scanning-input-validation-practices

This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis.

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill scanning-input-validation-practices

What are skills?

1.09x

Quality

60%

Does it follow best practices?

Impact

90%

1.09x

Average score across 12 eval scenarios

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/input-validation-scanner/skills/input-validation-scanner/SKILL.md

SKILL.md

Review

Evals

Evaluation results

100%

28%

Security Audit: User Profile Module

XSS vulnerability scanning

Criteria

Without context

With context

Plugin invoked

100%

Plugin on target file

100%

XSS in template literals

100%

XSS in script block

100%

SQL injection in SELECT

100%

SQL injection in UPDATE

100%

Code locations reported

100%

Contextual impact assessment

100%

Website URL XSS vector

100%

Both routes covered

100%

Without context: $0.1769 · 2m 53s · 9 turns · 10 in / 3,605 out tokens

With context: $0.4891 · 5m 23s · 25 turns · 25 in / 7,160 out tokens

86%

14%

Security Review: Inventory Management Backend

SQL injection and command injection scanning

Criteria

Without context

With context

Plugin invoked

40%

Plugin on target file

75%

SQL injection in search_products

100%

SQL injection in get_order_history

100%

Non-parameterized query detail

100%

Command injection in export_report

100%

Command injection in delete_product

100%

Code locations reported

100%

Contextual risk assessment

100%

SQL injection in delete_product

100%

Without context: $0.2439 · 2m 51s · 12 turns · 13 in / 4,162 out tokens

With context: $0.4655 · 5m 3s · 26 turns · 296 in / 6,072 out tokens

86%

Hardening Review: Customer Support Portal

Comprehensive multi-surface input validation audit

Criteria

Without context

With context

Plugin invoked

22%

Web form surface covered

100%

API surface covered

100%

Webhook surface covered

100%

XSS in tickets.js

100%

SQL injection findings

100%

Command injection in API

100%

XSS in webhook handler

100%

Code locations reported

100%

Contextual severity assessment

100%

Methodology soundness

100%

Without context: $0.3406 · 4m 13s · 15 turns · 16 in / 6,164 out tokens

With context: $0.5112 · 5m 2s · 24 turns · 1,124 in / 7,562 out tokens

83%

FinTech API Security Review

Dependency and code validation audit

Criteria

Without context

With context

Plugin invoked

33%

SQL injection in payment creation

100%

SQL injection in refund route

100%

SQL injection in history query

100%

SQL injection in merchant search

100%

Command injection in refund logger

100%

Dependency check performed

21%

35%

Dependency findings noted

100%

Code locations reported

100%

Financial contextual severity

100%

Both layers covered

100%

Without context: $0.3865 · 4m 6s · 12 turns · 15 in / 8,846 out tokens

With context: $0.8049 · 7m 18s · 31 turns · 325 in / 13,543 out tokens

97%

Authentication Service Security Audit and Hardening Plan

Security workflow integration

Criteria

Without context

With context

Plugin invoked

70%

SQL injection in register

100%

SQL injection in login

100%

SQL injection in admin search

100%

SQL injection in password change

100%

Command injection in audit logger

100%

All five routes covered

100%

Regular scanning recommendation

100%

Actionable integration steps

100%

Code locations reported

100%

Contextual severity

100%

Without context: $0.2938 · 4m · 12 turns · 15 in / 6,099 out tokens

With context: $0.6147 · 6m 10s · 25 turns · 287 in / 10,039 out tokens

91%

Registration API Security Verification

Insufficient validation detection

Criteria

Without context

With context

Plugin invoked

25%

Insufficient validation framing

100%

Reset-password SQL injection

100%

Comments XSS via content

100%

Comments XSS via author

100%

Search SQL injection

100%

All four endpoints analyzed

100%

Bypass mechanism in register

100%

Bypass mechanism in comments

100%

Without context: $0.3409 · 3m 42s · 16 turns · 16 in / 6,011 out tokens

With context: $0.6075 · 7m 12s · 29 turns · 111 in / 9,089 out tokens

100%

12%

Shipping Aggregator Webhook Security Review

External source data validation

Criteria

Without context

With context

Plugin invoked

100%

External sources framed as untrusted

100%

SQL injection in handleDeliveryEvent

100%

SQL injection in handleLocationUpdate

100%

Command injection in handleLocationUpdate

100%

SQL injection in syncPartnerStatus

100%

XSS in generateStatusPage

100%

addslashes inadequacy noted

100%

Code locations specified

100%

Contextual impact assessment

100%

Both files scanned

100%

Without context: $0.2929 · 2m 51s · 10 turns · 11 in / 5,932 out tokens

With context: $0.5198 · 5m 29s · 24 turns · 57 in / 8,507 out tokens

92%

Community Forum User Content Security Review

Frontend React XSS scanning

Criteria

Without context

With context

Plugin invoked

33%

XSS in UserProfile bio

100%

XSS in UserProfile badges

100%

URL XSS in UserProfile website

100%

XSS in PostRenderer body

100%

XSS in PostRenderer editReason

100%

XSS in PostRenderer dmPreview

100%

XSS in MessageThread messages

100%

Component-level locations

100%

All three files scanned

100%

Contextual impact assessment

100%

dangerouslySetInnerHTML identified as risk pattern

100%

Without context: $0.2323 · 2m 50s · 10 turns · 11 in / 4,886 out tokens

With context: $0.6818 · 7m 23s · 34 turns · 29 in / 10,388 out tokens

99%

Healthcare Portal Comprehensive Security Assessment

Security skill integration audit

Criteria

Without context

With context

Plugin invoked for code

90%

Dependency scanning mentioned

100%

SQL injection in search_appointments

100%

SQL injection in submit_intake

100%

Command injection in submit_intake

100%

SQL injection in send_message

100%

SQL injection in view_profile

100%

XSS in view_profile

100%

Jinja2 safe filter risk

100%

Vulnerable dependency identified

100%

Healthcare contextual impact

100%

Integrated remediation output

100%

Without context: $0.5030 · 5m 27s · 18 turns · 19 in / 9,974 out tokens

With context: $0.7125 · 7m 4s · 26 turns · 107 in / 13,238 out tokens

93%

Security Review: Financial Reporting API

Go REST API comprehensive input validation audit

Criteria

Without context

With context

Plugin invoked

75%

SQL injection in user search

100%

SQL injection in report query

100%

Command injection in file processor

100%

XSS in HTML report endpoint

100%

Go-specific SQL safe pattern noted

100%

50%

text/template vs html/template distinction

100%

All three surfaces covered

100%

Code locations reported

100%

Contextual severity assessment

100%

External data sources treated as untrusted

100%

Without context: $0.3761 · 3m 37s · 14 turns · 15 in / 6,432 out tokens

With context: $0.6205 · 6m 2s · 26 turns · 26 in / 9,415 out tokens

69%

-1%

Security Assessment: Employee Portal Web Application

Java servlet scanning with static analysis integration

Criteria

Without context

With context

Plugin invoked

70%

Static analysis tool mentioned

SQL injection in LoginServlet

100%

SQL injection in SearchServlet

100%

XSS in SearchServlet output

100%

XSS in ProfileServlet output

100%

Command injection in ReportServlet

100%

JDBC PreparedStatement noted as fix

100%

Code locations reported

100%

Contextual severity assessment

100%

Combined output produced

Without context: $0.2919 · 2m 57s · 11 turns · 12 in / 5,272 out tokens

With context: $0.7008 · 6m 45s · 33 turns · 28 in / 10,808 out tokens

94%

Security Audit: Community Publishing Platform

Ruby on Rails XSS and SQL injection scanning

Criteria

Without context

With context

Plugin invoked

50%

html_safe XSS in comments

100%

html_safe XSS in user bio

100%

SQL injection in search

100%

SQL injection in user lookup

100%

Command injection in file processing

100%

html_safe vs sanitize distinction

87%

100%

ActiveRecord string interpolation explained

100%

Code locations reported

100%

Contextual impact assessment

100%

All input surfaces covered

100%

Without context: $0.2452 · 3m 5s · 10 turns · 11 in / 4,639 out tokens

With context: $0.5997 · 3m 20s · 31 turns · 30 in / 8,223 out tokens

Evaluated: 5 days ago
Agent: Claude Code
Model: Claude Sonnet 4.6

Table of Contents

Security Audit: User Profile Module Security Review: Inventory Management Backend Hardening Review: Customer Support Portal FinTech API Security Review Authentication Service Security Audit and Hardening Plan Registration API Security Verification Shipping Aggregator Webhook Security Review Community Forum User Content Security Review Healthcare Portal Comprehensive Security Assessment Security Review: Financial Reporting API Security Assessment: Employee Portal Web Application Security Audit: Community Publishing Platform

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.