svelte-sveltekit-security
Install: claude install-skill hlsitechio/claude-skills-security
# Svelte / SvelteKit Security Audit
Audit Svelte and SvelteKit apps. Covers Svelte 3/4/5 and SvelteKit 1/2.
## When this skill applies
- Reviewing Svelte components for XSS sinks
- Auditing SvelteKit server load functions, form actions, `+server.ts` routes
- Reviewing `hooks.server.ts` middleware
- Checking `$env` module usage for accidental leaks
- Auditing form actions for auth and CSRF
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"(svelte|@sveltejs/kit)":' package.json
# two -name tests without -o are ANDed and match nothing; group them with -o
find . \( -name 'svelte.config.*' -o -name '*.svelte' \) -not -path '*/node_modules/*' | head
```
### Phase 2: Inventory
```bash
# XSS sinks
grep -rn '@html' src/ 2>/dev/null
# Server load functions (run only on the server; .js variants included for JS projects)
find src \( -name '+page.server.ts' -o -name '+page.server.js' -o -name '+layout.server.ts' -o -name '+layout.server.js' \) 2>/dev/null
# Universal load (runs on both server and client; anything here ships to the browser)
find src \( -name '+page.ts' -o -name '+page.js' -o -name '+layout.ts' -o -name '+layout.js' \) 2>/dev/null
# Endpoint handlers
find src \( -name '+server.ts' -o -name '+server.js' \) 2>/dev/null
# Form actions
grep -rn 'export const actions' src/ 2>/dev/null
# Hooks (middleware)
find src \( -name 'hooks.server.ts' -o -name 'hooks.server.js' -o -name 'hooks.client.ts' -o -name 'hooks.client.js' \) 2>/dev/null
# Env modules
grep -rn '\$env/static/private\|\$env/static/public\|\$env/dynamic/private\|\$env/dynamic/public' src/ 2>/dev/null
```
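The inventory above lists files and `$env` imports separately; the leak check that matters is the join of the two: a private `$env` module imported from a file that SvelteKit sends to the browser (`.svelte` components, universal `+page`/`+layout` load files, `hooks.client.*`). The script below is an added example, not part of the skill, that performs that join over a small SvelteKit tree constructed in place; the file names, env variable names and the `find_private_env_in_client_files` / `count_private_env_in_client_files` helpers are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill): flag imports of $env/static/private or
# $env/dynamic/private from files that run in the browser. Server-only files
# (+page.server.*, +layout.server.*, +server.*, hooks.server.*) are deliberately
# not searched, because a private import there is the intended usage.

# Print "path:line:text" for every private $env import in a client-reachable file.
# $1 = the project's src directory.
find_private_env_in_client_files() {
  local src="$1"
  find "$src" \( -name '*.svelte' \
       -o -name '+page.ts' -o -name '+page.js' \
       -o -name '+layout.ts' -o -name '+layout.js' \
       -o -name 'hooks.client.ts' -o -name 'hooks.client.js' \) \
       -not -path '*/node_modules/*' \
       -exec grep -Hn -E '\$env/(static|dynamic)/private' {} + 2>/dev/null || true
}

# Number of findings, usable as a CI gate ("0" means clean).
count_private_env_in_client_files() {
  find_private_env_in_client_files "$1" | wc -l | tr -d ' '
}

# Constructed sample project: two correct files and two leaks.
# Heredoc delimiters are quoted so the $env specifiers are written literally.
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/src/routes/admin" "$root/src/lib"
  # Server load: private import is fine here (assumed variable DB_URL).
  cat > "$root/src/routes/admin/+page.server.ts" <<'EOF'
import { DB_URL } from '$env/static/private';
export const load = async () => ({ connected: DB_URL.length > 0 });
EOF
  # Universal load: also runs in the browser, so this is a finding (assumed API_KEY).
  cat > "$root/src/routes/admin/+page.ts" <<'EOF'
import { API_KEY } from '$env/static/private';
export const load = async ({ fetch }) => fetch('/api/admin?key=' + API_KEY);
EOF
  # Component: ships to the client, so this is a finding.
  cat > "$root/src/lib/Widget.svelte" <<'EOF'
<script>
  import { env } from '$env/dynamic/private';
</script>
<p>{env.SECRET}</p>
EOF
  # Component using the public module: fine.
  cat > "$root/src/lib/Banner.svelte" <<'EOF'
<script>
  import { PUBLIC_SITE_NAME } from '$env/static/public';
</script>
<h1>{PUBLIC_SITE_NAME}</h1>
EOF
}

# Stand-alone demo over the constructed tree; point the functions at a real
# checkout instead (e.g. find_private_env_in_client_files ./src).
demo() {
  local tmp
  tmp="$(mktemp -d)"
  make_sample_tree "$tmp"
  find_private_env_in_client_files "$tmp/src"
  echo "findings: $(count_private_env_in_client_files "$tmp/src")"
  rm -rf "$tmp"
}
```

SvelteKit's build refuses a direct import of the private modules from client code, so this check is a fast pre-build signal rather than a replacement for building the project; it also does not follow re-exports through `$lib` modules, which the page's Phase 3 review of each `$env` hit still has to cover.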
### Phase 3: Detection — the checks
#### `{@html}` XSS
- **SVK-XSS-1** Every `{@html foo}` reviewed. Same sink as `dangerouslySetInnerHTML`. Sanitize with DOMPurify or use a safe Markdown renderer.
```svelte
<!-- BA