From acc
Audits PHP projects for OWASP Top 10 and PHP-specific vulnerabilities including injection, XSS, CSRF, auth issues; reports severity, CWE IDs, attack vectors.
Trigger: slash command (invoked by the user)
Usage: `/acc:audit-security <path> [level] [-- meta-instructions]`
Model: opus
# Security Audit
Perform a comprehensive security audit focusing on OWASP Top 10 and PHP-specific vulnerabilities.
Parse $ARGUMENTS to extract path, level, and optional meta-instructions:
Format: <path> [level] [-- <meta-instructions>]
Arguments:
- path: Target directory or file (required, default: current directory)
- level: Audit depth - quick|standard|deep (optional, default: standard)
- -- meta-instructions: Additional focus areas or filters (optional)
Examples:
- /acc:audit-security ./src
- /acc:audit-security ./src deep
- /acc:audit-security ./src quick
- /acc:audit-security ./src -- focus on OWASP A01-A03
- /acc:audit-security ./src deep -- focus on injection
- /acc:audit-security ./src -- level:deep (backward compatible)
Parsing rules:
1. Split `$ARGUMENTS` by ` -- ` (space-dash-dash-space)
2. First part = positional arguments, second part = meta-instructions
3. In positional arguments, check if the last word is a valid level (`quick|standard|deep`)
4. If a level is found → extract it; remaining = path
5. Also accept `level:quick|standard|deep` in meta-instructions (backward compatibility)
6. Priority: … (default: `standard`)

- Path: the positional part of `$ARGUMENTS` (before ` -- `)
- Meta-instructions: the part after ` -- ` — customize audit focus

If meta-instructions are provided, adjust the audit to:
Verify the path exists:
- If `$ARGUMENTS` is empty, ask the user for the project path

Verify it's a PHP project:
- Look for `composer.json` or `*.php` files

Use the `acc:security-reviewer` agent to perform a comprehensive security audit:
Task tool with subagent_type="acc:security-reviewer"
prompt: "Perform security audit on [PATH]. Audit level: [LEVEL]. [META-INSTRUCTIONS if provided]
Analyze for:
1. Input Validation (A03:2021)
2. Output Encoding / XSS (A03:2021)
3. SQL Injection (A03:2021)
4. Command Injection (A03:2021)
5. Authentication Issues (A07:2021)
6. Authorization / Access Control (A01:2021)
7. CSRF Protection (A01:2021)
8. Sensitive Data Exposure (A02:2021)
9. Cryptographic Failures (A02:2021)
10. SSRF (A10:2021)
11. XXE (A05:2021)
12. Insecure Deserialization (A08:2021)
13. Path Traversal (A01:2021)
14. Dependency Vulnerabilities (A06:2021)
Provide:
- Severity classification (Critical/Major/Minor)
- CWE identifiers
- Attack vectors
- Code examples (vulnerable and fixed)
- OWASP references"
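The parsing rules, the two pre-flight checks and the agent prompt above are a small procedure that is easy to get subtly wrong (a `-- focus` with no path, a legacy `level:deep` inside the meta-instructions). The following Python is an added example that reimplements that procedure so it can be exercised against the documented invocations; it is not the plugin's own code. The page leaves the priority rule truncated, so the precedence used here (positional level over `level:` meta-instruction over the `standard` default) and the removal of the `level:` token from the focus text are assumptions.

```python
"""Argument parsing and pre-flight checks for /acc:audit-security (added example)."""
import re
from pathlib import Path
from typing import Iterable

LEVELS = ("quick", "standard", "deep")
LEVEL_META = re.compile(r"\blevel:(quick|standard|deep)\b")  # rule 5: legacy form


def parse_arguments(arguments: str) -> dict:
    """Parse '<path> [level] [-- <meta-instructions>]' following the command's rules."""
    # Rules 1/2: split once on ' -- '. Padding with spaces lets '-- focus ...' (no path)
    # and a bare trailing '--' still split cleanly.
    positional, _, meta = (" " + arguments.strip() + " ").partition(" -- ")
    words = positional.split()
    level = None
    # Rules 3/4: a trailing quick|standard|deep is the level; whatever is left is the path.
    if words and words[-1] in LEVELS:
        level = words.pop()
    path = " ".join(words) or "."  # default: current directory
    # Rule 5: 'level:<x>' inside the meta-instructions is still honoured.
    m = LEVEL_META.search(meta)
    meta_level = m.group(1) if m else None
    # Assumption: the level token is not part of the audit focus text, so drop it.
    meta = " ".join(LEVEL_META.sub("", meta).split())
    # Rule 6 (assumption): positional level > 'level:' meta-instruction > default.
    return {"path": path, "level": level or meta_level or "standard", "meta": meta}


def has_php_markers(names: Iterable[str]) -> bool:
    """True if a file listing contains composer.json or any *.php file."""
    return any(n == "composer.json" or n.endswith(".php") for n in names)


def check_project(path: str) -> Path:
    """Pre-flight: the path must exist and look like a PHP project."""
    root = Path(path)
    if not root.exists():
        raise FileNotFoundError(f"path does not exist: {path}")
    names = [root.name] if root.is_file() else (p.name for p in root.rglob("*"))
    if not has_php_markers(names):
        raise ValueError(f"not a PHP project: no composer.json or *.php under {path}")
    return root


def build_prompt(path: str, level: str, meta: str) -> str:
    """The task prompt handed to the acc:security-reviewer agent, as the command specifies."""
    prompt = f"Perform security audit on {path}. Audit level: {level}."
    return f"{prompt} {meta}" if meta else prompt


if __name__ == "__main__":
    args = parse_arguments("./src deep -- focus on injection")
    print(args)
    print(build_prompt(args["path"], args["level"], args["meta"]))
```

`check_project` walks the whole tree with `rglob`, which is fine for a source checkout but will be slow on a directory that also contains `vendor/` or `node_modules/`; in practice the audit is aimed at `./src` or a narrower path anyway.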
| OWASP ID | Category | Checks |
|---|---|---|
| A01:2021 | Broken Access Control | IDOR, missing auth checks, CSRF, path traversal |
| A02:2021 | Cryptographic Failures | Weak crypto, exposed secrets, plaintext storage |
| A03:2021 | Injection | SQL, Command, XPath, LDAP, XSS |
| A04:2021 | Insecure Design | Business logic flaws, missing controls |
| A05:2021 | Security Misconfiguration | XXE, default configs, exposed endpoints |
| A06:2021 | Vulnerable Components | Outdated dependencies, known CVEs |
| A07:2021 | Auth Failures | Weak passwords, session issues, token flaws |
| A08:2021 | Software Integrity | Deserialization, unsigned updates |
| A09:2021 | Logging Failures | Missing audit, log injection |
| A10:2021 | SSRF | User-controlled URLs, internal network access |
PHP-specific checks:
- `unserialize()` with user input
- `eval()` / `preg_replace()` with `e` modifier
- `shell_exec()` / `exec()` / `system()` without escaping
- `include()` / `require()` with user input
- File access functions (`file_get_contents`, `fopen`)
- `extract()` and variable overwriting

A structured markdown report containing:
| Severity | Count | Categories |
|---|---|---|
| 🔴 Critical | N | SQL Injection, RCE |
| 🟠 Major | N | XSS, CSRF, Auth |
| 🟡 Minor | N | Best practices |
For each critical issue:
### [OWASP Category]: [Brief Description]
**Severity:** 🔴 Critical
**Location:** `file.php:line`
**CWE:** CWE-XXX
**Issue:**
[Detailed description]
**Attack Vector:**
[How an attacker could exploit this]
**Vulnerable Code:**
```php
// Vulnerable code
```
**Secure Fix:**
```php
// Fixed code
```
**References:**
### 4. Major Vulnerabilities
[Same format as Critical]
### 5. Minor Issues / Best Practices
[Condensed list format]
### 6. Recommendations Summary
| Priority | Action | Location | Fix |
|----------|--------|----------|-----|
| 1 | Fix SQL injection | `UserRepository.php:45` | Use prepared statements |
| 2 | Add CSRF tokens | `LoginAction.php:23` | Implement token validation |
### 7. Compliance Checklist
| OWASP Category | Status | Issues |
|----------------|--------|--------|
| A01 Access Control | ⚠️ | 3 issues |
| A02 Crypto Failures | ✅ | 0 issues |
| A03 Injection | ❌ | 5 issues |
| ... | ... | ... |
## Audit Levels
Level is an optional positional parameter. Default: `standard`.
| Level | Scope | What's Checked |
|-------|-------|----------------|
| `quick` | Critical patterns only | `eval()`, `unserialize()`, SQL injection, command injection |
| `standard` | Full OWASP analysis | All 14 vulnerability categories, CWE references, fix suggestions |
| `deep` | Standard + extended | Standard + dependency vulnerability scan, attack vector mapping, CWE chains |
## Severity Levels
| Level | Symbol | Criteria |
|-------|--------|----------|
| Critical | 🔴 | RCE, SQL injection, auth bypass, data breach, deserialization |
| High | 🟠 | XSS, CSRF, information disclosure, privilege escalation |
| Medium | 🟡 | Missing best practices, theoretical attacks, low-impact issues |
| Low | 🟢 | Code hardening suggestions, defense-in-depth improvements |
## Meta-Instructions Guide
| Instruction | Effect |
|-------------|--------|
| `focus on injection` | Deep injection analysis (SQL, Command, XSS) |
| `focus on A01-A03` | Analyze specific OWASP categories only |
| `skip A06` | Exclude vulnerable components check |
| `injection only` | Only check injection vulnerabilities |
| `level:quick` | Quick audit (same as positional `quick`) |
| `level:standard` | Standard audit (same as positional `standard`) |
| `level:deep` | Deep audit (same as positional `deep`) |
| `detailed report` | Maximum detail with CWE references |
| `на русском` | Report in Russian |
## Usage Examples
```bash
/acc:audit-security ./src
/acc:audit-security ./src quick
/acc:audit-security ./src deep
/acc:audit-security ./src/Api -- focus on input validation
/acc:audit-security ./src deep -- check A01-A03 only
/acc:audit-security ./src -- level:deep
```

Install the plugin with:

```bash
npx claudepluginhub dykyi-roman/awesome-claude-code --plugin acc
```