How do I install Frontend Mobile Security Xss Scan?

Install Frontend Mobile Security Xss Scan with a single command: npx mdskills install sickn33/frontend-mobile-security-xss-scan. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Frontend Mobile Security Xss Scan?

Frontend Mobile Security Xss Scan works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Frontend Mobile Security Xss Scan

Name: Frontend Mobile Security Xss Scan: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/frontend-mobile-security-xss-scan

Fork & Edit

Skill Advisor8.0

Comprehensive XSS detection with framework-specific scanning, code examples, and detailed remediation guidance

+Provides framework-specific detection for React, Vue, and Angular with clear patterns
+Includes actionable secure coding examples and remediation guidance for each vulnerability type
+Offers well-structured output with severity classification and CWE mapping
-Requests shell execution and network permissions without clear justification in the instructions

SKILL.md

Edit in Browser

1---
2name: frontend-mobile-security-xss-scan
3description: "You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi"
4---
5 
6# XSS Vulnerability Scanner for Frontend Code
7 
8You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.
9 
10## Use this skill when
11 
12- Working on xss vulnerability scanner for frontend code tasks or workflows
13- Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code
14 
15## Do not use this skill when
16 
17- The task is unrelated to xss vulnerability scanner for frontend code
18- You need a different domain or tool outside this scope
19 
20## Context
21 
22The user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.
23 
24## Requirements
25 
26$ARGUMENTS
27 
28## Instructions
29 
30### 1. XSS Vulnerability Detection
31 
32Scan codebase for XSS vulnerabilities using static analysis:
33 
34```typescript
35interface XSSFinding {
36  file: string;
37  line: number;
38  severity: 'critical' | 'high' | 'medium' | 'low';
39  type: string;
40  vulnerable_code: string;
41  description: string;
42  fix: string;
43  cwe: string;
44}
45 
46class XSSScanner {
47  private vulnerablePatterns = [
48    'innerHTML', 'outerHTML', 'document.write',
49    'insertAdjacentHTML', 'location.href', 'window.open'
50  ];
51 
52  async scanDirectory(path: string): Promise<XSSFinding[]> {
53    const files = await this.findJavaScriptFiles(path);
54    const findings: XSSFinding[] = [];
55 
56    for (const file of files) {
57      const content = await fs.readFile(file, 'utf-8');
58      findings.push(...this.scanFile(file, content));
59    }
60 
61    return findings;
62  }
63 
64  scanFile(filePath: string, content: string): XSSFinding[] {
65    const findings: XSSFinding[] = [];
66 
67    findings.push(...this.detectHTMLManipulation(filePath, content));
68    findings.push(...this.detectReactVulnerabilities(filePath, content));
69    findings.push(...this.detectURLVulnerabilities(filePath, content));
70    findings.push(...this.detectEventHandlerIssues(filePath, content));
71 
72    return findings;
73  }
74 
75  detectHTMLManipulation(file: string, content: string): XSSFinding[] {
76    const findings: XSSFinding[] = [];
77    const lines = content.split('\n');
78 
79    lines.forEach((line, index) => {
80      if (line.includes('innerHTML') && this.hasUserInput(line)) {
81        findings.push({
82          file,
83          line: index + 1,
84          severity: 'critical',
85          type: 'Unsafe HTML manipulation',
86          vulnerable_code: line.trim(),
87          description: 'User-controlled data in HTML manipulation creates XSS risk',
88          fix: 'Use textContent for plain text or sanitize with DOMPurify library',
89          cwe: 'CWE-79'
90        });
91      }
92    });
93 
94    return findings;
95  }
96 
97  detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
98    const findings: XSSFinding[] = [];
99    const lines = content.split('\n');
100 
101    lines.forEach((line, index) => {
102      if (line.includes('dangerously') && !this.hasSanitization(content)) {
103        findings.push({
104          file,
105          line: index + 1,
106          severity: 'high',
107          type: 'React unsafe HTML rendering',
108          vulnerable_code: line.trim(),
109          description: 'Unsanitized HTML in React component creates XSS vulnerability',
110          fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
111          cwe: 'CWE-79'
112        });
113      }
114    });
115 
116    return findings;
117  }
118 
119  detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
120    const findings: XSSFinding[] = [];
121    const lines = content.split('\n');
122 
123    lines.forEach((line, index) => {
124      if (line.includes('location.') && this.hasUserInput(line)) {
125        findings.push({
126          file,
127          line: index + 1,
128          severity: 'high',
129          type: 'URL injection',
130          vulnerable_code: line.trim(),
131          description: 'User input in URL assignment can execute malicious code',
132          fix: 'Validate URLs and enforce http/https protocols only',
133          cwe: 'CWE-79'
134        });
135      }
136    });
137 
138    return findings;
139  }
140 
141  hasUserInput(line: string): boolean {
142    const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
143    return indicators.some(indicator => line.includes(indicator));
144  }
145 
146  hasSanitization(content: string): boolean {
147    return content.includes('DOMPurify') || content.includes('sanitize');
148  }
149}
150```
151 
152### 2. Framework-Specific Detection
153 
154```typescript
155class ReactXSSScanner {
156  scanReactComponent(code: string): XSSFinding[] {
157    const findings: XSSFinding[] = [];
158 
159    // Check for unsafe React patterns
160    const unsafePatterns = [
161      'dangerouslySetInnerHTML',
162      'createMarkup',
163      'rawHtml'
164    ];
165 
166    unsafePatterns.forEach(pattern => {
167      if (code.includes(pattern) && !code.includes('DOMPurify')) {
168        findings.push({
169          severity: 'high',
170          type: 'React XSS risk',
171          description: `Pattern ${pattern} used without sanitization`,
172          fix: 'Apply proper HTML sanitization'
173        });
174      }
175    });
176 
177    return findings;
178  }
179}
180 
181class VueXSSScanner {
182  scanVueTemplate(template: string): XSSFinding[] {
183    const findings: XSSFinding[] = [];
184 
185    if (template.includes('v-html')) {
186      findings.push({
187        severity: 'high',
188        type: 'Vue HTML injection',
189        description: 'v-html directive renders raw HTML',
190        fix: 'Use v-text for plain text or sanitize HTML'
191      });
192    }
193 
194    return findings;
195  }
196}
197```
198 
199### 3. Secure Coding Examples
200 
201```typescript
202class SecureCodingGuide {
203  getSecurePattern(vulnerability: string): string {
204    const patterns = {
205      html_manipulation: `
206// SECURE: Use textContent for plain text
207element.textContent = userInput;
208 
209// SECURE: Sanitize HTML when needed
210import DOMPurify from 'dompurify';
211const clean = DOMPurify.sanitize(userInput);
212element.innerHTML = clean;`,
213 
214      url_handling: `
215// SECURE: Validate and sanitize URLs
216function sanitizeURL(url: string): string {
217  try {
218    const parsed = new URL(url);
219    if (['http:', 'https:'].includes(parsed.protocol)) {
220      return parsed.href;
221    }
222  } catch {}
223  return '#';
224}`,
225 
226      react_rendering: `
227// SECURE: Sanitize before rendering
228import DOMPurify from 'dompurify';
229 
230const Component = ({ html }) => (
231  <div dangerouslySetInnerHTML={{
232    __html: DOMPurify.sanitize(html)
233  }} />
234);`
235    };
236 
237    return patterns[vulnerability] || 'No secure pattern available';
238  }
239}
240```
241 
242### 4. Automated Scanning Integration
243 
244```bash
245# ESLint with security plugin
246npm install --save-dev eslint-plugin-security
247eslint . --plugin security
248 
249# Semgrep for XSS patterns
250semgrep --config=p/xss --json
251 
252# Custom XSS scanner
253node xss-scanner.js --path=src --format=json
254```
255 
256### 5. Report Generation
257 
258```typescript
259class XSSReportGenerator {
260  generateReport(findings: XSSFinding[]): string {
261    const grouped = this.groupBySeverity(findings);
262 
263    let report = '# XSS Vulnerability Scan Report\n\n';
264    report += `Total Findings: ${findings.length}\n\n`;
265 
266    for (const [severity, issues] of Object.entries(grouped)) {
267      report += `## ${severity.toUpperCase()} (${issues.length})\n\n`;
268 
269      for (const issue of issues) {
270        report += `- **${issue.type}**\n`;
271        report += `  File: ${issue.file}:${issue.line}\n`;
272        report += `  Fix: ${issue.fix}\n\n`;
273      }
274    }
275 
276    return report;
277  }
278 
279  groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {
280    return findings.reduce((acc, finding) => {
281      if (!acc[finding.severity]) acc[finding.severity] = [];
282      acc[finding.severity].push(finding);
283      return acc;
284    }, {} as Record<string, XSSFinding[]>);
285  }
286}
287```
288 
289### 6. Prevention Checklist
290 
291**HTML Manipulation**
292- Never use innerHTML with user input
293- Prefer textContent for text content
294- Sanitize with DOMPurify before rendering HTML
295- Avoid document.write entirely
296 
297**URL Handling**
298- Validate all URLs before assignment
299- Block javascript: and data: protocols
300- Use URL constructor for validation
301- Sanitize href attributes
302 
303**Event Handlers**
304- Use addEventListener instead of inline handlers
305- Sanitize all event handler input
306- Avoid string-to-code patterns
307 
308**Framework-Specific**
309- React: Sanitize before using unsafe APIs
310- Vue: Prefer v-text over v-html
311- Angular: Use built-in sanitization
312- Avoid bypassing framework security features
313 
314## Output Format
315 
3161. **Vulnerability Report**: Detailed findings with severity levels
3172. **Risk Analysis**: Impact assessment for each vulnerability
3183. **Fix Recommendations**: Secure code examples
3194. **Sanitization Guide**: DOMPurify usage patterns
3205. **Prevention Checklist**: Best practices for XSS prevention
321 
322Focus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.
323

Full transparency — inspect the skill content before installing.