From web-security
Create jxscout bookmarks and bookmark groups via the CLI to document interesting code during security research. Use when analyzing JS/HTML files, reviewing findings, documenting client-side flows, or when the user asks to bookmark security-relevant code patterns, gadgets, or sinks.
Slash command: /web-security:jxscout-bookmarks
Bookmark interesting code during security research -- client-side flows, sinks, gadgets, postMessage handlers, authentication logic, request construction patterns, etc. Bookmarks appear in the VS Code extension sidebar with highlight decorations and markdown notes.
jxscout works with JS, HTML, and HTTP-related files. Bookmarks should point to code in these web assets.
The JXSCOUT_PROJECT_NAME environment variable must be set. It is available in the project's .env file at the root of the working directory. All commands use jxscout-pro-v2 -c (client mode).
jxscout-pro-v2 -c bookmark list-groups
Returns JSON array of { id, name, highlight_color, created_at }.
jxscout-pro-v2 -c bookmark create-group --name "postMessage handlers" --highlight-color "rgba(255,165,0,0.15)"
--name -- descriptive category name
--highlight-color -- optional CSS color string for code highlighting in VS Code (e.g. rgba(255,0,0,0.1))
Returns JSON with the created group.
jxscout-pro-v2 -c bookmark update-group --name "Old Name" --new-name "New Name" --highlight-color "rgba(0,255,0,0.1)"
Pass empty string to --highlight-color to clear it.
jxscout-pro-v2 -c bookmark delete-group --name "Group Name"
Deletes the group and all bookmarks in it.
jxscout-pro-v2 -c bookmark create \
--group "postMessage handlers" \
--file-path /absolute/path/to/file.js \
--start-line 10 --start-column 0 \
--end-line 15 --end-column 42 \
--note "Accepts messages from any origin, passes event.data.url to location.href"
--group -- group name (must already exist)
--file-path -- absolute path to the file
--start-line, --end-line -- 1-indexed line numbers
--start-column, --end-column -- 0-indexed column numbers
--note -- optional, supports markdown
jxscout-pro-v2 -c bookmark list [--group "Group Name"] [--file-path /path/to/file.js]
Returns JSON array of all bookmarks, optionally filtered by group or file path.
jxscout-pro-v2 -c bookmark update --id <bookmark_id> [--group "New Group"] [--note "Updated note"] [--file-path /new/path] [--start-line N --start-column N --end-line N --end-column N]
Pass empty string to --note to clear it.
jxscout-pro-v2 -c bookmark delete --id <bookmark_id>
jxscout-pro-v2 -c bookmark list-groups
jxscout-pro-v2 -c bookmark create-group --name "XSS sinks"
Bookmark things the user would want to review or come back to:
innerHTML assignments, document.write, eval, location.href assignments with user-controlled input
window.addEventListener("message", ...) -- especially without origin checks
Notes should explain why the code is interesting, not just describe what it does.
Good notes:
event.data.redirect to window.location"
req.query.callback -- potential JSONP abuse"
Bad notes:
If http_requests/ exists in the project working directory, bookmarks can also point to raw .req/.res files captured by jxscout -- not just JS/HTML code. This is useful for marking interesting API calls, auth flows, or responses that contain relevant security data (tokens, error messages, internal paths).
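The bookmark create flags above mix conventions (absolute --file-path, 1-indexed lines, 0-indexed columns), which is easy to get wrong when coordinates come from a search tool. The following is an added example, not part of the jxscout skill or project: the function names, the JXSCOUT override variable, and the treatment of --end-column as the offset just past the match are assumptions.

```shell
#!/bin/sh
# Added example (not jxscout's own code): bookmark every line of a file that
# contains a fixed string, e.g. a postMessage listener registration.

# Binary is overridable so the function can be dry-run with JXSCOUT=echo.
JXSCOUT=${JXSCOUT:-jxscout-pro-v2}

# find_spans FILE PATTERN
# Prints "line start_col end_col" for each line containing PATTERN.
# Lines are 1-indexed and columns 0-indexed, matching the CLI flags.
find_spans() {
    PAT=$2 awk '
    {
        pos = index($0, ENVIRON["PAT"])   # 1-indexed, 0 when absent
        if (pos == 0) next
        start = pos - 1                   # convert to a 0-indexed column
        # Assumption: --end-column is the offset just past the match.
        print NR, start, start + length(ENVIRON["PAT"])
    }' "$1"
}

# bookmark_matches FILE PATTERN GROUP NOTE
# GROUP must already exist (create it with "bookmark create-group").
bookmark_matches() {
    file=$1 pattern=$2 group=$3 note=$4
    [ -n "${JXSCOUT_PROJECT_NAME:-}" ] || {
        echo "JXSCOUT_PROJECT_NAME is not set" >&2; return 1; }
    case $file in
        /*) ;;
        *) echo "--file-path must be absolute: $file" >&2; return 1 ;;
    esac
    find_spans "$file" "$pattern" | while read -r line start end; do
        # Arguments are passed as separate words, never built into a string.
        "$JXSCOUT" -c bookmark create \
            --group "$group" \
            --file-path "$file" \
            --start-line "$line" --start-column "$start" \
            --end-line "$line" --end-column "$end" \
            --note "$note" </dev/null
    done
}
```

Setting JXSCOUT=echo prints the arguments instead of creating bookmarks, which is a quick way to review the computed spans first.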
npx claudepluginhub s3cr1z/capabilities --plugin web-security