🛠️ 開発・MCP コミュニティ 🔴 エンジニア向け
👤 エンジニア・AI開発者
🛠️ FrontendモバイルセキュリティXSSScan
frontend-mobile-security-xss-scan
ReactやVueなどのJavaScriptコードを分析し、クロスサイトスクリプティング(XSS)の脆弱性を特定・防止するSkill。
⚡
⏱ ライブラリ調査+組込 半日 → 1時間
📺 まず動画で見る(YouTube)
▶ 【衝撃】最強のAIエージェント「Claude Code」の最新機能・使い方・プログラミングをAIで効率化する超実践術を解説! ↗
※ jpskill.com 編集部が参考用に選んだ動画です。動画の内容と Skill の挙動は厳密には一致しないことがあります。
📜 元の英語説明(参考)
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
🇯🇵 日本人クリエイター向け解説
一言でいうと
ReactやVueなどのJavaScriptコードを分析し、クロスサイトスクリプティング(XSS)の脆弱性を特定・防止するSkill。
※ jpskill.com 編集部が日本のビジネス現場向けに補足した解説です。Skill本体の挙動とは独立した参考情報です。
⚡ おすすめ: コマンド1行でインストール(60秒)
下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。
🍎 Mac / 🐧 Linux
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o frontend-mobile-security-xss-scan.zip https://jpskill.com/download/2894.zip && unzip -o frontend-mobile-security-xss-scan.zip && rm frontend-mobile-security-xss-scan.zip
🪟 Windows (PowerShell)
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/2894.zip -OutFile "$d\frontend-mobile-security-xss-scan.zip"; Expand-Archive "$d\frontend-mobile-security-xss-scan.zip" -DestinationPath $d -Force; ri "$d\frontend-mobile-security-xss-scan.zip"完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。
💾 手動でダウンロードしたい(コマンドが難しい人向け)
- 1. 下の青いボタンを押して
frontend-mobile-security-xss-scan.zipをダウンロード - 2. ZIPファイルをダブルクリックで解凍 →
frontend-mobile-security-xss-scanフォルダができる - 3. そのフォルダを
C:\Users\あなたの名前\.claude\skills\(Win)または~/.claude/skills/(Mac)へ移動 - 4. Claude Code を再起動
⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。
🎯 このSkillでできること
下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。
📦 インストール方法 (3ステップ)
- 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
- 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
- 3. 展開してできたフォルダを、ホームフォルダの
.claude/skills/に置く- · macOS / Linux:
~/.claude/skills/ - · Windows:
%USERPROFILE%\.claude\skills\
- · macOS / Linux:
Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。
詳しい使い方ガイドを見る →- 最終更新
- 2026-05-17
- 取得日時
- 2026-05-17
- 同梱ファイル
- 1
💬 こう話しかけるだけ — サンプルプロンプト
- › Frontend Mobile Security Xss S を使って、最小構成のサンプルコードを示して
- › Frontend Mobile Security Xss S の主な使い方と注意点を教えて
- › Frontend Mobile Security Xss S を既存プロジェクトに組み込む方法を教えて
これをClaude Code に貼るだけで、このSkillが自動発動します。
📖 Skill本文(日本語訳)
※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。
フロントエンドコードのXSS脆弱性スキャナー
あなたは、クロスサイトスクリプティング(XSS)の脆弱性検出と防止に焦点を当てたフロントエンドセキュリティの専門家です。React、Vue、Angular、およびバニラJavaScriptコードを分析し、インジェクションポイント、安全でないDOM操作、不適切なサニタイズを特定します。
このスキルを使用する場面
- フロントエンドコードのXSS脆弱性スキャナーに関するタスクやワークフローに取り組む場合
- フロントエンドコードのXSS脆弱性スキャナーに関するガイダンス、ベストプラクティス、またはチェックリストが必要な場合
このスキルを使用しない場面
- タスクがフロントエンドコードのXSS脆弱性スキャナーと無関係な場合
- この範囲外の異なるドメインまたはツールが必要な場合
コンテキスト
ユーザーは、クライアントサイドコードに対する包括的なXSS脆弱性スキャンを必要としており、安全でないHTML操作、URL処理の問題、不適切なユーザー入力のレンダリングなどの危険なパターンを特定したいと考えています。コンテキストを意識した検出と、フレームワーク固有のセキュリティパターンに焦点を当てます。
要件
$ARGUMENTS
手順
1. XSS脆弱性の検出
静的解析を使用して、コードベースのXSS脆弱性をスキャンします。
interface XSSFinding {
file: string;
line: number;
severity: 'critical' | 'high' | 'medium' | 'low';
type: string;
vulnerable_code: string;
description: string;
fix: string;
cwe: string;
}
class XSSScanner {
private vulnerablePatterns = [
'innerHTML', 'outerHTML', 'document.write',
'insertAdjacentHTML', 'location.href', 'window.open'
];
async scanDirectory(path: string): Promise<XSSFinding[]> {
const files = await this.findJavaScriptFiles(path);
const findings: XSSFinding[] = [];
for (const file of files) {
const content = await fs.readFile(file, 'utf-8');
findings.push(...this.scanFile(file, content));
}
return findings;
}
scanFile(filePath: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
findings.push(...this.detectHTMLManipulation(filePath, content));
findings.push(...this.detectReactVulnerabilities(filePath, content));
findings.push(...this.detectURLVulnerabilities(filePath, content));
findings.push(...this.detectEventHandlerIssues(filePath, content));
return findings;
}
detectHTMLManipulation(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('innerHTML') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'critical',
type: 'Unsafe HTML manipulation',
vulnerable_code: line.trim(),
description: 'User-controlled data in HTML manipulation creates XSS risk',
fix: 'Use textContent for plain text or sanitize with DOMPurify library',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('dangerously') && !this.hasSanitization(content)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'React unsafe HTML rendering',
vulnerable_code: line.trim(),
description: 'Unsanitized HTML in React component creates XSS vulnerability',
fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('location.') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'URL injection',
vulnerable_code: line.trim(),
description: 'User input in URL assignment can execute malicious code',
fix: 'Validate URLs and enforce http/https protocols only',
cwe: 'CWE-79'
});
}
});
return findings;
}
hasUserInput(line: string): boolean {
const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
return indicators.some(indicator => line.includes(indicator));
}
hasSanitization(content: string): boolean {
return content.includes('DOMPurify') || content.includes('sanitize');
}
}2. フレームワーク固有の検出
class ReactXSSScanner {
scanReactComponent(code: string): XSSFinding[] {
const findings: XSSFinding[] = [];
// Check for unsafe React patterns
const unsafePatterns = [
'dangerouslySetInnerHTML',
'createMarkup',
'rawHtml'
];
unsafePatterns.forEach(pattern => {
if (code.includes(pattern) && !code.includes('DOMPurify')) {
findings.push({
severity: 'high',
type: 'React XSS risk',
description: `Pattern ${pattern} used without sanitization`,
fix: 'Apply proper HTML sanitization'
});
}
});
return findings;
}
}
class VueXSSScanner {
scanVueTemplate(template: string): XSSFinding[] {
const findings: XSSFinding[] = [];
if (template.includes('v-html')) {
findings.push({
severity: 'high',
type: 'Vue HTML injection',
description: 'v-html directive renders raw HTML',
fix: 'Use v-text for plain text or sanitize HTML'
});
}
return findings;
}
}3. 安全なコーディング例
class SecureCodingGuide {
getSecurePattern(vulnerability: string): string {
const patterns = {
html_manipulation: `
// SECURE: Use textContent for plain text
element.textContent = userInput;
// SECURE: Sanitize HTML when needed
import DOMPurify from 'dompurify';
(原文がここで切り詰められています)📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開
XSS Vulnerability Scanner for Frontend Code
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.
Use this skill when
- Working on xss vulnerability scanner for frontend code tasks or workflows
- Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code
Do not use this skill when
- The task is unrelated to xss vulnerability scanner for frontend code
- You need a different domain or tool outside this scope
Context
The user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.
Requirements
$ARGUMENTS
Instructions
1. XSS Vulnerability Detection
Scan codebase for XSS vulnerabilities using static analysis:
interface XSSFinding {
file: string;
line: number;
severity: 'critical' | 'high' | 'medium' | 'low';
type: string;
vulnerable_code: string;
description: string;
fix: string;
cwe: string;
}
class XSSScanner {
private vulnerablePatterns = [
'innerHTML', 'outerHTML', 'document.write',
'insertAdjacentHTML', 'location.href', 'window.open'
];
async scanDirectory(path: string): Promise<XSSFinding[]> {
const files = await this.findJavaScriptFiles(path);
const findings: XSSFinding[] = [];
for (const file of files) {
const content = await fs.readFile(file, 'utf-8');
findings.push(...this.scanFile(file, content));
}
return findings;
}
scanFile(filePath: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
findings.push(...this.detectHTMLManipulation(filePath, content));
findings.push(...this.detectReactVulnerabilities(filePath, content));
findings.push(...this.detectURLVulnerabilities(filePath, content));
findings.push(...this.detectEventHandlerIssues(filePath, content));
return findings;
}
detectHTMLManipulation(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('innerHTML') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'critical',
type: 'Unsafe HTML manipulation',
vulnerable_code: line.trim(),
description: 'User-controlled data in HTML manipulation creates XSS risk',
fix: 'Use textContent for plain text or sanitize with DOMPurify library',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('dangerously') && !this.hasSanitization(content)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'React unsafe HTML rendering',
vulnerable_code: line.trim(),
description: 'Unsanitized HTML in React component creates XSS vulnerability',
fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('location.') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'URL injection',
vulnerable_code: line.trim(),
description: 'User input in URL assignment can execute malicious code',
fix: 'Validate URLs and enforce http/https protocols only',
cwe: 'CWE-79'
});
}
});
return findings;
}
hasUserInput(line: string): boolean {
const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
return indicators.some(indicator => line.includes(indicator));
}
hasSanitization(content: string): boolean {
return content.includes('DOMPurify') || content.includes('sanitize');
}
}2. Framework-Specific Detection
class ReactXSSScanner {
scanReactComponent(code: string): XSSFinding[] {
const findings: XSSFinding[] = [];
// Check for unsafe React patterns
const unsafePatterns = [
'dangerouslySetInnerHTML',
'createMarkup',
'rawHtml'
];
unsafePatterns.forEach(pattern => {
if (code.includes(pattern) && !code.includes('DOMPurify')) {
findings.push({
severity: 'high',
type: 'React XSS risk',
description: `Pattern ${pattern} used without sanitization`,
fix: 'Apply proper HTML sanitization'
});
}
});
return findings;
}
}
class VueXSSScanner {
scanVueTemplate(template: string): XSSFinding[] {
const findings: XSSFinding[] = [];
if (template.includes('v-html')) {
findings.push({
severity: 'high',
type: 'Vue HTML injection',
description: 'v-html directive renders raw HTML',
fix: 'Use v-text for plain text or sanitize HTML'
});
}
return findings;
}
}3. Secure Coding Examples
class SecureCodingGuide {
getSecurePattern(vulnerability: string): string {
const patterns = {
html_manipulation: `
// SECURE: Use textContent for plain text
element.textContent = userInput;
// SECURE: Sanitize HTML when needed
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;`,
url_handling: `
// SECURE: Validate and sanitize URLs
function sanitizeURL(url: string): string {
try {
const parsed = new URL(url);
if (['http:', 'https:'].includes(parsed.protocol)) {
return parsed.href;
}
} catch {}
return '#';
}`,
react_rendering: `
// SECURE: Sanitize before rendering
import DOMPurify from 'dompurify';
const Component = ({ html }) => (
<div dangerouslySetInnerHTML={{
__html: DOMPurify.sanitize(html)
}} />
);`
};
return patterns[vulnerability] || 'No secure pattern available';
}
}4. Automated Scanning Integration
# ESLint with security plugin
npm install --save-dev eslint-plugin-security
eslint . --plugin security
# Semgrep for XSS patterns
semgrep --config=p/xss --json
# Custom XSS scanner
node xss-scanner.js --path=src --format=json5. Report Generation
class XSSReportGenerator {
generateReport(findings: XSSFinding[]): string {
const grouped = this.groupBySeverity(findings);
let report = '# XSS Vulnerability Scan Report\n\n';
report += `Total Findings: ${findings.length}\n\n`;
for (const [severity, issues] of Object.entries(grouped)) {
report += `## ${severity.toUpperCase()} (${issues.length})\n\n`;
for (const issue of issues) {
report += `- **${issue.type}**\n`;
report += ` File: ${issue.file}:${issue.line}\n`;
report += ` Fix: ${issue.fix}\n\n`;
}
}
return report;
}
groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {
return findings.reduce((acc, finding) => {
if (!acc[finding.severity]) acc[finding.severity] = [];
acc[finding.severity].push(finding);
return acc;
}, {} as Record<string, XSSFinding[]>);
}
}6. Prevention Checklist
HTML Manipulation
- Never use innerHTML with user input
- Prefer textContent for text content
- Sanitize with DOMPurify before rendering HTML
- Avoid document.write entirely
URL Handling
- Validate all URLs before assignment
- Block javascript: and data: protocols
- Use URL constructor for validation
- Sanitize href attributes
Event Handlers
- Use addEventListener instead of inline handlers
- Sanitize all event handler input
- Avoid string-to-code patterns
Framework-Specific
- React: Sanitize before using unsafe APIs
- Vue: Prefer v-text over v-html
- Angular: Use built-in sanitization
- Avoid bypassing framework security features
Output Format
- Vulnerability Report: Detailed findings with severity levels
- Risk Analysis: Impact assessment for each vulnerability
- Fix Recommendations: Secure code examples
- Sanitization Guide: DOMPurify usage patterns
- Prevention Checklist: Best practices for XSS prevention
Focus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.
Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.