- Home
- Skills
- Harperaa
- Secure Claude Skills
- Injection Vulnerabilities
injection-vulnerabilities_skill
- JavaScript
4
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill harperaa/secure-claude-skills --skill injection-vulnerabilities- SKILL.md18.4 KB
Overview
This skill explains how AI-generated code commonly introduces SQL injection, command injection, and XSS vulnerabilities, and shows concrete patterns and fixes. It focuses on why models produce insecure code, how to spot vulnerable constructs, and practical mitigations you can apply immediately. Use it to train reviewers, harden AI-assisted code, or audit generated snippets.
How this skill works
The skill inspects common code patterns produced by AI—string interpolation in SQL, exec-style shell calls, and raw HTML interpolation—that create injection channels. It contrasts vulnerable examples with secure alternatives (parameterized queries, spawn/argument arrays, HTML escaping and CSP). It also explains root causes in training data and model simplicity bias so reviewers understand why these flaws recur.
When to use it
- Reviewing or approving AI-generated backend code that builds database queries
- Auditing scripts or endpoints that invoke system commands or external tools
- Securing server-rendered HTML or template generation against user content
- Designing guardrails or prompts for AI assistants to produce safer code
- Training developers or security reviewers on common AI-induced injection patterns
Best practices
- Always use parameterized queries or ORM query builders—never concatenate user input into SQL strings
- Avoid shell evaluation (exec) with user input; prefer spawn/subprocess with argument arrays and validate filenames/parameters
- Sanitize and escape all untrusted content before inserting into HTML; set strict Content-Security-Policy headers
- Apply input validation: type checks, whitelists, length limits, and regex validation for filenames, formats, and IDs
- Treat AI output as untrusted code: add security reviews, automated scanners, and unit tests that exercise malicious inputs
Example use cases
- Fixing an AI-generated user search function to use parameterized queries instead of f-strings
- Rewriting an image-conversion endpoint to validate filenames and use spawn with arguments
- Hardening a comment display page by escaping user fields and adding CSP headers
- Creating prompt templates and linting rules so AI assistants produce secure database and shell code
- Building test cases that simulate SQL/XSS/command payloads to catch regressions
FAQ
Models learn common patterns from training data; many examples and tutorials use convenient but insecure techniques like string interpolation or exec, and the model favors simple, functional code over security-aware alternatives.
Is parameterized queries enough to stop all SQL injection?
Parameterized queries prevent data being treated as code for typical SQL engines, but you should still validate inputs, avoid dynamic identifiers, and use least privilege on database accounts.
When should I use spawn instead of exec?
Use spawn (or subprocess.run with argument arrays) whenever any part of the command comes from user input. exec invokes a shell and allows command chaining, which is unsafe with untrusted data.