
sast-graphql

Detects GraphQL injection vulnerabilities using a three-phase approach to enhance code security.

Security score: 46/100

The sast-graphql skill was audited on Jun 13, 2026 and we found 8 security issues across 3 threat categories, including 3 high-severity. Review the findings below before installing.

Security Issues

Severity: high, line 30
Finding: Template literal with variable interpolation in command context
Source (SKILL.md, line 30):
- Concatenating or interpolating user input into an operation string: `` `query { user(id: "${id}") { name } }` ``, `"query { user(id: \"" + id + "\") { name } }"`

Severity: medium, line 85
Finding: Template literal with variable interpolation in command context
Source (SKILL.md, line 85):
const query = `query { me { ${fragment} } }`;

Severity: high, line 149
Finding: Template literal with variable interpolation in command context
Source (SKILL.md, line 149):
> - `` `query { ... ${x} ...}` ``, `"mutation { " + userFragment + " }"`

Severity: high, line 157
Finding: Template literal with variable interpolation in command context
Source (SKILL.md, line 157):
> - `JSON.stringify({ query: `...${userPart}...` })`, `axios.post(url, { query: builtFromInput })`

Severity: low, line 86
Finding: Fetch to external URL
Source (SKILL.md, line 86):
const data = await fetch('https://api.internal/graphql', {

Severity: low, line 95
Finding: Fetch to external URL
Source (SKILL.md, line 95):
const data = await fetch('https://api.internal/graphql', {

Severity: low, line 86
Finding: External URL reference
Source (SKILL.md, line 86):
const data = await fetch('https://api.internal/graphql', {

Severity: low, line 95
Finding: External URL reference
Source (SKILL.md, line 95):
const data = await fetch('https://api.internal/graphql', {

Scanned on Jun 13, 2026
GitHub Stars 661
Category: development
Updated: June 15, 2026
utkusen/sast-skills