
Source Code Security Review

by @quochungto

Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...

Version v1.0.0
⚡ When to Use

This skill applies when:
- A penetration test or security audit includes source code access, and you want to find more vulnerabilities, faster, than black-box testing alone
- You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing
- A black-box test revealed anomalous behavior and you want to trace its root cause in code
- You are reviewing an open-source component before integrating it into production

**The foundational insight:** Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals `"3"`, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing, and the two approaches are strongest when combined: code review guides where to probe interactively, and interactive testing confirms whether code-level findings are actually exploitable.

**Before starting:** Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential: a call to a custom `safeQuery()` wrapper may or may not prevent SQL injection, depending on how it is implemented, so read the wrapper before ruling a sink in or out.

**Authorized review only.** This skill is for security professionals with explicit written authorization.
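To make the grep-and-trace step concrete, here is an added example (hypothetical tooling written for this page, not code from the skill or its author) of the Phase 1 and Phase 2 triage that the scenarios below walk through by hand. It inventories input sources and dangerous sinks in Java, PHP and JavaScript, walks assignments backwards from each sink to the input that feeds it, flags string literals compared against a credential variable, and lists calls to custom wrappers such as `safeQuery()` that receive tainted data so that their bodies get read rather than trusted. The sample files are constructed to mirror the scenarios; the file names, the `safeQuery`/`checkCredentials` calls and the backdoor value are invented for the example.

```python
"""Source/sink triage for Phases 1 and 2: inventory input sources and dangerous
sinks, walk assignments backwards from each sink to the input that feeds it,
and flag hardcoded credentials and custom wrappers for manual reading.
Added example for this page (hypothetical tooling), regex-based and intra-file."""
import re
from collections import namedtuple

# Input sources per language (a subset; extend for the code base under review).
SOURCES = {
    "java": [r"request\.getParameter\(", r"Request\.QueryString\["],
    "php":  [r"\$_(GET|POST|COOKIE|REQUEST)\["],
    "js":   [r"document\.URL\b", r"location\.(search|hash|href)\b"],
}
# Dangerous sinks and the weakness they become when tainted data reaches them.
SINKS = {
    "java": [(r"\.execute(Query|Update)?\(", "CWE-89", "SQL injection"),
             (r"\.InnerHtml\s*=", "CWE-79", "XSS")],
    "php":  [(r"\bmysql_query\(", "CWE-89", "SQL injection"),
             (r"\b(exec|system|passthru|shell_exec)\(", "CWE-78", "OS command injection"),
             (r"\b(include|require)(_once)?\s*\(", "CWE-98", "file inclusion")],
    "js":   [(r"document\.location\s*=|\.innerHTML\s*=", "CWE-79", "DOM XSS / open redirect")],
}
# A custom wrapper fed by tainted data is not a finding by itself, but its body
# must be read before the sink behind it is ruled in or out.
WRAPPERS = re.compile(r"\b(safe|sanitize|clean)\w*\(", re.I)
# A string literal compared against a credential variable (CWE-798).
BACKDOOR = re.compile(
    r'"[^"]+"\s*\.equals\(\s*\w*(pass|pwd|secret)\w*\s*\)'
    r"|\$?\w*(pass|pwd|secret)\w*\s*===?\s*[\"'][^\"']+[\"']", re.I)
IDENT = re.compile(r"[A-Za-z_]\w*")
Finding = namedtuple("Finding", "file line cwe title detail")  # cwe "n/a" = confirm manually

def trace(lines, lang, idx, depth=4):
    """Return the source statement that reaches line idx, or None: for each identifier
    on the line, find its nearest earlier assignment and recurse, at most `depth` hops."""
    if any(re.search(p, lines[idx]) for p in SOURCES[lang]):
        return lines[idx].strip()
    if depth == 0:
        return None
    for ident in dict.fromkeys(IDENT.findall(lines[idx])):
        assign = re.compile(rf"(^|[^\w$])\$?{ident}\s*=(?!=)")
        for j in range(idx - 1, -1, -1):
            if assign.search(lines[j]):
                origin = trace(lines, lang, j, depth - 1)
                if origin:
                    return origin
                break  # nearest assignment only; older ones are overwritten
    return None

def review(file, lang, code):
    lines, found = code.splitlines(), []
    for i, line in enumerate(lines):
        if BACKDOOR.search(line):
            found.append(Finding(file, i + 1, "CWE-798", "hardcoded credential", line.strip()))
        for pat, cwe, title in SINKS[lang]:
            if not re.search(pat, line):
                continue
            origin = trace(lines, lang, i)
            if origin:
                found.append(Finding(file, i + 1, cwe, title, "fed by: " + origin))
            else:
                found.append(Finding(file, i + 1, "n/a", title + " sink, no source traced", "confirm manually"))
        if WRAPPERS.search(line) and trace(lines, lang, i):
            found.append(Finding(file, i + 1, "n/a", "custom wrapper receives tainted input", "read the wrapper body"))
    return found

def triage(files):
    """files: {(name, lang): source text} -> findings in file order."""
    return [f for (name, lang), code in files.items() for f in review(name, lang, code)]

# Constructed samples modelled on the scenarios on this page (not real code).
SAMPLES = {
    ("CustomerSearch.java", "java"): """\
String cid = request.getParameter("CID");
String sqlWhere = "CID = " + cid;
ResultSet rs = stmt.executeQuery("SELECT name, accno FROM TblCustomers WHERE " + sqlWhere);
ResultSet all = stmt.executeQuery("SELECT COUNT(*) FROM TblCustomers");
List<Row> rows = db.safeQuery("SELECT * FROM audit WHERE user = '" + cid + "'");
if (checkCredentials(up, password) || "letmein-2024".equals(password)) return up;
""",
    ("login.php", "php"): """\
$username = $_POST['username'];
$password = $_POST['password'];
mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
include($_GET['page'] . '.php');
exec("convert " . $_POST['filename'] . " -resize 100x100 output.jpg");
""",
    ("redirect.js", "js"): """\
var url = document.URL;
var index = url.indexOf('?redir=');
var target = unescape(url.substring(index + 7, url.length));
document.location = target;
""",
}

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.file}:{f.line:<3} {f.cwe:<8} {f.title}  [{f.detail}]")
```

The output is a worklist, not a verdict: every `n/a` entry and every `fed by:` line still has to be read in context, and the regexes are deliberately narrow, so extend `SOURCES`, `SINKS` and `WRAPPERS` with the code base's own abstractions identified in the "Before starting" step.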
---
💡 Examples

**Scenario: Penetration test with source access (Java banking application)**

Trigger: "We're granting you source access for this pentest. The application handles fund transfers and user account management."

Process:
1. Phase 1: Grep for `getParameter`, which finds 47 call sites. Note that `request.getParameter("title")` is stored in the `m_pageTitle` field in `PageController.java:88`.
2. Phase 2.1 (XSS): Grep for `InnerHtml`, which finds `objCell.InnerHtml = link` in `ReportView.java:204`. Trace `link` backward: it is built by string concatenation from `HttpUtility.UrlDecode(Request.QueryString["refURL"])` with no HTML encoding. Confirmed reflected XSS (CWE-79, High). Also trace `m_pageTitle` forward: the template renderer writes it into the page title element without encoding. Second XSS confirmed, conditionally triggerable (requires `type=3`).
3. Phase 2.2 (SQL injection): Grep for `createStatement`, which finds `s.executeQuery("SELECT name, accno FROM TblCustomers WHERE " + SqlWhere)` in `CustomerSearch.java:156`. `SqlWhere` is built from `Request.QueryString["CID"]`. Confirmed SQL injection (CWE-89, Critical).
4. Phase 2.6 (Backdoor): Line-by-line review of `AuthService.java` finds `if (checkCredentials(up, password) || "oculiomnium".equals(password)) return up;`. The hardcoded backdoor password grants access to any account (CWE-798, Critical).

(The snippets in this scenario mix Java servlet and ASP.NET idioms; the review steps are the same in either stack.)

Output: four findings: Critical SQL injection, Critical backdoor password, and two High XSS.

Countermeasures: replace `createStatement` with `prepareStatement` and bind every parameter; remove the hardcoded password; HTML-encode all output at the point where it is written into the page, for example via `HtmlUtils.htmlEscape()`.

---

**Scenario: Pre-launch PHP e-commerce application review**

Trigger: "We're launching next month. Please review our PHP codebase for security issues before we go live."

Process:
1. Phase 1: Grep for PHP input sources, which finds `$_GET`, `$_POST` and `$_COOKIE` in 23 files. Check `php.ini`: `register_globals = On` on their dev server; flag immediately.
2. Phase 2.3 (Path traversal + RFI): Grep for `include(`, which finds `include($_GET['page'] . '.php')` in `main.php:12`. Nothing restricts `page` to a known set of names, so `../` sequences reach any local `.php` file, and `php.ini` has `allow_url_include = 1`, so a remote URL works as well. Confirmed Remote File Inclusion (CWE-98, Critical). The same `php.ini` also has `allow_url_fopen = 1`.
3. Phase 2.2 (SQL injection): Grep for `mysql_query(`, which finds `mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")` in `login.php:34`. Both variables come from `$_POST` without escaping. Confirmed SQL injection (CWE-89, Critical); `magic_quotes_gpc = Off` confirms that no runtime escaping is active.
4. Phase 2.5 (OS command injection): Grep for `exec(`, which finds `exec("convert " . $_POST['filename'] . " -resize 100x100 output.jpg")` in `image.php:67`. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).
5. Phase 4 (Config): `display_errors = On` in the production `php.ini` leaks stack traces and database credentials to users (Low). `register_globals = On` creates uninitialized-variable injection vectors (High).

Output: 3 Critical findings, 1 High, 1 Low.

Countermeasures: disable `allow_url_include` and `allow_url_fopen`, and restrict `page` to an allowlist of page names (disabling URL includes stops remote inclusion only, not local traversal); replace `mysql_query` with `mysqli::prepare` (or PDO) and bound parameters; replace shell `exec` with the Imagick extension API; set `display_errors = Off` and `log_errors = On`; set `register_globals = Off`.

---

**Scenario: Security audit of a PHP/JavaScript SPA, focused on the client-side and database tiers**

Trigger: "Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture."

Process:
1. Phase 2.1 (DOM XSS): Grep the JavaScript for DOM sources and sinks, which finds the following in `redirect.js:22`:

   ```javascript
   url = document.URL;
   index = url.indexOf('?redir=');
   target = unescape(url.substring(index + 7, url.length));
   document.location = target;
   ```

   The script checks for `//` to block absolute URLs, but calls `unescape()` after that check, so the value is decoded again between validation and use. Confirmed DOM-based open redirect and XSS via `?redir=%2500javascript:alert(1)` (CWE-601 + CWE-79, High): a post-validation canonicalization bypass.
2. Phase 2.2 (Stored procedure SQL injection): Review the `.sql` migration files, which contain:

   ```sql
   CREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS
   DECLARE @sql nvarchar(4000)
   SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' +
                 'searchstring = ''' + @name + ''''
   EXEC (@sql)
   GO
   ```

   Even if the application calls this procedure through a parameterized API, the procedure itself builds dynamic SQL from `@name`. Confirmed stored procedure SQL injection (CWE-89, High).
3. Phase 3 (Session management): Line-by-line review of `TokenGenerator.java` shows that it uses `java.util.Random`, which is not cryptographically secure, to generate session tokens. Tokens are predictable given enough samples (CWE-338, High).

Output: 3 High findings: DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens.

Countermeasures: remove the `unescape()` call from the redirect script and validate only after all decoding is done; rewrite the procedure as a static query (`WHERE searchstring = @name`) or, where dynamic SQL is unavoidable, pass `@name` through `sp_executesql` as a bound parameter; replace `java.util.Random` with `java.security.SecureRandom`.

---

Install: `clawhub install bookforge-source-code-security-review`
View on ClawHub: https://clawhub.ai/quochungto/bookforge-source-code-security-review
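The configuration checks from the PHP scenario above, as an added example that is not the skill's own tooling: a small `php.ini` reader that compares the directives named in that scenario against a baseline, reports what is weak, unset or unparseable, and emits the corrected file. The severities for `register_globals`, `allow_url_include` and `display_errors` follow the scenario; the severities for `allow_url_fopen` and `log_errors`, the built-in defaults assumed for absent directives, and the sample ini are this example's assumptions.

```python
"""Phase 4 (configuration) helper: read a php.ini, compare the directives the PHP
scenario turns on against a hardening baseline, and emit the corrected file.
Added example for this page, not the skill's own tooling."""

# directive -> (required value, severity, why it matters). None = report only.
BASELINE = {
    "allow_url_include": (False, "Critical", "include()/require() accept URLs: remote file inclusion"),
    "register_globals":  (False, "High",     "request parameters become PHP variables: uninitialised-variable injection"),
    "allow_url_fopen":   (False, "Medium",   "file functions fetch remote URLs; widens RFI and SSRF surface"),
    "display_errors":    (False, "Low",      "stack traces and connection strings are shown to users"),
    "log_errors":        (True,  "Low",      "with display off, errors must still reach a log"),
    "magic_quotes_gpc":  (None,  "Info",     "decides whether unescaped SQL is exploitable as written"),
}
# Built-in defaults assumed when a directive is absent (log_errors changed in
# PHP 8.0 and magic_quotes_gpc was removed in 5.4, so those stay "unset").
DEFAULTS = {"allow_url_include": "0", "register_globals": "0",
            "allow_url_fopen": "1", "display_errors": "1"}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}

def parse_ini(text):
    """Minimal php.ini reader: ';' comments stripped, [sections] skipped,
    keys lower-cased, last assignment wins (as PHP itself does)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip("\"'")
    return directives

def as_bool(value):
    v = value.strip().lower()
    return True if v in TRUE_WORDS else False if v in FALSE_WORDS else None

def audit(ini_text):
    """One entry per baseline directive that is weak, informational, or unresolved."""
    d, report = parse_ini(ini_text), []
    for name, (required, severity, why) in BASELINE.items():
        raw = d.get(name, DEFAULTS.get(name))
        actual = None if raw is None else as_bool(raw)
        if raw is None or (required is not None and actual is None):
            # Not set here, or a non-boolean value such as 'stderr': resolve on the target.
            status = "unset" if raw is None else "unknown"
            report.append(dict(directive=name, status=status, severity="Info", value=raw, why=why))
        elif required is None:
            report.append(dict(directive=name, status="info", severity="Info", value=raw, why=why))
        elif actual != required:
            report.append(dict(directive=name, status="weak", severity=severity, value=raw, why=why))
    return report

def hardened(ini_text):
    """Rewrite weak directives to the baseline value and append any that are missing."""
    fixes = {n: ("On" if req else "Off") for n, (req, _, _) in BASELINE.items() if req is not None}
    out, seen = [], set()
    for raw in ini_text.splitlines():
        key = raw.split(";", 1)[0].split("=", 1)[0].strip().lower()
        if key in fixes:
            out.append(f"{key} = {fixes[key]}")
            seen.add(key)
        else:
            out.append(raw)
    out += [f"{k} = {v}" for k, v in fixes.items() if k not in seen]
    return "\n".join(out) + "\n"

# Constructed php.ini mirroring the PHP scenario on this page (not a real file).
SAMPLE_INI = """\
[PHP]
register_globals = On
allow_url_include = 1
allow_url_fopen = 1
display_errors = On
magic_quotes_gpc = Off
; log_errors is not set anywhere in this file
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_INI):
        print(f'{r["severity"]:<8} {r["directive"]} = {r["value"]!r} ({r["status"]}): {r["why"]}')
    print("--- hardened ---")
    print(hardened(SAMPLE_INI))
```

A `php.ini` on disk is only one input to the effective configuration: php-fpm pool files, `.htaccess` and `.user.ini`, and `ini_set()` calls in the code can override it, so confirm anything reported as `unset` or `unknown` with `php -i` or `phpinfo()` on the deployed system rather than from the file alone.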
Use this skill when: you have authorized a...\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image\",\"content\":\"https://bytesagain.com/social-preview.png\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"21\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"link\",\"22\",{\"rel\":\"icon\",\"href\":\"/favicon.ico?favicon.0x3dzn~oxb6tn.ico\",\"sizes\":\"256x256\",\"type\":\"image/x-icon\"}],[\"$\",\"$L1c\",\"23\",{}]]\n"])</script><script>self.__next_f.push([1,"1d:T1e26,"])</script><script>self.__next_f.push([1,"\n .skill-page { max-width: 1100px; margin: 0 auto; padding: 32px 20px 80px; }\n .two-col { display: flex; gap: 32px; align-items: flex-start; }\n .two-col-main { flex: 1; min-width: 0; }\n .two-col-side { width: 300px; flex-shrink: 0; }\n @media (max-width: 860px) {\n .two-col { flex-direction: column; }\n .two-col-side { width: 100%; }\n }\n .breadcrumb { font-size: .82em; color: #4b5563; margin-bottom: 28px; }\n .breadcrumb a { color: #818cf8; text-decoration: none; }\n .breadcrumb a:hover { text-decoration: underline; }\n .skill-card { background: #0d0d1f; border: 1px solid #1e1e3f; border-radius: 20px; padding: 28px; margin-bottom: 24px; }\n .skill-header { display: flex; align-items: flex-start; justify-content: space-between; gap: 16px; margin-bottom: 20px; flex-wrap: wrap; }\n .skill-badges { display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }\n .skill-top-actions { display: flex; align-items: center; gap: 10px; margin-left: auto; }\n .badge { display: inline-flex; align-items: center; gap: 5px; font-size: .75em; font-weight: 600; padding: 4px 12px; border-radius: 999px; border: 1px solid transparent; }\n .skill-title { font-size: 1.6em; font-weight: 800; color: #f1f5f9; margin: 0 0 4px; line-height: 1.2; }\n .skill-owner { font-size: .82em; color: #4b5563; margin: 0 0 14px; }\n .skill-owner span { color: #818cf8; }\n .skill-desc { font-size: .92em; color: #94a3b8; 
line-height: 1.65; margin: 0 0 16px; }\n .skill-meta { display: flex; gap: 16px; flex-wrap: wrap; margin-bottom: 18px; padding-bottom: 16px; border-bottom: 1px solid #1e1e3f; }\n .meta-item { display: flex; flex-direction: column; gap: 2px; }\n .meta-label { font-size: .7em; color: #374151; text-transform: uppercase; letter-spacing: 1px; font-weight: 600; }\n .meta-value { font-size: .92em; color: #94a3b8; font-weight: 600; }\n .tags-row { display: flex; gap: 6px; flex-wrap: wrap; }\n .tag { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 3px 10px; text-decoration: none; }\n .tag:hover { background: #6366f125; }\n .install-box { background: #070714; border: 1px solid #1e1e3f; border-radius: 12px; overflow: hidden; margin-bottom: 24px; }\n .install-header { display: flex; align-items: center; justify-content: space-between; padding: 10px 16px; border-bottom: 1px solid #1e1e3f; }\n .install-dots { display: flex; gap: 6px; }\n .dot { width: 10px; height: 10px; border-radius: 50%; }\n .install-label { font-size: .72em; color: #374151; font-family: monospace; letter-spacing: 1px; }\n .install-body { padding: 16px 20px; display: flex; align-items: center; justify-content: space-between; gap: 12px; }\n .install-cmd { font-family: 'Courier New', monospace; font-size: 1em; color: #a5f3fc; }\n .copy-btn { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 5px 12px; cursor: pointer; white-space: nowrap; transition: all .15s; }\n .copy-btn:hover { background: #6366f125; }\n .btn-primary { display: inline-flex; align-items: center; gap: 8px; padding: 13px 28px; background: linear-gradient(135deg, #6366f1, #818cf8); border-radius: 10px; color: #fff; text-decoration: none; font-weight: 700; font-size: .95em; transition: opacity .15s; }\n .btn-primary:hover { opacity: .88; }\n .btn-secondary { display: inline-flex; align-items: center; gap: 8px; 
padding: 13px 24px; background: transparent; border: 1px solid #1e1e3f; border-radius: 10px; color: #6b7280; text-decoration: none; font-weight: 600; font-size: .95em; transition: all .15s; }\n .btn-secondary:hover { border-color: #818cf8; color: #818cf8; }\n .actions-row { display: flex; gap: 12px; flex-wrap: wrap; }\n .disclaimer { margin-top: 20px; padding: 14px 18px; background: #070714; border: 1px solid #1a1a3a; border-radius: 10px; font-size: .78em; color: #374151; line-height: 1.7; }\n .disclaimer a { color: #6366f1; }\n .ours-badge { display: inline-flex; align-items: center; gap: 6px; font-size: .72em; font-weight: 700; color: #22d3ee; background: #22d3ee10; border: 1px solid #22d3ee30; border-radius: 999px; padding: 4px 14px; }\n .section-card { background: #0d0d1f; border: 1px solid #1e1e3f; border-radius: 16px; padding: 22px 24px; margin-bottom: 20px; }\n .section-title { color: #f8fafc; font-size: 1.08em; font-weight: 800; margin: 0 0 12px; display: flex; align-items: center; gap: 8px; }\n .section-content { font-size: .88em; color: #94a3b8; line-height: 1.7; }\n .next-step-card { background: linear-gradient(135deg, #10102a, #0d0d1f); border: 1px solid #6366f144; border-radius: 16px; padding: 20px; margin: 0 0 20px; }\n .next-step-title { color: #f8fafc; font-size: 1.18em; font-weight: 800; margin: 0 0 8px; }\n .next-step-sub { color: #94a3b8; line-height: 1.65; margin: 0 0 18px; }\n .agent-grid { display: grid; grid-template-columns: repeat(auto-fit,minmax(210px,1fr)); gap: 12px; margin-top: 14px; }\n .agent-card { display: block; background: #070714; border: 1px solid #1e1e3f; border-radius: 14px; padding: 16px; text-decoration: none; transition: border-color .15s, transform .15s; }\n .agent-card:hover { border-color: #818cf8; transform: translateY(-1px); }\n .agent-name { color: #f8fafc; font-weight: 800; margin-bottom: 6px; display: flex; justify-content: space-between; gap: 8px; }\n .agent-desc { color: #64748b; font-size: .84em; line-height: 
1.55; margin-bottom: 12px; }\n .agent-link { color: #a5b4fc; font-size: .82em; font-weight: 800; }\n .sponsored-pill { color: #fbbf24; background: #fbbf2414; border: 1px solid #fbbf2444; border-radius: 999px; padding: 2px 7px; font-size: .7em; white-space: nowrap; }\n .cta-banner { background: linear-gradient(135deg, #0d0d1f, #13103a); border: 1px solid #6366f133; border-radius: 16px; padding: 24px 28px; display: flex; align-items: center; justify-content: space-between; gap: 16px; flex-wrap: wrap; margin-top: 8px; }\n .cta-title { font-weight: 700; color: #e2e8f0; margin: 0 0 4px; }\n .cta-sub { color: #4b5563; font-size: .86em; }\n /* Script box */\n .script-box { background: #050510; border: 1px solid #1e1e3f; border-radius: 12px; overflow: hidden; }\n .script-header { display: flex; align-items: center; justify-content: space-between; padding: 8px 14px; background: #0a0a1c; border-bottom: 1px solid #1e1e3f; }\n .script-filename { font-size: .72em; color: #4b5563; font-family: 'Courier New', monospace; }\n .script-copy-btn { font-size: .72em; color: #6366f1; background: none; border: 1px solid #6366f130; border-radius: 4px; padding: 2px 10px; cursor: pointer; }\n .script-copy-btn:hover { background: #6366f115; }\n .script-body { padding: 14px 16px; font-family: 'Courier New', monospace; font-size: .82em; line-height: 1.6; color: #a5f3fc; overflow-x: auto; max-height: 420px; overflow-y: auto; white-space: pre; }\n /* Articles */\n .article-card { display: block; background: #0f0f23; border: 1px solid #1a1a3e; border-radius: 10px; padding: 14px 16px; text-decoration: none; transition: border-color .15s; }\n .article-card:hover { border-color: #6366f1; }\n @media (max-width: 600px) {\n .skill-card { padding: 20px; }\n .skill-title { font-size: 1.5em; }\n .cta-banner { flex-direction: column; align-items: flex-start; }\n }\n 
"])</script><script>self.__next_f.push([1,"13:[[\"$\",\"style\",null,{\"children\":\"$1d\"}],\"$L1e\",\"$L1f\"]\n"])</script><script>self.__next_f.push([1,"20:I[78297,[\"/_next/static/chunks/0j7976nc1zlv1.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/13n0i~5jmm-ff.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\"],\"default\"]\n21:I[32109,[\"/_next/static/chunks/0j7976nc1zlv1.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\",\"/_next/static/chunks/13n0i~5jmm-ff.js?dpl=dpl_A2hgSD3MeXFzVLary6X9Y4AbeWfD\"],\"default\"]\n22:T1413,"])</script><script>self.__next_f.push([1,"**Scenario: Penetration test with source access β€” Java banking application**\nTrigger: \"We're granting you source access for this pentest. The application handles fund transfers and user account management.\"\nProcess:\n1. Phase 1: Grep for `getParameter` β€” finds 47 call sites. Note `request.getParameter(\"title\")` stored in `m_pageTitle` field in `PageController.java:88`.\n2. Phase 2.1 (XSS): Grep for `InnerHtml` β€” finds `objCell.InnerHtml = link` in `ReportView.java:204`. Trace `link` backward β€” constructed by string concatenation from `HttpUtility.UrlDecode(Request.QueryString[\"refURL\"])` without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace `m_pageTitle` forward β€” finds it written into `\u003ctitle\u003e` element in template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires `type=3`).\n3. Phase 2.2 (SQL injection): Grep for `createStatement` β€” finds `s.executeQuery(\"SELECT name, accno FROM TblCustomers WHERE \" + SqlWhere)` in `CustomerSearch.java:156`. `SqlWhere` is built from `Request.QueryString[\"CID\"]`. 
Confirmed SQL injection (CWE-89, Critical).\n4. Phase 2.6 (Backdoor): Line-by-line review of `AuthService.java` β€” finds `if (checkCredentials(up, password) || \"oculiomnium\".equals(password)) return up;`. Hardcoded backdoor password grants access to any account (CWE-798, Critical).\nOutput: 3 findings β€” Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace `createStatement` with `prepareStatement`; remove hardcoded password; HTML-encode all output via `HtmlUtils.htmlEscape()`.\n\n---\n\n**Scenario: Pre-launch PHP e-commerce application review**\nTrigger: \"We're launching next month. Please review our PHP codebase for security issues before we go live.\"\nProcess:\n1. Phase 1: Grep for PHP input sources β€” finds `$_GET`, `$_POST`, `$_COOKIE` in 23 files. Check `php.ini` β€” `register_globals = On` on their dev server; flag immediately.\n2. Phase 2.3 (Path traversal + RFI): Grep for `include(` β€” finds `include($_GET['page'] . '.php')` in `main.php:12`. No `allow_url_include` check in code. Check `php.ini` β€” `allow_url_include = 1`. Confirmed Remote File Inclusion (CWE-98, Critical). Also: `allow_url_fopen = 1` and `display_errors = On` in production config.\n3. Phase 2.2 (SQL injection): Grep for `mysql_query(` β€” finds `mysql_query(\"SELECT * FROM users WHERE username = '$username' AND password = '$password'\")` in `login.php:34`. Variables from `$_POST` without escaping. Confirmed SQL injection (CWE-89, Critical). `magic_quotes_gpc = Off` confirms no runtime escaping active.\n4. Phase 2.5 (OS command injection): Grep for `exec(` β€” finds `exec(\"convert \" . $_POST['filename'] . \" -resize 100x100 output.jpg\")` in `image.php:67`. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).\n5. Phase 4 (Config): `display_errors = On` in `php.ini` β€” leaks stack traces and DB credentials to users (Low). 
`register_globals = On` β€” creates uninitialized variable injection vectors (High).\nOutput: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable `allow_url_include` and `allow_url_fopen`; replace `mysql_query` with `mysqli-\u003eprepare`; replace shell `exec` with ImageMagick PHP extension API; set `display_errors = Off` + `log_errors = On`; set `register_globals = Off`.\n\n---\n\n**Scenario: Security audit of a PHP/JavaScript SPA β€” focus on client-side and database tier**\nTrigger: \"Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture.\"\nProcess:\n1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks β€” finds `url = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;` in `redirect.js:22`. Script checks for `//` to block absolute URLs but calls `unescape()` afterward. Confirmed DOM-based open redirect and XSS via `?redir=%2500javascript:alert(1)` (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.\n2. Phase 2.2 (Stored procedure SQL injection): Review `.sql` migration files β€” finds `CREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' + 'searchstring = ''' + @name + ''''; EXEC (@sql) GO`. Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from `@name` β€” confirmed stored procedure SQL injection (CWE-89, High).\n3. Phase 3 (Session management): Line-by-line review of `TokenGenerator.java` β€” uses `java.util.Random` (not cryptographically secure) to generate session tokens. Session tokens are predictable given sufficient samples (CWE-338, High).\nOutput: 3 High findings β€” DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. 
Countermeasures: remove `unescape()` call from redirect script; rewrite stored procedure using `sp_executesql` with parameterized query; replace `java.util.Random` with `java.security.SecureRandom`.\n\n---"])</script><script>self.__next_f.push([1,"23:T6e0,"])</script><script>self.__next_f.push([1,"You have authorized access to a web application's source code and need to find security vulnerabilities systematically.\n\nThis skill applies when:\n- A penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone\n- You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing\n- A black-box test revealed anomalous behavior and you want to trace its root cause in code\n- You are reviewing an open-source component before integrating it into production\n\n**The foundational insight:** Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals `\"3\"`, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.\n\n**Before starting:** Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. 
Understanding these customizations is essential β€” a call to a custom `safeQuery()` wrapper may or may not prevent SQL injection depending on its implementation.\n\n**Authorized review only.** This skill is for security professionals with explicit written authorization.\n\n---"])</script><script>self.__next_f.push([1,"24:T8dac,"])</script><script>self.__next_f.push([1,"---\nname: source-code-security-review\ndescription: |\n Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized access to an application's source code and need to identify security flaws faster or more thoroughly than black-box testing alone; auditing a codebase prior to launch or after a security incident; reviewing open-source or purchased software for embedded vulnerabilities; complementing an active penetration test with source-level analysis. Applies a three-phase methodology: (1) identify all user-input entry points via platform-specific source APIs β€” Java HttpServletRequest, ASP.NET Request.Params/Form/QueryString, PHP $_GET/$_POST/$_COOKIE/$_REQUEST, Perl CGI param(), JavaScript document.location/URL; (2) trace data flow forward to dangerous sink APIs β€” Runtime.exec()/Process.Start() for OS command injection, Statement.execute()/mysql_query() for SQL injection, FileInputStream/include() for path traversal, sendRedirect()/header() for open redirect, eval() for script injection; (3) line-by-line close review of authentication, session management, access control, and native code components. Covers 8 vulnerability signature categories: cross-site scripting, SQL injection, path traversal, arbitrary redirection, OS command injection, backdoor passwords, native software bugs (buffer overflow, integer flaw, format string), and incriminating source code comments. 
Also covers database code components (stored procedures with dynamic SQL) and environment configuration checks (web.xml, Web.config, php.ini). Produces a prioritized findings report with evidence and countermeasures. Maps to CWE-79 (XSS), CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-601 (Open Redirect), CWE-78 (OS Command Injection), CWE-798 (Hardcoded Credentials), CWE-120/121/122 (Buffer Overflow), CWE-134 (Format String). For authorized security review engagements, appsec engineers, and security-minded developers.\nversion: 1.0.0\nhomepage: https://github.com/bookforge-ai/bookforge-skills/tree/main/books/web-application-hackers-handbook/skills/source-code-security-review\nmetadata: {\"openclaw\":{\"emoji\":\"πŸ“š\",\"homepage\":\"https://github.com/bookforge-ai/bookforge-skills\"}}\nstatus: draft\ndepends-on: []\nsource-books:\n - id: web-application-hackers-handbook\n title: \"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws\"\n authors: [\"Dafydd Stuttard\", \"Marcus Pinto\"]\n edition: 2\n chapters: [19]\n pages: \"701-745\"\ntags: [code-review, white-box-testing, source-code-analysis, xss, sql-injection, path-traversal, open-redirect, command-injection, backdoor, buffer-overflow, java, aspnet, php, perl, javascript, penetration-testing, appsec, cwe-79, cwe-89, cwe-22, cwe-601, cwe-78, cwe-798, cwe-120, cwe-134]\nexecution:\n tier: 1\n mode: full\n inputs:\n - type: codebase\n description: \"Web application source code β€” server-side handlers, data access layer, database stored procedures, configuration files (web.xml, Web.config, php.ini), client-side JavaScript\"\n - type: document\n description: \"Build manifests, dependency lists, architecture diagrams β€” optional but useful for scoping\"\n tools-required: [Read, Grep]\n tools-optional: [Bash, Write]\n mcps-required: []\n environment: \"Run directly against the source code repository. No live application required. 
Authorized review context required.\"\ndiscovery:\n goal: \"Identify exploitable security vulnerabilities in web application source code using a structured three-phase approach β€” entry points, dangerous sinks, and line-by-line review of high-risk components β€” and produce a prioritized findings report\"\n tasks:\n - \"Establish platform and establish custom wrapper awareness before proceeding\"\n - \"Map all user-input entry points using platform-specific source APIs\"\n - \"Trace data flow from sources to dangerous sink APIs for each vulnerability category\"\n - \"Perform line-by-line review of high-risk components: authentication, session management, access control, native code\"\n - \"Audit database stored procedures for dynamic SQL construction\"\n - \"Review environment configuration files for security-relevant settings\"\n - \"Document findings with CWE mapping, severity, evidence, and countermeasures\"\n audience:\n roles: [\"penetration-tester\", \"application-security-engineer\", \"security-minded-developer\"]\n experience: \"intermediate-to-advanced β€” assumes familiarity with at least one server-side web platform (Java, .NET, PHP, Perl) and common web vulnerability classes\"\n triggers:\n - \"Penetration test engagement where source code access has been granted\"\n - \"Security audit of a web application prior to production deployment\"\n - \"Reviewing an open-source project or purchased component for embedded vulnerabilities\"\n - \"Root-cause analysis after a security incident β€” understanding how the vulnerability existed in code\"\n - \"Supplementing automated SAST tool output with manual verification\"\n not_for:\n - \"Black-box behavioral testing without source access β€” use the relevant black-box testing skills\"\n - \"Infrastructure or network security review β€” different scope\"\n - \"Mobile application source review β€” different platform APIs\"\n---\n\n# Source Code Security Review\n\n## When to Use\n\nYou have authorized access to a 
web application's source code and need to find security vulnerabilities systematically.\n\nThis skill applies when:\n- A penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone\n- You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing\n- A black-box test revealed anomalous behavior and you want to trace its root cause in code\n- You are reviewing an open-source component before integrating it into production\n\n**The foundational insight:** Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals `\"3\"`, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.\n\n**Before starting:** Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β€” a call to a custom `safeQuery()` wrapper may or may not prevent SQL injection depending on its implementation.\n\n**Authorized review only.** This skill is for security professionals with explicit written authorization.\n\n---\n\n## Context and Input Gathering\n\n### Required Context\n\n- **Platform(s) in use (Java, ASP.NET, PHP, Perl, JavaScript, or mix):**\n Why: each platform has distinct source APIs for reading user input and distinct dangerous sink APIs. 
The Grep patterns and review focus differ entirely between a Java servlet application and a PHP script.\n - Check for: `pom.xml` / `build.gradle` (Java), `*.csproj` / `Web.config` (ASP.NET), `*.php` files, `*.pl` files, `package.json` (Node.js/JS)\n\n- **Scope of review (full codebase, specific modules, authentication only):**\n Why: a large enterprise application may have hundreds of thousands of lines. Time-boxed reviews require prioritizing the highest-risk components. Without a defined scope, coverage is uneven.\n - If unspecified, start with authentication, session management, access control, and any component that processes user file access or external command execution\n\n- **Any existing SAST tool output:**\n Why: avoids duplicating what automated analysis already found and focuses manual effort on classes of issues that tools reliably miss (logic flaws, race conditions, backdoors).\n\n### Observable Context (gather from codebase)\n\n- Platform-specific configuration files: `web.xml`, `Web.config`, `php.ini`, `.htaccess`\n- Framework identification: Spring, Struts, Django, Laravel, Rails annotations and imports\n- Database access layer: ORM vs raw SQL, presence of prepared statement APIs\n- Custom security utilities: classes or functions named `sanitize`, `validate`, `encode`, `escape`, `filter`\n- Native code integration: JNI calls, P/Invoke, C extension includes, `Runtime.exec` / `Process.Start`\n\n---\n\n## Process\n\n### Phase 1 β€” Map User-Input Entry Points\n\n**ACTION:** Grep the codebase for platform-specific source APIs. Every location where user-controlled data enters the application is a potential source of tainted data. Build a catalog of entry points before tracing data flows.\n\n**WHY:** Vulnerabilities arise when user-controlled data reaches a dangerous operation without proper validation or encoding. You cannot trace data flow without first knowing all the places data enters. 
Applications frequently receive input through less-obvious channels β€” HTTP headers, cookies, session-derived data from user registration, even the URL path itself. Missing an entry point means missing all vulnerabilities that originate from it.\n\n**AGENT: EXECUTES** β€” Grep for platform-specific source APIs:\n\n**Java (HttpServletRequest / ServletRequest):**\n```\ngetParameter|getParameterNames|getParameterValues|getParameterMap\ngetQueryString|getHeader|getHeaders|getHeaderNames\ngetRequestURI|getRequestURL|getCookies|getRequestedSessionId\ngetInputStream|getReader|getRemoteUser|getUserPrincipal\n```\n\n**ASP.NET (System.Web.HttpRequest):**\n```\nRequest\\.Params|Request\\.Item|Request\\.Form|Request\\.QueryString\nRequest\\.ServerVariables|Request\\.Headers|Request\\.Url|Request\\.RawUrl\nRequest\\.UrlReferrer|Request\\.Cookies|Request\\.BinaryRead\nRequest\\.Browser|Request\\.UserAgent|Request\\.AcceptTypes\n```\n\n**PHP:**\n```\n\\$_GET|\\$_POST|\\$_COOKIE|\\$_REQUEST|\\$_FILES|\\$_SERVER\n\\$HTTP_GET_VARS|\\$HTTP_POST_VARS|\\$HTTP_COOKIE_VARS\n\\$GLOBALS\n```\nNote: if `register_globals` is enabled in `php.ini`, any variable name may receive request parameter values. 
Line-by-line review is then required to track all uses of uninitialized variables.\n\n**Perl (CGI.pm):**\n```\n-\u003eparam\\(|-\u003eparam_fetch\\(|-\u003eVars\\b|-\u003ecookie\\(|-\u003eraw_cookie\\(\n-\u003equery_string\\b|-\u003ereferer\\b|-\u003eself_url\\b|-\u003eurl\\b\nReadParse\n```\n\n**JavaScript (DOM sources):**\n```\ndocument\\.location|document\\.URL|document\\.URLUnencoded|document\\.referrer\nwindow\\.location|location\\.search|location\\.hash|location\\.href\n```\n\n**NOTE:** Also search for `$GLOBALS` (PHP), any class names ending in `Request`, `HttpContext`, `HttpInput`, or equivalent β€” applications commonly abstract input access behind wrapper classes.\n\n---\n\n### Phase 2 β€” Trace Data Flow to Dangerous Sinks (Signature Scanning)\n\n**ACTION:** For each vulnerability category below, grep for the dangerous sink APIs. For each hit, trace backward to determine whether user-controlled data from Phase 1 sources flows into that sink without adequate validation or encoding. Confirm or dismiss each candidate finding.\n\n**WHY:** Signature scanning targets the highest-density locations of potential vulnerabilities first. A hard-coded SQL query fragment like `\"SELECT` appearing in application code is almost always part of a SQL injection–vulnerable pattern. An `eval()` call receiving user input is almost always dangerous. 
This approach finds low-hanging fruit quickly, leaving remaining time for the subtler line-by-line review in Phase 3.\n\n---\n\n#### 2.1 β€” Cross-Site Scripting (XSS)\n\n**Grep for output APIs that write user data to responses:**\n\n**Java:** `response.getWriter().print|println|write`, `out.print|println`, `.InnerHtml`, `response.setHeader`\n\n**ASP.NET:** `Response.Write|Response.Output.Write`, `\\.InnerHtml\\s*=`, `\\.InnerText\\s*=`\n\n**PHP:** `echo\\b|print\\b|printf\\b|vprintf\\b`, `\u003c?=`\n\n**JavaScript (DOM sinks):**\n```\ndocument\\.write\\(|document\\.writeln\\(|\\.innerHTML\\s*=\neval\\(|window\\.execScript\\(|window\\.setInterval\\(|window\\.setTimeout\\(\n```\n\n**Pattern to find:** User input from a Phase 1 source is incorporated into HTML output without HTML-encoding. Example:\n```java\n// Vulnerable: m_pageTitle set from request.getParameter(\"title\") and\n// later written into a \u003ctitle\u003e element without encoding\nm_pageTitle = request.getParameter(\"title\");\n```\nTrace `m_pageTitle` forward β€” if it is written to a response element or used to construct a link/HTML fragment without `HtmlEncode()` / `escapeHtml()` / `HtmlUtils.htmlEscape()`, this is a confirmed XSS.\n\n**Grep for SQL fragment strings to find XSS in query-string construction:**\n```\n\"SELECT |\"INSERT |\"DELETE |\" WHERE |\" AND |\" OR |\" ORDER BY\n```\nThese patterns are case-insensitive; also search lowercase. The surrounding whitespace and quote distinguish SQL keyword strings from ordinary concatenated strings.\n\n**NOTE on filter-based mitigations:** If a filter exists that blocks certain XSS payloads in the query string, trace it carefully. 
Filters applied to the wrong parameter, or applied to a value that is decoded or otherwise transformed again after the check, provide no protection.

---

#### 2.2: SQL Injection

**Grep for raw SQL execution APIs:**

**Java:** `createStatement\(|\.execute\(|\.executeQuery\(|\.executeUpdate\(|prepareStatement\(` (on a `PreparedStatement` the `execute*` methods take no argument, so any call that passes a String is running a plain `Statement`; `prepareStatement(` hits matter when the string handed to them is concatenated)

**ASP.NET:** `SqlCommand|OleDbCommand|OdbcCommand|SqlDataAdapter|\.CommandText\s*=`

**PHP:** `mysql_query|mssql_query|pg_query|mysqli_query|->query\(|->exec\(` (the last two cover `mysqli` and PDO objects)

**Perl:** `->selectall_arrayref|->selectrow_array|->prepare\(|->do\b`

For each hit, check whether the SQL string is constructed by concatenating user-controlled data. The presence of string fragments like `" WHERE ` + variable or `"SELECT * FROM ` + variable adjacent to a `createStatement` / `execute` call is a strong indicator.

**Contrast with safe patterns:** Presence of `prepareStatement` (Java), `.Parameters.Add` (ASP.NET), `mysqli->prepare` / `stmt->bind_param` (PHP), or `->prepare` / `->execute` (Perl) indicates parameterized queries. Confirm two things: that user data actually reaches the query through bound parameters, and that the SQL string passed to `prepare` does not itself embed concatenated user input (`prepareStatement("... WHERE id = " + id)` is still injectable). Parameters cannot bind identifiers, so table names, column names and `ORDER BY` clauses are where concatenation most often survives in otherwise parameterized code.

**Database stored procedures:** Extend this search to stored procedure definitions (`.sql` files, embedded SQL strings). A web application calling a parameterized stored procedure is safe only if the procedure itself does not construct dynamic SQL from its parameters. Search stored procedure code for dynamic SQL execution keywords: `EXEC`, `EXECUTE` and `sp_executesql` applied to a concatenated string (MS-SQL, Sybase), `EXECUTE IMMEDIATE` (Oracle, DB2), `EXECUTE` (PostgreSQL PL/pgSQL), and `PREPARE ... FROM` (MySQL).
If user-supplied procedure parameters are concatenated into these dynamic SQL strings, SQL injection exists in the database tier even when the application tier uses parameterized calls.

---

#### 2.3: Path Traversal

**Grep for filesystem APIs:**

**Java:** `new File\(|FileInputStream|FileOutputStream|FileReader|FileWriter|Paths\.get\(|Files\.`

**ASP.NET:** `System\.IO\.File\.|FileStream\(|StreamReader\(|StreamWriter\(|Path\.Combine\(` (`Path.Combine` returns the second argument unchanged when it is rooted, so it does not confine user input to the first argument)

**PHP:** `fopen\(|readfile\(|file\(|file_get_contents\(|file_put_contents\(|fpassthru\(|unlink\(|include|require|include_once|require_once` (`include` and `require` are language constructs and are frequently written without parentheses, so do not anchor the pattern on `(`)

**Perl:** `open\s*\(|sysopen\s*\(` (the two-argument `open` form also treats a leading or trailing `|` as a pipe to a command, so a user-controlled filename there is command injection as well as traversal)

For each hit, determine whether the filename parameter incorporates user-controlled data. The most common pattern is user data appended to a hard-coded base directory:
```csharp
// Vulnerable: userInput is appended to the base path without any check
FileStream fs = new FileStream("C:\\temp\\" + userInput, FileMode.Open);
```
This is vulnerable unless `userInput` is canonicalized (for example with `Path.GetFullPath`) and the result is verified to lie under the intended base directory. Rejecting `..` is a denylist and falls to encoded or platform-specific variants; checking the resolved path is the allowlist.

**For PHP `include()` / `require()`:** Also check whether the included file path can resolve to a remote URL (if `allow_url_include` is enabled in `php.ini`).
If it can, the result is Remote File Inclusion (RFI), which gives arbitrary code execution; with `allow_url_include` off the same code is still Local File Inclusion, and stream wrappers such as `php://filter` work regardless of that setting.

**Grep for filename-related parameter names** as a quick surface finder:
```
AttachName|filename|filepath|file=|path=|template=|page=|include=
```

---

#### 2.4: Arbitrary Redirection

**Grep for redirect APIs:**

**Java:** `sendRedirect\(|setStatus\(|setHeader\(|addHeader\(` (a 3xx status plus a `Location` header set by hand is a redirect that a `sendRedirect` grep misses)

**ASP.NET:** `Response\.Redirect\(|HttpResponse\.Redirect\(|Response\.Status|Response\.StatusCode|Response\.AddHeader|Server\.Transfer`
Note: `Server.Transfer` changes the page processed server-side without issuing an HTTP redirect, so it cannot be exploited for external redirects, but it can still be used for internal access control bypass.

**PHP:** `http_redirect\(|header\s*\(.*Location|HttpMessage::setResponseCode|HttpMessage::setHeaders`

**Perl:** `->redirect\(`

For each hit, check whether the redirect URL string is constructed from user-controllable data (e.g., a `refURL` query string parameter, a `ReturnUrl` form field). Also check client-side JavaScript for redirect patterns:
```javascript
document.location = target;
window.location.href = url;
location.replace(url);
location.assign(url);
```
Trace whether the URL value originates from a DOM source (`document.URL`, `document.referrer`, `location.search`).
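As an added example covering the path check in 2.3 and the redirect check in this section (written for this page; not code from the skill or the Handbook), the Python below puts the vulnerable order next to the fixed one. The base directory `/srv/files`, the `framework_param()` stand-in for a framework that percent-decodes the query string once before the handler sees it, and the sample inputs are assumptions for the demo.

```python
"""Canonicalize first, then validate: the rule behind the path check in 2.3,
the redirect check in 2.4 and the 'post-validation canonicalization' principle.

Added example, not code from the page, the skill or the Handbook. The base
directory /srv/files, the one-decode framework stand-in and the sample inputs
are assumptions for the demo.
"""
import os
import re
from urllib.parse import unquote


# ---- 2.3: path traversal ---------------------------------------------------

def strip_dotdot_once(user_path):
    """Denylist 'sanitizer' seen in real code: delete '../' and hope.
    Deleting once turns '....//' into '../', so the filter defeats itself."""
    return user_path.replace("../", "")


def is_within_base(base_dir, user_path):
    """Allowlist by location: resolve the final path, then require it to sit
    inside base_dir. Absolute user paths (os.path.join discards the base for
    them), '..' segments and symlinks are all handled by the resolution step
    instead of by pattern matching on the raw string."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return target == base or target.startswith(base + os.sep)


# ---- 2.4: redirect target validation ---------------------------------------

def framework_param(raw_query_value):
    """Stand-in for the framework's query-string parsing: exactly one decode."""
    return unquote(raw_query_value)


def redirect_check_then_decode(raw_query_value):
    """The vulnerable order from the page: reject '//' on the value the
    framework handed over, then unescape it again before use.
    Returns the redirect target, or None if the check rejected it."""
    value = framework_param(raw_query_value)
    if "//" in value:
        return None
    return unquote(value)          # the bug: another decode after the check


def decode_to_fixed_point(value, max_layers=4):
    """Undo nested percent-encoding until nothing changes; give up (None) on
    absurd nesting rather than loop forever."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


# Site-relative path only: one leading '/', no second '/' or '\' (which would
# make it protocol-relative), no scheme, and a conservative character set.
LOCAL_PATH_RE = re.compile(r"^/(?![/\\])[A-Za-z0-9_./?=&-]*$")


def redirect_decode_then_check(raw_query_value):
    """Fixed order: canonicalize completely, then allowlist the result."""
    target = decode_to_fixed_point(framework_param(raw_query_value))
    if target is None or not LOCAL_PATH_RE.match(target):
        return None
    return target


if __name__ == "__main__":
    print(strip_dotdot_once("....//etc/passwd"))                              # ../etc/passwd
    print(is_within_base("/srv/files", strip_dotdot_once("....//etc/passwd")))  # False
    print(redirect_check_then_decode("%252f%252fevil.example"))                # //evil.example
    print(redirect_decode_then_check("%252f%252fevil.example"))                # None
```

`redirect_check_then_decode("%252f%252fevil.example")` returns `//evil.example`: the framework's decode leaves `%2f%2f`, which contains no `//`, and the second `unquote` produces the protocol-relative URL after the check has already passed. The fixed version decodes to a fixed point first and then accepts only a site-relative path, so the same input is rejected, as are `javascript:` and absolute URLs. The path helper shows the matching idea for 2.3: resolving the path and checking containment catches `../../etc/passwd`, `/etc/passwd` and the `....//` remnant that the strip-once filter hands through.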
After-validation canonicalization is a common bypass path: if the code calls `unescape()` after checking for `//`, the check is defeated by encoding the slashes one layer deeper than the check expects (`%252f%252f` when the framework has already decoded the value once before the check runs).

---

#### 2.5: OS Command Injection

**Grep for OS command execution APIs:**

**Java:** `Runtime\.getRuntime\(\)\.exec|Runtime\.exec\(|ProcessBuilder\(`

**ASP.NET:** `Process\.Start\(|ProcessStartInfo`

**PHP:** `\bexec\s*\(|passthru\(|popen\(|proc_open\(|shell_exec\(|system\(`, and the backtick operator `` `command` ``

**Perl:** `system\s*\(|\bexec\s*\(|qx/|qx\(`, and the backtick operator

**C/C++ (native components):** `system\(|popen\(|execve\(|execl\(|execvp\(`

For each hit, determine whether user-controlled data forms part of the command string. Whether shell metacharacters matter depends on how the command is launched. `Runtime.exec(String)` in Java does not invoke a shell: it splits the string on whitespace into an argument array and runs the program directly, so `;` and `|` are inert there, but an attacker who controls part of the string can still add whitespace-separated arguments. `Runtime.exec(String[])` and `ProcessBuilder` take the arguments as separate elements and do not split them at all. The shell is back in play whenever the code builds `sh -c` or `cmd /c` plus a user string, and always for PHP `exec`/`system`, single-string Perl `system`, and C `system()`/`popen()`. Partial control of the command string may still be exploitable via argument injection (injecting command-line flags rather than shell metacharacters), so check whether a value beginning with `-` is accepted.

---

#### 2.6: Backdoor Passwords and Hidden Debug Functions

**Grep for hardcoded credential patterns in authentication logic:**
```
equals\(".*"\)|\.equals\('.*'\)|==\s*["']
password.*==|password.*equals|"admin"|"password"|"secret"
```

**Grep for incriminating source code comments:**
```
// bug|// problem|// bad|// hope|// todo|// fix|// overflow
// crash|// inject|// xss|// trust|# bug|# hack|# fixme
# todo|# xxx
```

These comment searches often surface developer-acknowledged vulnerabilities that were never resolved, temporary workarounds that became permanent, or security test code that was never removed.
Example seen in production code:
```c
char buf[200]; // I hope this is big enough
strcpy(buf, userinput);
```

**Also look for:** Unreferenced functions accessible via hidden URL parameters, `debug=1` style logic branches, IP address allowlists that bypass authentication.

---

#### 2.7: Native Software Bugs (C/C++ components)

**Buffer overflow: grep for unchecked buffer manipulation APIs:**
```
\bstrcpy\b|\bstrcat\b|\bmemcpy\b|\bsprintf\b|\bgets\b|\bscanf\b|\bsscanf\b
```
Also: their wide-character variants (`wcscpy`, `wcscat`, `swprintf`) and the bounded forms (`strncpy`, `strncat`, `snprintf`), which are misused often enough to be worth listing. For each hit, verify whether the destination buffer is large enough to accommodate the source data, and whether the source length is bounded. Even `strncpy` can be misused: check whether the size argument is `strlen(src)` rather than `sizeof(dst)` (the former still overflows if `src` exceeds `dst`'s size), and remember that `strncpy` does not NUL-terminate when the source fills the buffer.

**Integer vulnerabilities: grep for signed/unsigned comparisons:**
```
len\s*<\s*sizeof|size\s*<\s*sizeof|length\s*<\s*sizeof
```
`sizeof()` yields an unsigned `size_t`, so when a signed `len` is compared against it the signed operand is converted to unsigned: a negative `len` becomes a huge value and fails a `len < sizeof(buf)` check rather than passing it. The hits therefore mark code that mixes signed and unsigned sizes, and the exploitable variants are usually nearby: a check against a signed limit (`if (len > MAX_LEN)`) that a negative `len` passes before `memcpy` converts it to a huge `size_t`; a length computed as `len + header` or `len - 1` that wraps; or a `len` truncated to a narrower type after the check.

**Format string vulnerabilities: grep for uncontrolled format strings:**
```
\bprintf\s*\(\s*[^"]|\bfprintf\s*\(\s*[^,]+,\s*[^"]|\bsyslog\s*\(\s*[^,]+,\s*[^"]
```
The same check applies to `sprintf`/`snprintf` (the format is the second or third argument) and to any wrapper that forwards a format string. The dangerous pattern is `printf(userInput)` instead of `printf("%s", userInput)`. If the format string parameter is user-controllable, the attacker controls the format specifiers: `%x` reads memory off the stack and `%n` writes to an attacker-chosen address, which is enough for code execution.

---

### Phase 3: Line-by-Line Review of High-Risk Components

**ACTION:** Select the components listed below for close sequential reading.
The goal is not to find every vulnerability via signatures, but to understand the security logic and find flaws in its design or implementation: race conditions, time-of-check/time-of-use issues, bypasses enabled by edge cases, incorrect trust assumptions.

**WHY:** Many serious vulnerabilities are not detectable by grep; they require understanding the surrounding logic. An authentication bypass may exist because a conditional check that should be `&&` is `||`. A session fixation vulnerability requires reading the session initialization flow end-to-end. These subtler issues are common in precisely the most security-critical code.

**Components to read line-by-line:**

1. **Authentication mechanisms**: login logic, password comparison, account lockout, password reset flow, multi-factor verification. Look for: timing-based username enumeration, bypass conditions (OR instead of AND in credential checks), hardcoded fallback credentials, insecure token generation for password reset, passwords compared or stored in plaintext rather than through a slow salted hash.

2. **Session management**: session token generation, storage, validation, and invalidation. Look for: use of `java.util.Random`, `Math.random()`, PHP `rand()`/`mt_rand()` or similar non-cryptographic generators instead of `SecureRandom` / `random_bytes()`, session tokens derived from user-controllable data, session fixation (token not rotated after login), logout that does not invalidate the server-side session.

3. **Access control**: per-resource authorization checks, role validation. Look for: missing checks on sensitive endpoints, checks that rely on client-supplied role data, checks placed after the sensitive operation rather than before.

4. **Application-wide input validation utilities**: any class or function named `sanitize`, `validate`, `encode`, `escape`. Look for: allowlist vs denylist (denylists are almost always bypassable), post-validation canonicalization (decoding after checking), validation applied to the wrong parameter.

5. **Interfaces to external components**: database connections, OS command helpers, file access wrappers, LDAP queries. Confirm that parameterization is consistently applied and that no code path bypasses the wrapper.

6. **Native code (C/C++) integration points**: any JNI, P/Invoke, or C extension boundary where Java/.NET managed data crosses into unmanaged memory. Data length and character set assumptions made in managed code may not hold in native code.

---

### Phase 4: Environment Configuration Review

**ACTION:** Read the platform configuration files and check the security-relevant settings below.

**WHY:** A perfectly written application can be made insecure by a misconfigured environment. Debug mode enabled in production exposes stack traces that reveal internal paths, class names, and sometimes database credentials. Permissive PHP `register_globals` creates uninitialized variable injection vectors that do not appear in the application source. Insecure cookie flags allow session token theft.

**Java (`web.xml`):**
- `login-config`: verify the authentication method; if forms-based, check that the form posts to `j_security_check` with the parameter names `j_username` and `j_password`
- `security-constraint` with `url-pattern`: verify all sensitive paths are covered; gaps mean unauthenticated access. A constraint with no `http-method` list covers every method, whereas one that lists only `GET` and `POST` leaves `HEAD`, `PUT` and arbitrary verbs unprotected
- `session-config session-timeout`: an overly long timeout widens the session hijacking window; zero or a negative value means the session never expires
- `session-config cookie-config` (Servlet 3.0+): `http-only` and `secure` should both be `true`
- `error-page`: verify error codes and exception types map to custom pages (not stack traces)
- `init-param` on the container's default servlet (Tomcat's `DefaultServlet`): check `listings` is `false` and `debug` is `0`

**ASP.NET (`Web.config`):**
- `httpCookies httpOnlyCookies="true"`: keeps script from reading the session cookie, which limits what an XSS can steal; `requireSSL="true"` prevents cookie transmission over HTTP
- `sessionState timeout`: session lifetime
- `compilation debug="false"`: debug builds expose internals
- `customErrors mode="On"` or `"RemoteOnly"`: prevents detailed error disclosure to users
- `httpRuntime enableHeaderChecking="true"` (default):
encodes CR/LF in header values set from code, blocking response-header injection; `enableVersionHeader="false"`: prevents version disclosure

**PHP (`php.ini`):**
- `register_globals = Off`: if On, every request parameter becomes a global variable; it must be Off for any application not specifically written for it (deprecated in PHP 5.3, removed in PHP 5.4)
- `display_errors = Off`: prevents PHP errors from leaking to users; use `log_errors = On` with `error_log` instead
- `allow_url_include`: if On, `include()`/`require()` can load remote URLs (Remote File Inclusion); `allow_url_fopen`: if On, `fopen()`/`file_get_contents()` and friends fetch URLs, so a file-read sink fed by user data also becomes a server-side request
- `magic_quotes_gpc`: if On, quotes in request parameters are backslash-escaped, which affects SQL injection testability; it does not protect numeric contexts or second-order injection (data read back from the database is unescaped) and says nothing about other sinks (deprecated in PHP 5.3, removed in PHP 5.4)
- `safe_mode`: if On, restricts `shell_exec`, `exec` and file access paths, but it is bypassable and not a security boundary (deprecated in PHP 5.3, removed in PHP 5.4)
- `file_uploads` and `upload_tmp_dir`: confirm uploaded files are stored in a non-web-accessible temporary path

**Perl:** Check for taint mode (`-T` flag in the shebang, `#!/usr/bin/perl -T`). Taint mode marks all user input as tainted and refuses to pass tainted data to functions that affect the outside world (`system`, `exec`, backticks, `open` for writing, `unlink`, `eval` of a string) until it has been explicitly untainted through a regex capture. It does not cover output to the response, so it says nothing about XSS. If taint mode is not enabled, no framework-level protection exists against injection.
If it is enabled, verify the untainting regexes are sufficiently restrictive: an overly broad capture such as `(.*)` launders any value and defeats the protection, whereas `^([\w.-]+)$` admits only what the code actually needs.

---

### Phase 5: Document Findings

**ACTION:** For each confirmed vulnerability, record: vulnerability class, CWE identifier, severity, file path and line number(s), evidence (code snippet showing the source-to-sink flow), and countermeasure.

**Severity guidance:**
- **Critical:** OS command injection, SQL injection that reaches sensitive data, allows writes or bypasses authentication, Remote File Inclusion, backdoor credentials
- **High:** Arbitrary file read via path traversal, XSS in an authenticated context or on a sensitive page, stored XSS, SQL injection confined to non-sensitive read-only data
- **Medium:** Reflected XSS in an unauthenticated context, open redirect, Local File Inclusion (raise it when the include gives code execution, for example through an uploaded file or a poisoned log), insecure direct object reference
- **Low:** Incriminating comments, configuration weaknesses without direct exploitability, verbose error disclosure

**Output format:**
```
## Source Code Security Review - [Application Name]
Date: [date] | Reviewer: [name] | Platform: [Java/PHP/etc]
Scope: [files or modules reviewed]

### FINDING-001 - [Vulnerability Class] - [File:Line]
- CWE: CWE-NNN
- Severity: [Critical | High | Medium | Low]
- Location: [path/to/file.java:42]
- Evidence: [2-5 line code snippet showing the vulnerable pattern]
- Root cause: [1-2 sentences]
- Countermeasure: [specific fix]

## Coverage Summary
[Table: Phase | Files Reviewed | Findings]
```

---

## Inputs

- Web application source code (all server-side files, client-side JavaScript, database scripts)
- Platform configuration files (`web.xml`, `Web.config`, `php.ini`)
- Any existing SAST tool output (to focus manual effort on what tools miss)
- Scope definition: modules in scope, time budget

## Outputs

A **Source Code Security Review Report** with:
- Per-finding entries (class, CWE, severity, location, evidence,
countermeasure)
- Coverage summary (phases completed, files reviewed, findings count by severity)
- Prioritized remediation list

---

## Key Principles

- **White-box finds a different population of bugs than black-box.** Backdoor passwords, condition-guarded logic flaws, and vulnerabilities that only activate for specific secondary parameter values are nearly impossible to find by fuzzing. Code review is not a replacement for behavioral testing; it is a complement that finds what fuzzing cannot, and behavioral testing confirms which code-level findings are reachable.

- **Trace the full data flow, source to sink.** A dangerous API call is only a vulnerability if user-controlled data reaches it without adequate sanitization. Conversely, code that stores user data in a class field and later passes that field to a dangerous API is vulnerable even if the API call looks harmless in isolation. Never confirm or dismiss a finding without tracing the full path.

- **Denylists fail; allowlists hold.** Filters that block known-bad patterns (`../`, `<script>`, single quote) are routinely bypassed via URL encoding, Unicode encoding, case variation, or application-specific decoding. An application that validates input by allowlisting known-safe characters and rejecting everything else is structurally more robust. When you see a denylist filter protecting a dangerous API, treat it as a weak mitigant and look for bypasses.

- **Post-validation canonicalization is always a bug.** Any decoding, unescaping, or canonicalization performed after validation defeats the validation.
If the framework has already decoded the query string once, the application then checks the value for `//`, and only afterwards calls `unescape()` on it, an attacker encodes the slashes twice (`%252f%252f`, percent-encoding the percent sign): the framework's decode yields `%2f%2f`, which passes the check, and `unescape()` then turns it into `//`.

- **Configuration is part of the attack surface.** PHP `register_globals`, ASP.NET debug mode, and Java `listings=true` each create vulnerabilities that are not visible anywhere in the application source files. Always read the configuration files as part of the review scope.

- **Database stored procedures are not automatically safe.** Using parameterized calls from application code to invoke a stored procedure prevents SQL injection in the application tier, but if the stored procedure itself constructs dynamic SQL by concatenating its parameters, the vulnerability simply moves one layer deeper. Include stored procedure and trigger code in the review scope.

---

## Examples

**Scenario: Penetration test with source access, Java banking application**
Trigger: "We're granting you source access for this pentest. The application handles fund transfers and user account management."
Process:
1. Phase 1: Grep for `getParameter` finds 47 call sites. Note `request.getParameter("title")` stored in the `m_pageTitle` field in `PageController.java:88`.
2. Phase 2.1 (XSS): Grep for `out.println` finds `out.println(link)` in `ReportView.java:204`. Trace `link` backward: it is built by string concatenation from `URLDecoder.decode(request.getParameter("refURL"), "UTF-8")` without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace `m_pageTitle` forward: it is written into the `<title>` element by the template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires `type=3`).
3. Phase 2.2 (SQL injection): Grep for `createStatement` finds `s.executeQuery("SELECT name, accno FROM TblCustomers WHERE " + SqlWhere)` in `CustomerSearch.java:156`. `SqlWhere` is built from `request.getParameter("CID")`. Confirmed SQL injection (CWE-89, Critical).
4. Phase 2.6 (Backdoor): Line-by-line review of `AuthService.java` finds `if (checkCredentials(up, password) || "oculiomnium".equals(password)) return up;`. The hardcoded backdoor password grants access to any account (CWE-798, Critical).
Output: 4 findings: Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace `createStatement` with `prepareStatement` and bind `CID` as a parameter; remove the hardcoded password; HTML-encode all output via `HtmlUtils.htmlEscape()`.

---

**Scenario: Pre-launch PHP e-commerce application review**
Trigger: "We're launching next month. Please review our PHP codebase for security issues before we go live."
Process:
1. Phase 1: Grep for PHP input sources finds `$_GET`, `$_POST`, `$_COOKIE` in 23 files. Check `php.ini`: `register_globals = On` on their dev server; flag immediately.
2. Phase 2.3 (Path traversal + RFI): Grep for `include` finds `include($_GET['page'] . '.php')` in `main.php:12`. Nothing in the code restricts the value. Check `php.ini`: `allow_url_include = 1`. Confirmed Remote File Inclusion (CWE-98, Critical). Also: `allow_url_fopen = 1` and `display_errors = On` in the production config.
3. Phase 2.2 (SQL injection): Grep for `mysql_query(` finds `mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")` in `login.php:34`. Both variables come from `$_POST` without escaping. Confirmed SQL injection (CWE-89, Critical). `magic_quotes_gpc = Off` confirms no runtime escaping is active.
4. Phase 2.5 (OS command injection): Grep for `exec(` finds `exec("convert " . $_POST['filename'] . " -resize 100x100 output.jpg")` in `image.php:67`.
Confirmed OS command injection via shell metacharacters (CWE-78, Critical); a filename beginning with `-` also reaches `convert` as an option, so argument injection applies even without metacharacters.
5. Phase 4 (Config): `display_errors = On` in `php.ini` leaks file paths, stack traces and database connection details to anyone who triggers an error (Low on its own; raise it if credentials appear in the output). `register_globals = On` creates uninitialized variable injection vectors (High).
Output: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable `allow_url_include` and `allow_url_fopen`; replace `mysql_query` with `mysqli->prepare` and bound parameters; replace the shell `exec` with the Imagick extension, or at minimum pass an allowlisted filename through `escapeshellarg()` and reject names starting with `-`; set `display_errors = Off` and `log_errors = On`; set `register_globals = Off`.

---

**Scenario: Security audit of a PHP/JavaScript SPA, focus on client-side and database tier**
Trigger: "Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture."
Process:
1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks finds `url = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;` in `redirect.js:22`. The script checks for `//` to block absolute URLs but calls `unescape()` afterward. Confirmed DOM-based open redirect and XSS via `?redir=%2500javascript:alert(1)` (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.
2. Phase 2.2 (Stored procedure SQL injection): Review of the `.sql` migration files finds:
   ```sql
   CREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS
   DECLARE @sql nvarchar(4000)
   SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' +
                 'searchstring = ''' + @name + ''''
   EXEC (@sql)
   GO
   ```
   Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from `@name`: confirmed stored procedure SQL injection (CWE-89, High).
3. Phase 3 (Session management): Line-by-line review of the API's `TokenGenerator.php` finds session tokens built from `mt_rand()` output, a Mersenne Twister generator that is not cryptographically secure. Session tokens are predictable given sufficient samples (CWE-338, High).
Output: 3 High findings: DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. Countermeasures: remove the `unescape()` call from the redirect script and allowlist a site-relative target; rewrite the stored procedure using `sp_executesql` with a parameterized query; generate tokens with `random_bytes()`.

---

## References

- Per-platform source and sink API tables: [platform-api-reference.md](references/platform-api-reference.md)
- Environment configuration security settings: [environment-config-reference.md](references/environment-config-reference.md)
- CWE and OWASP mapping for findings: [vuln-cwe-owasp-mapping.md](references/vuln-cwe-owasp-mapping.md)
- Source: Stuttard, D. & Pinto, M. (2011). *The Web Application Hacker's Handbook* (2nd ed.), Chapter 19: "Finding Vulnerabilities in Source Code," pp. 701-745. Wiley.

## License

This skill is licensed under [CC-BY-SA-4.0](https://creativecommons.org/licenses/by-sa/4.0/).
Source: [BookForge](https://github.com/bookforge-ai/bookforge-skills): The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto.

## Related BookForge Skills

This skill is standalone.
Browse more BookForge skills: [bookforge-skills](https://github.com/bookforge-ai/bookforge-skills)
"])</script>
Suitable for code-generation skills.\"}],[\"$\",\"div\",null,{\"className\":\"agent-link\",\"children\":[\"Copilot Workspace\",\" β†’\"]}]]}]]}]]}]\n"])</script><script>self.__next_f.push([1,"28:[\"$\",\"div\",null,{\"className\":\"cta-banner\",\"children\":[[\"$\",\"div\",null,{\"children\":[[\"$\",\"p\",null,{\"className\":\"cta-title\",\"children\":\"πŸ” Can't find the right skill?\"}],[\"$\",\"p\",null,{\"className\":\"cta-sub\",\"children\":\"Search 60,000+ AI agent skills β€” free, no login needed.\"}]]}],[\"$\",\"a\",null,{\"href\":\"/\",\"className\":\"btn-primary\",\"style\":{\"fontSize\":\".88em\",\"padding\":\"10px 22px\"},\"children\":\"Search Skills β†’\"}]]}]\n29:[\"$\",\"div\",null,{\"className\":\"two-col-side\",\"children\":[\"$\",\"$L2a\",null,{\"category\":\"clawhub\",\"currentSlug\":\"bookforge-source-code-security-review\",\"name\":\"Source Code Security Review\",\"tags\":[\"security\",\"legal\"]}]}]\n"])</script></body></html>