A Claude Code skill that performs static analysis on JavaScript files to find API endpoints, URLs, secrets, emails, and
🤖 Claude Code skill for JavaScript static analysis - detect endpoints, URLs, secrets, and security issues with TOON format support for efficient LLM consumption.
Primary use: Claude Code skill via /analyze-js command
Secondary use: Standalone CLI tool via npx js-analyzer-cli
Simplest way to use this tool - as a Claude Code skill:
User: analyze-js bundle.js
User: analyze-js src/ dist/
User: analyze-js --verbose frontend/
That's it! No installation needed if using in this project.
Claude Code skills are reusable commands that you can invoke directly in conversations with Claude. This project provides an analyze-js skill that makes JavaScript security analysis seamless and context-aware.
Benefits:
Option 1: Use in this project (no installation)
The skill is automatically available when you're in this project directory. Claude Code detects skills from the .claude/skills/ directory.
Option 2: Install globally for use anywhere
# 1. Install the CLI tool globally
bun install -g js-analyzer-cli
# or: npm install -g js-analyzer-cli
# 2. Copy the skill to your project
mkdir -p .claude/skills/analyze-js
curl -o .claude/skills/analyze-js/SKILL.md \
https://raw.githubusercontent.com/xrip/claude-skill-analyze-js/master/.claude/skills/analyze-js/SKILL.md
# 3. Update SKILL.md to use global command
# Change: bunx --bun js-analyzer-cli
# To: js-analyzer
Option 3: Use with npx (no installation)
# Copy the skill file
mkdir -p .claude/skills/analyze-js
curl -o .claude/skills/analyze-js/SKILL.md \
https://raw.githubusercontent.com/xrip/claude-skill-analyze-js/master/.claude/skills/analyze-js/SKILL.md
# The skill will use: npx js-analyzer-cli
# (already configured in SKILL.md)
In Claude Code, simply use the skill naturally:
User: analyze-js bundle.js
User: analyze-js src/
User: analyze-js --verbose dist/
User: analyze-js frontend/ backend/
User: analyze-js --format=json app.js
Or in natural language:
User: Can you analyze the bundle.js file for security issues?
User: Check dist/ for API endpoints and secrets
User: What bundler is this application using?
When you invoke the skill, Claude will:
file:line:column format (clickable in most IDEs)
1. Security Analysis:
User: I downloaded bundle.js from example.com. Can you analyze it for security issues?
Claude: [Runs analyze-js bundle.js]
Found 23 findings:
- 🔴 2 AWS keys at bundle.js:1247:15 and bundle.js:2891:22
- ⚠️ Admin endpoint /admin/users at bundle.js:234:12
- 12 API endpoints
- Webpack 5.88.2 detected
2. Technology Fingerprinting:
User: analyze-js dist/app.js
Claude: Detected build tools:
- Vite 4.3.9
- Rollup 3.26.0 (used by Vite internally)
3. Multiple Directories:
User: analyze-js src/ public/js/
Claude: Scanning 45 files across 2 directories...
Summary: 67 findings
- 34 endpoints
- 12 URLs
- 3 secrets (masked)
- 18 other items
4. Combined Workflows:
User: Download JS from https://example.com/app.js and analyze it
Claude: [Downloads file]
Claude: [Runs analyze-js app.js]
Claude: Security analysis complete. Here's what I found...
User: Create a security report from those findings
Claude: [Generates detailed report with recommendations]
📊 Analysis Results for bundle.js
Summary:
- Total findings: 28
- Endpoints: 12
- Secrets: 3 (masked for safety)
- URLs: 5
- Bundler: Webpack 5.88.2
🔴 Critical Findings:
• AWS Access Key at bundle.js:1247:15
Value: AKIA...AMPLE (masked)
• Stripe Live Key at bundle.js:3891:22
Value: sk_live_51...d9sK (masked)
• Admin endpoint: /admin/users/delete at bundle.js:234:12
⚠️ Notable Endpoints:
• /api/v1/users at bundle.js:42:15
• /oauth/token at bundle.js:105:18
• /graphql at bundle.js:67:14
🔧 Build Information:
• Webpack 5.88.2 at bundle.js:1:15
To use this skill in any project:
Quick method (npx/bunx - no installation):
# In your project directory
mkdir -p .claude/skills/analyze-js
# Download the skill file
curl -o .claude/skills/analyze-js/SKILL.md \
https://raw.githubusercontent.com/xrip/claude-skill-analyze-js/master/.claude/skills/analyze-js/SKILL.md
The skill is pre-configured to use npx js-analyzer-cli which works without installation.
For better performance, use bunx:
Edit .claude/skills/analyze-js/SKILL.md and change the command to:
bunx --bun js-analyzer-cli [OPTIONS] <paths...>
For fastest execution (global install):
# Install globally first
bun install -g js-analyzer-cli
# Then in SKILL.md, use:
js-analyzer [OPTIONS] <paths...>
While the primary use case is as a Claude Code skill, you can also use this as a standalone CLI tool.
Option 1: npx (no installation)
npx js-analyzer-cli <files>
Option 2: bunx (faster)
bunx --bun js-analyzer-cli <files>
Option 3: Global installation
# With bun (recommended)
bun install -g js-analyzer-cli
# Or with npm
npm install -g js-analyzer-cli
# Then use:
js-analyzer <files>
# Analyze a single file
js-analyzer file.js
# Analyze a directory (recursive)
js-analyzer src/
# Analyze multiple paths
js-analyzer dist/ lib/ app.js
The tool automatically:
.js, .jsx, .mjs files
node_modules/ and hidden directories (.git/, etc.)
# Recursive scan (default)
js-analyzer src/
# Non-recursive (only top-level files)
js-analyzer --no-recursive src/
# Multiple directories
js-analyzer frontend/ backend/
# Pretty print JSON output
js-analyzer --pretty dist/
# Verbose mode (shows progress and file count)
js-analyzer --verbose src/
# TOON format output (optimized for LLMs)
js-analyzer --format=toon src/
# Combine flags
js-analyzer --pretty --verbose --no-recursive bundle/
TOON (default):
js-analyzer app.js
TOON format is the default output, optimized for Large Language Models (LLMs) with:
file:line:column location format
@toon-format/toon library
Example TOON output:
__comment: "JS Analyzer Results - Generated: 2026-01-06T20:45:12.345Z"
summary:
  total: 13
  endpoints: 4
  urls: 1
  secrets: 0
  emails: 0
  files: 0
  bundlers: 1
findings:
  endpoints[4 ]{value location}:
    /api/v1/users app.js:42:15
    /api/v1/posts app.js:58:23
    /oauth/token app.js:105:18
    /graphql app.js:9:14
  urls[1 ]{value location}:
    https://api.example.com app.js:67:20
  bundlers[1 ]{value location}:
    Webpack 5.88.2 app.js:1:15
Location format: file:line:column - click to navigate in most IDEs and terminals.
Learn more: TOON Format
JSON (optional):
js-analyzer --format=json app.js
# With pretty printing
js-analyzer --format=json --pretty app.js
js-analyzer --help
js-analyzer --version
The tool outputs JSON with three main sections:
{
  "files": [
    {
      "path": "test.js",
      "status": "analyzed",
      "findings": 13
    }
  ],
  "summary": {
    "total": 13,
    "endpoints": 4,
    "urls": 2,
    "secrets": 3,
    "emails": 2,
    "files": 2,
    "bundlers": 0
  },
  "findings": {
    "endpoints": [...],
    "urls": [...],
    "secrets": [...],
    "emails": [...],
    "files": [...],
    "bundlers": [...]
  }
}
JSON Format:
Each finding includes:
Example finding:
{
  "category": "endpoints",
  "value": "/api/v1/users",
  "source": "app.js",
  "position": {
    "line": 42,
    "column": 15
  }
}
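Consuming the JSON report in a build check, as an added example that is not part of the project: `triage`, `locate` and the policy (any secret blocks, `/admin` endpoints go to review) are hypothetical, and the report shape is assumed to be exactly the one documented above.

```javascript
// Added example: triage a js-analyzer JSON report. Assumes each finding has the
// documented shape { category, value, source, position: { line, column } }.

// Constructed sample report, not real tool output.
const sampleReport = {
  files: [{ path: "app.js", status: "analyzed", findings: 3 }],
  summary: { total: 3, endpoints: 2, urls: 0, secrets: 1, emails: 0, files: 0, bundlers: 0 },
  findings: {
    endpoints: [
      { category: "endpoints", value: "/api/v1/users", source: "app.js", position: { line: 42, column: 15 } },
      { category: "endpoints", value: "/admin/dashboard", source: "app.js", position: { line: 234, column: 12 } },
    ],
    urls: [],
    secrets: [
      { category: "secrets", value: "sk_live_51...d9sK", source: "app.js", position: { line: 3891, column: 22 } },
    ],
    emails: [], files: [], bundlers: [],
  },
};

// file:line:column, the same location notation the TOON output uses.
const locate = (f) => `${f.source}:${f.position.line}:${f.position.column}`;

// Hypothetical policy: any secret blocks the build; /admin endpoints need review.
function triage(report) {
  const findings = report.findings || {};
  const blocking = (findings.secrets || []).map((f) => `${locate(f)} secret ${f.value}`);
  const review = (findings.endpoints || [])
    .filter((f) => /^\/admin(\/|$)/.test(f.value))
    .map((f) => `${locate(f)} endpoint ${f.value}`);
  // Cross-check summary counts against the arrays so a truncated report is not trusted.
  const mismatched = Object.entries(report.summary || {})
    .filter(([k]) => k !== "total" && Array.isArray(findings[k]))
    .filter(([k, n]) => findings[k].length !== n)
    .map(([k]) => k);
  return { blocking, review, mismatched, exitCode: blocking.length || mismatched.length ? 1 : 0 };
}

const result = triage(sampleReport);
console.log(result);
```

A wrapper script can pass `exitCode` to the process exit status so the build fails when a secret is reported.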
TOON Format (default):
Uses compact file:line:column notation:
endpoints[4 ]{value location}:
  /api/v1/users app.js:42:15
  /api/v1/posts app.js:58:23
  /oauth/token app.js:105:18
  /admin/dashboard app.js:234:12
This allows easy navigation to POI (Points of Interest) in your editor:
app.js:42:15
:e app.js | :42 | norm 15|
app.js:42
/api/v1/users, /api/auth/login
/graphql, /graphql/v1
/oauth/token, /oauth/authorize
/admin/dashboard, /admin/users
/.well-known/openid-configuration
https://api.example.com/data
wss://realtime.example.com/ws
https://bucket.s3.amazonaws.com/file.json
https://storage.googleapis.com/project/data
https://account.blob.core.windows.net/container/file
AKIAIOSFOD...AMPLE (AWS Key)
AIzaSyDaGm...ewQe (Google API)
sk_live_51...d9sK (Stripe Live Key)
ghp_123456...uvwx (GitHub PAT)
eyJhbGciOi...sw5c (JWT)
-----BEGIN PRIVATE KEY-----
admin@company.com, support@example.io
.env, .env.production, .env.local
database.config.yml, aws.config.json
ssl/server.pem, cert.key
backup.sql, db_dump.sql
id_rsa, id_ed25519
__vite__ signature
./utils/helper, ../lib/db
webpack, polyfill, chunk.js.css, .png, .woff
example.com, test.com, localhost
The tool automatically detects JavaScript bundlers and their versions in compiled/bundled code:
__webpack_require__, __webpack_modules__, webpackJsonp
__vite__ runtime signature
/*** Rollup (3.26.0) ***/
__parcel__ runtime signature
/* esbuild 0.18.11 */
@swc/core version strings
{
  "category": "bundlers",
  "value": "Webpack 5.88.2",
  "source": "bundle.js",
  "position": {
    "line": 1,
    "column": 25
  }
}
For runtime signatures without explicit versions:
{
  "category": "bundlers",
  "value": "Webpack (detected)",
  "source": "app.js",
  "position": {
    "line": 42,
    "column": 5
  }
}
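How a version comment or a runtime signature becomes a bundler finding with a position, as an added example that is not the project's `lib/patterns.js`: the regexes are assumptions modelled on the signatures listed above, `detectBundlers` and `positionOf` are hypothetical names, and 1-based line and column numbering is assumed.

```javascript
// Added example: regexes are assumptions based on the signatures in this README.
const VERSIONED = [
  { name: "Rollup", re: /\/\*+\s*Rollup \((\d+\.\d+\.\d+)\)\s*\*+\// },
  { name: "esbuild", re: /\/\*\s*esbuild (\d+\.\d+\.\d+)\s*\*\// },
];
const RUNTIME = [
  { name: "Webpack", re: /__webpack_require__|__webpack_modules__|webpackJsonp/ },
  { name: "Vite", re: /__vite__/ },
  { name: "Parcel", re: /__parcel__/ },
];

// Convert a string offset to a 1-based line/column pair (numbering is an assumption).
function positionOf(code, index) {
  const before = code.slice(0, index);
  const line = before.split("\n").length;
  const column = index - (before.lastIndexOf("\n") + 1) + 1;
  return { line, column };
}

// Emit findings in the JSON finding shape documented above.
function detectBundlers(code, source) {
  const findings = [];
  for (const { name, re } of VERSIONED) {
    const m = re.exec(code);
    // An explicit version comment yields "<name> <version>".
    if (m) findings.push({ category: "bundlers", value: `${name} ${m[1]}`, source, position: positionOf(code, m.index) });
  }
  for (const { name, re } of RUNTIME) {
    const m = re.exec(code);
    // A runtime signature carries no version, so report "(detected)".
    if (m) findings.push({ category: "bundlers", value: `${name} (detected)`, source, position: positionOf(code, m.index) });
  }
  return findings;
}

// Constructed sample bundle, not taken from a real application.
const sampleBundle = [
  "/* esbuild 0.18.11 */",
  "(() => {",
  "  var cache = {}; function __webpack_require__(id) { return cache[id]; }",
  "})();",
].join("\n");
const bundlerFindings = detectBundlers(sampleBundle, "bundle.js");
console.log(JSON.stringify(bundlerFindings, null, 2));
```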
This is useful for:
This tool is designed for authorized security testing only:
Always ensure you have permission to analyze the code you're testing.
tools/
├── bin/
│   └── cli.js              # CLI entry point (Bun shebang)
├── lib/
│   ├── analyzer.js         # Core analyzer with deduplication
│   ├── patterns.js         # Regex patterns for detection
│   └── validators.js       # Validation and noise filtering
├── .claude/
│   └── skills/
│       └── analyze-js.md   # Claude Code skill definition
├── package.json            # NPM package config
└── README.md
Based on the Burp Suite JS Analyzer extension. This is a Claude Code skill and standalone CLI port optimized for:
MIT