High: X findings
- Medium: X findings
- Low: X findings

### Critical Findings

#### [CRITICAL-001] Title
- **Location**: file:line
- **Pattern**: Code snippet
- **Risk**: Description of the vulnerability
- **Remediation**: How to fix
- **Reference**: OWASP link

### High Findings
[...]

OWASP Reference Links

For comprehensive guidance, consult these OWASP cheatsheets directly:

XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
DOM XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
CSRF Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
CSP: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
Input Validation: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
HTML5 Security: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html
DOM Clobbering: https://cheatsheetseries.owasp.org/cheatsheets/DOM_Clobbering_Prevention_Cheat_Sheet.html
Node.js Security: https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html
NPM Security: https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
AJAX Security: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html
File Upload: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
Error Handling: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
JWT Security: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
User Privacy: https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html
gRPC Security: https://cheatsheetseries.owasp.org/cheatsheets/gRPC_Security_Cheat_Sheet.html

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★40 reviews

★★★★★Henry White· Dec 20, 2024
I recommend frontend-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Kiara Ramirez· Dec 20, 2024
We added frontend-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Kiara Srinivasan· Dec 12, 2024
Keeps context tight: frontend-security is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Olivia Ramirez· Dec 8, 2024
frontend-security has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Ganesh Mohane· Dec 4, 2024
Useful defaults in frontend-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Benjamin Yang· Nov 27, 2024
Useful defaults in frontend-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Rahul Santra· Nov 23, 2024
frontend-security has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Noah Nasser· Nov 11, 2024
Solid pick for teams standardizing on skills: frontend-security is focused, and the summary matches what you get after install.
★★★★★Ama Smith· Nov 3, 2024
Registry listing for frontend-security matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Kiara Iyer· Oct 22, 2024
frontend-security reduced setup friction for our internal harness; good balance of opinion and flexibility.

showing 1-10 of 40

1 / 4