injection-vulnerabilities_skill

This skill analyzes AI-generated code to identify and explain injection vulnerabilities such as SQL injection, command injection, and XSS, with secure
  • JavaScript

4

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill injection-vulnerabilities

  • SKILL.md18.4 KB

Overview

This skill explains how AI-generated code commonly introduces SQL injection, command injection, and XSS vulnerabilities, and shows concrete patterns and fixes. It focuses on why models produce insecure code, how to spot vulnerable constructs, and practical mitigations you can apply immediately. Use it to train reviewers, harden AI-assisted code, or audit generated snippets.

How this skill works

The skill inspects common code patterns produced by AI—string interpolation in SQL, exec-style shell calls, and raw HTML interpolation—that create injection channels. It contrasts vulnerable examples with secure alternatives (parameterized queries, spawn/argument arrays, HTML escaping and CSP). It also explains root causes in training data and model simplicity bias so reviewers understand why these flaws recur.

When to use it

  • Reviewing or approving AI-generated backend code that builds database queries
  • Auditing scripts or endpoints that invoke system commands or external tools
  • Securing server-rendered HTML or template generation against user content
  • Designing guardrails or prompts for AI assistants to produce safer code
  • Training developers or security reviewers on common AI-induced injection patterns

Best practices

  • Always use parameterized queries or ORM query builders—never concatenate user input into SQL strings
  • Avoid shell evaluation (exec) with user input; prefer spawn/subprocess with argument arrays and validate filenames/parameters
  • Sanitize and escape all untrusted content before inserting into HTML; set strict Content-Security-Policy headers
  • Apply input validation: type checks, whitelists, length limits, and regex validation for filenames, formats, and IDs
  • Treat AI output as untrusted code: add security reviews, automated scanners, and unit tests that exercise malicious inputs

Example use cases

  • Fixing an AI-generated user search function to use parameterized queries instead of f-strings
  • Rewriting an image-conversion endpoint to validate filenames and use spawn with arguments
  • Hardening a comment display page by escaping user fields and adding CSP headers
  • Creating prompt templates and linting rules so AI assistants produce secure database and shell code
  • Building test cases that simulate SQL/XSS/command payloads to catch regressions

FAQ

Models learn common patterns from training data; many examples and tutorials use convenient but insecure techniques like string interpolation or exec, and the model favors simple, functional code over security-aware alternatives.

Is parameterized queries enough to stop all SQL injection?

Parameterized queries prevent data being treated as code for typical SQL engines, but you should still validate inputs, avoid dynamic identifiers, and use least privilege on database accounts.

When should I use spawn instead of exec?

Use spawn (or subprocess.run with argument arrays) whenever any part of the command comes from user input. exec invokes a shell and allows command chaining, which is unsafe with untrusted data.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
injection-vulnerabilities skill by harperaa/secure-claude-skills | VeilStrat