npx claudepluginhub thejefflarson/soundcheck
Automated OWASP security checks — Web Top 10:2025, LLM Top 10:2025, API Security Top 10:2023
Automated OWASP security checks for Claude Code. 29 skills covering OWASP Web Top 10:2025 and OWASP LLM Top 10:2025 that auto-invoke when Claude writes vulnerable code patterns, rewrite the vulnerable section inline, explain the fix, and continue with your original task.
No configuration needed. No user intervention required.
claude plugin marketplace add thejefflarson/soundcheck
claude plugin install soundcheck
After installation, all 29 skills are active in every Claude Code session. Claude will automatically invoke the relevant skill whenever it detects vulnerable code patterns.
Try it without installing (current session only):
claude --plugin-dir /path/to/soundcheck
Each skill has a description field that tells Claude when to invoke it. When you ask
Claude to write code matching that description, Claude:
You do not need to ask Claude to check for security issues. Soundcheck runs in the background on every relevant code-writing task.
| Code pattern | Skill invoked | OWASP |
|---|---|---|
| Authorization checks, resource ownership, IDOR, SSRF | broken-access-control | A01:2025 |
| Server config, CORS, debug flags, security headers, secrets | security-misconfiguration | A02:2025 |
| npm install, pip install, dependency manifests, CI/CD pipelines | supply-chain | A03:2025 |
| Encryption, password hashing, random token generation, TLS config | cryptographic-failures | A04:2025 |
| SQL queries, shell commands, templates with user input, eval, ORM raw queries | injection | A05:2025 |
| Rate limiting, login flows, business logic, multi-step workflows | insecure-design | A06:2025 |
| Login, sessions, JWT, password storage, MFA, API key management | authentication-failures | A07:2025 |
| Deserialization, pickle/yaml load, software update verification, CI artifacts | integrity-failures | A08:2025 |
| Logging, audit trails, error handlers that log, security event recording | logging-failures | A09:2025 |
| Error handlers, try/catch, API error responses, exception propagation | exceptional-conditions | A10:2025 |
| LLM prompt construction with user input, RAG pipelines, system prompts | prompt-injection | LLM01:2025 |
| Rendering LLM output to UI, executing LLM-generated code, downstream LLM output use | insecure-output-handling | LLM02:2025 |
| Fine-tuning pipelines, dataset ingestion, training data from external sources | training-data-poisoning | LLM03:2025 |
| LLM input limits, inference backends, chatbot request handling, token budgets | model-dos | LLM04:2025 |
| Loading pre-trained models, model registries, third-party LLM providers | llm-supply-chain | LLM05:2025 |
| Sending PII/secrets to LLM, system prompts with sensitive data, LLM memory | sensitive-disclosure | LLM06:2025 |
| LLM tool definitions, function schemas, plugin access controls | insecure-plugin-design | LLM07:2025 |
| Autonomous agents, LLM-triggered write/delete/send actions, multi-step pipelines | excessive-agency | LLM08:2025 |
| Displaying LLM output as fact, LLM-driven consequential decisions, no human review | overreliance | LLM09:2025 |
| Inference API endpoints, model access controls, rate limiting on model serving | model-theft | LLM10:2025 |
| MCP server definitions, tool schemas, tool handlers with file/shell/network access | mcp-security | LLM07:2025 |
| OAuth2/OIDC flows, JWT validation, redirect URI handling, token endpoints | oauth-implementation | A07:2025 |
| RAG pipelines, vector store ingestion, external document retrieval for LLM context | rag-security | LLM01:2025 |
| Implementation plans for features, APIs, or components touching user data or auth | threat-model | A06:2025 |
| Storing credentials/tokens/PII to local files, prefs stores, SQLite, or temp dirs | insecure-local-storage | A02:2025 |
| URL scheme handlers, exported Android activities, IPC sockets, XPC service handlers | ipc-security | A01:2025 |
| Agent-to-agent calls, subagent spawning, multi-agent pipelines | multi-agent-trust | LLM08:2025 |
| User-supplied strings to LLM with Unicode control chars, homoglyphs, RTL override | token-smuggling | LLM01:2025 |
| Command | What it does |
|---|---|
| /security-review | Full OWASP sweep — invokes all 29 skills, produces a severity-ranked findings report, rewrites Critical/High/Medium issues |
Runs a full Soundcheck security review against your repository, rewrites Critical/High/Medium findings, and opens a pull request with the changes and a severity-ranked findings table.