Plugins listed here belong to this category and are auto-indexed from public GitHub repositories.
Plugins listed here belong to this category and are auto-indexed from public GitHub repositories.
Plugins for security auditing, vulnerability scanning, secrets detection, and secure coding practices.
Dependency vulnerability scanning, OWASP compliance checks, secrets detection, permission auditing, and security-focused code review. Some include agents for multi-file security analysis.
Plugins with hooks can run security checks on every file save or commit. However, they supplement — not replace — dedicated security tools and manual review for production applications.
Some detect hardcoded secrets and suggest remediation. Plugins with MCP servers marked as requiring secrets are flagged with a warning — check the risk indicators before installing.
Enhance Claude Code with 1300+ agents, skills, and commands covering full-stack development — coding, testing, security, deployment, automation, and operations across dozens of languages and frameworks.
Automatically review Claude-generated code for security vulnerabilities during editing, committing, and pushing. Uses pattern-based warnings, LLM-powered diff reviews, and agentic commit analysis to catch injection, XSS, SSRF, hardcoded secrets, and 25+ other vulnerability classes.
Author, evaluate, and iteratively improve Claude Code skills with automated blind comparisons, performance analysis, and grading against predefined expectations.
Reverse engineer binaries, analyze malware, and research firmware security using disassembly, memory forensics, and network traffic analysis for authorized security research and CTF competitions.
Automates security scanning, threat modeling, and compliance auditing across multi-language projects, integrating SAST, dependency vulnerability detection, and remediation into CI/CD pipelines.
Orchestrate multi-dimensional code reviews with specialized agents covering architecture, security, performance, and best practices. Analyze git diffs between branches to generate detailed PR descriptions, file stats, and impact assessments.
Accelerate full-stack development with 66 specialized skills covering 12 languages, frontend/backend frameworks, infrastructure, DevOps, security, and testing, plus Jira/Confluence project management commands for epic planning, discovery, and retrospectives.
Master essential developer workflows across Git, code review, debugging, error handling, authentication, SQL optimization, E2E testing, and monorepo management with Nx, Turborepo, and Bazel.
Provides structured guidance for executing cybersecurity operations across penetration testing, incident response, threat hunting, cloud security, and malware analysis, with step-by-step procedures and tool usage.
Orchestrate end-to-end full-stack feature development from requirements to deployment, with integrated agents for CI/CD pipelines, performance optimization, security auditing, and AI-powered test automation.
Design, build, and deploy MCP servers for Claude by interrogating your use case to select deployment models like remote HTTP, MCPB, or local stdio, implementing tool patterns with auth, adding interactive UI widgets such as forms, pickers, and dashboards for inline chat rendering, and packaging into standalone Node or Python .mcpb bundles for local distribution without user toolchain.
Guides secure development across the full stack—implementing authentication, authorization, API security patterns, vulnerability prevention, and PCI DSS compliance for payment systems.
Harden backend APIs with authentication, authorization, rate limiting, input validation, and vulnerability fixes using expert security agents that implement secure coding patterns across REST, GraphQL, and gRPC services.
Conduct end-to-end security assessments including web vulnerability scanning with Burp Suite, cloud infrastructure auditing across AWS/Azure/GCP, Linux privilege escalation enumeration, and penetration testing through reconnaissance, exploitation, and reporting
Run SEO audits that detect content cannibalization across pages, flag outdated content with prioritized refresh plans, and evaluate E-E-A-T signals to build authority and trust for YMYL topics.
Scan dependencies for known vulnerabilities, license compliance issues, and outdated packages across multiple languages, then safely update dependencies and refactor legacy codebases using the strangler fig pattern to reduce technical debt.
Manage Kubernetes clusters with GitOps workflows (ArgoCD/Flux), generate production-ready manifests, scaffold Helm charts, and enforce security policies for network isolation, pod security, and RBAC.
Scans frontend code (React, Vue, Angular, JS) for XSS vulnerabilities with severity and fix guidance, and provides agent expertise for secure mobile coding (input validation, WebView security, secure storage) and modern React/Next.js UI development with performance and accessibility focus.
Delegate expert-level code reviews, security audits, penetration tests, QA automation, accessibility compliance checks, performance optimizations, chaos engineering, and compliance validations to specialized sub-agents across codebases, infrastructure, and systems.
Manage Firebase projects through Claude: query and write Firestore data, manage authentication users, deploy and invoke Cloud Functions, and handle Storage and Hosting configurations directly from the chat interface.
Run autonomous Claude-powered iteration loops that modify code, verify against metrics, and refine until success, automating debugging, bug fixes, security audits, documentation generation, task planning, issue prediction, adversarial reasoning, test scenario creation, and multi-phase project shipping.
Run CodeQL and Semgrep to scan multi-language codebases (Python, JavaScript/TS, Go, Java, C#, Ruby, Rust) for security vulnerabilities via taint tracking and pattern matching. Parse, deduplicate, and aggregate SARIF outputs from scans, then integrate findings into CI/CD pipelines using GitHub Actions or bash scripts.
Audit a codebase to identify bugs, performance issues, tech debt, and recommended next steps, then generate prioritized implementation plans that other agents can execute, optionally delegating work to cheaper models and reviewing results — without ever editing code.
Develop and troubleshoot Ginkgo/Gomega test suites in Go, enabling spec authoring, table-driven tests, filtering, parallel execution, flake handling, async timeouts, CI setup, and JSON-based failure diagnosis.
Run cloud security compliance checks and remediate issues across AWS, GCP, and Azure using Prowler's assessment platform. Automates framework selection, provider configuration, and step-by-step compliance checking to make accounts compliant with security/industry frameworks.
Generate structured engineering documents and analyses for code reviews, incident postmortems, API docs, architecture decisions, system design, runbooks, CI/CD, SLOs, database migrations, security threat models, and more — all from natural language prompts in Claude Code.
Discover, evaluate, and install community legal skills from curated registries with security review gates, update checks, and profile-based recommendations — all managed through a single hub.
Create and repair Redpanda Connect pipeline configurations and Bloblang transformation scripts using natural language. Automates component search, config generation, and script debugging with optional sample data validation.
Implement Trail of Bits handbook security testing workflows: fuzz Rust, Python, C/C++, Ruby code with AFL++, libFuzzer, cargo-fuzz, Atheris; instrument AddressSanitizer; run static analysis via Semgrep, CodeQL; generate coverage reports, dictionaries, and bypass obstacles for vulnerability detection.
Audit smart contracts for vulnerabilities across Cosmos, Solana, Polkadot, TON, Algorand, and StarkNet blockchains using specialized scanners. Assess codebase maturity with scorecards, prepare for professional audits via static analysis and test improvements, analyze token integrations for ERC standards and risks, and apply Trail of Bits guidelines for architecture reviews and secure workflows.
Integrate Stripe payments, manage subscriptions, and troubleshoot API errors with guided assistance for Connect platforms, API upgrades, and test card scenarios, plus remote access to Stripe's MCP server for payment processing and billing queries.
Orchestrate authorized penetration tests and red team engagements with 50+ specialist AI agents covering recon, web/API, Active Directory, cloud, mobile, wireless, exploitation, post-exploitation, detection, forensics, and reporting.
Create and validate custom Semgrep rules for detecting security vulnerabilities, bugs, code patterns, and standards using test-first methodology, conversation context for patterns and languages, plus taint mode support.
Scan smart contract codebases in Solidity, Vyper, Solana/Rust, Move, TON, or CosmWasm to identify externally callable state-changing functions, categorize them by access levels, and generate structured reports for security audits and access control reviews.
Develop Next.js applications with App Router, Server Components, Route Handlers, Server Actions, and authentication using NextAuth.js v5. Includes performance analysis and scaffolding for common patterns.
Build multi-language code graphs to map call graphs, attack surfaces, blast radius, taint propagation, privilege boundaries, and complexity hotspots for security audits. Visualize architecture with Mermaid diagrams, compare snapshots across git commits for evolution analysis, triage mutation testing survivors, generate crypto test vectors, diagram protocols, and project SARIF findings onto graphs.
Combine multiple Git repositories into unified archives for AI-powered codebase analysis, with built-in security scanning and file search capabilities.
Perform security reviews of pull requests, commits, or code diffs using git history for context, blast radius estimation, test coverage checks, and markdown report generation.
Parse Burp Suite .burp project files from the command line to search headers and bodies with regex, extract security findings like audit items, and dump filtered proxy history or sitemap for targeted HTTP security analysis workflows.
Scaffold full-stack TypeScript projects and monorepos with type-safe stacks (Next.js, Hono, TanStack, tRPC), then extend them with addons like PWA, Tauri, or linters — all through an MCP-driven plan-and-generate workflow.
Scan Python, JavaScript, Ruby, and Docker configurations for insecure defaults like hardcoded secrets, fallback credentials, weak authentication, permissive settings, and dangerous production values. Run during security audits, config reviews, and pre-deployment checks to block fail-open vulnerabilities.
Scan Android APK files or directories for Firebase security misconfigurations like open Realtime Database, Firestore, storage buckets, authentication issues, and exposed Cloud Functions to conduct mobile security audits and authorized pentesting.
Implement, customize, secure, deploy, troubleshoot, and scale Clerk authentication in Next.js apps using 24 skills for SDK installation, sign-up/sign-in UIs, middleware protection, error debugging, webhook handling, performance tuning, cost optimization, RBAC/SSO, GDPR compliance, production checklists, CI/CD pipelines, local dev loops, and migrations from Auth0, Firebase, or Supabase.
Enforce use of the n8nac CLI for GitHub-related Bash commands instead of direct curl/wget calls, with automated environment, schema, credential, and migration checks on session start and feedback capture on session end.
Audit GitHub Actions workflows to detect security vulnerabilities in AI agent integrations like Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference. Identify prompt injection risks and unsafe input flows in CI/CD pipelines before deployment.
Monitor new token launches on Ethereum, BSC, Polygon, and Arbitrum DEXes to detect rugpulls and security risks. Analyze contracts for honeypots, ownership renouncement, liquidity locks, mint functions, proxies, blacklists, and perform verification plus social legitimacy checks.
Detect error-prone APIs, dangerous configurations, and security footguns in your codebase. Review API designs, config schemas, and crypto ergonomics to build secure-by-default software, preventing common security mistakes during development.
Automate OWASP Top 10 vulnerability scans and penetration testing on JavaScript, Python, and Java codebases using Semgrep, ESLint-security, Bandit, and dependency audits. Delegate comprehensive security audits to a specialized agent covering injections, XSS, CSRF, authentication flaws, access control, and misconfigurations.
Integrate secrets managers like Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault into applications and infrastructure. Generate policies, auth configs, rotation schedules, Kubernetes manifests, retrieval code, setup scripts, and documentation from simple inputs.
Audit codebases with a security agent that scans for vulnerabilities like SQL injection, XSS, CSRF, auth flaws, insecure dependencies, and secrets; generates severity-rated reports including file locations, explanations, compliance checks, and code fixes with examples.
Manage the full AWS application lifecycle: author infrastructure with CDK/CloudFormation, deploy serverless and containerized workloads, configure messaging and observability, optimize costs, enforce security with IAM and secret safety, and build generative AI apps on Bedrock using SDK patterns for Python, TypeScript, and Swift.
Scan codebases for data privacy risks, identifying PII exposures, hardcoded sensitive data, unsafe logging practices, unencrypted storage, insecure transmission, missing consent mechanisms, and retention policy violations to audit and remediate compliance issues.
Audit dependencies across Node.js, Python, PHP, Ruby, Go, and Rust projects for vulnerabilities, outdated versions, transitive issues, and license compliance. Generate detailed reports with CVE information, upgrade recommendations, and fix commands using tools like npm audit and pip-audit.
Write expressive, correct Gomega assertions in Go tests using Expect/Ω notation, synchronous and asynchronous (Eventually/Consistently) patterns, the full built-in matcher catalog, composite matchers for nested structs, custom matcher authoring, and sub-libraries for HTTP, streaming I/O, goroutine leak detection, and performance measurement.
Build complete API authentication and authorization systems supporting JWT, OAuth2, API keys, sessions, MFA, RBAC, token refresh, validation, and brute-force protection. Generates models, middleware, and services for JavaScript/Node.js, Python, and Java backends.
Author, review, and optimize YARA-X detection rules for malware analysis using guided best practices for naming conventions, string selection, performance tuning, legacy rule migration, and false positive mitigation, with built-in linting and quality analysis.
Authenticate Claude Code with Composio API key to connect to 500+ apps like Gmail, Slack, and GitHub. Validate setup via script, configure MCP, and perform real actions such as sending emails, creating issues, posting messages directly in your workflow.
Scaffold, deploy, and operate AI agent applications on AWS using Amazon Bedrock AgentCore, with skills for project creation, multi-agent orchestration, tool connectivity via Gateway and MCP, cross-session memory, evaluation, observability, and production hardening.
Write, debug, and verify Quint formal specifications (.qnt files) with language reference, CLI toolchain commands, and guidance for building specs from ideas, code, or TLA+, plus auditing existing specs.
Audit PostgreSQL, MySQL, and MongoDB databases for security risks including misconfigurations, privileges, encryption, network exposure, default credentials, and SQL injection in app code. Run scans for 50+ OWASP vulnerabilities, generate compliance reports, automated remediation scripts, and audit trails from your IDE.
Scan your codebase for OWASP Top 10 web security risks including injections, broken authentication, access control flaws, cryptographic failures, and misconfigurations. Generate detailed reports with remediation guidance to audit compliance and strengthen security.
Audit web app session management for vulnerabilities like fixation, ID generation flaws, expiration issues, cookie misconfigurations, insecure storage, and poor invalidation in Express, Django, Rails, Python, and Java apps. Check current Claude Code session status, including active state and user details.
Follow NIST SP 800-61 to handle security incidents: classify breaches, preserve evidence, analyze logs using Bash tools on Linux, contain threats, investigate IOCs, eradicate malware, and recover systems. Invoke playbook with 'sir' shortcut for quick response workflow.
Scan REST API code and endpoints for OWASP Top 10 vulnerabilities like injection, BOLA, broken auth, mass assignment, and rate limit issues. Run OWASP ZAP scans to detect misconfigurations and attack vectors, generating HTML reports, JSON findings, remediation guides, evidence, and Python regression tests.
Audit authentication in JavaScript, Python, and Java web apps/APIs against OWASP/NIST standards—covering password hashing, JWT handling, sessions, OAuth flows, MFA, and account controls. Validate project setups by checking credentials, tokens, and config files for errors and compliance status.
Analyze any website's HTTP/HTTPS security headers to detect vulnerabilities, misconfigurations, OWASP compliance gaps, cookie problems, and info leaks. Receive overall grades plus targeted configuration fixes for Nginx, Apache, or Cloudflare servers.
Scan your current codebase for security vulnerabilities using SAST on code, CVE detection in npm, pip, and composer dependencies, plus configuration issues. Receive a structured report with severity ratings, detailed findings, and remediation steps to fix them quickly.
Run interactive penetration tests on web apps and codebases: scan HTTP security headers for CSP/HSTS issues, audit npm/pip dependencies for vulnerabilities, analyze code for secrets/injections with bandit, get severity-prioritized findings, fix suggestions, and JSON reports.
Audit codebases, configurations, and documentation for HIPAA compliance in healthcare applications. Detect PHI protection gaps, access control weaknesses, encryption issues, logging deficiencies, and BAA adherence problems via targeted skills and commands.
Manage and monitor Datadog resources (monitors, logs, APM traces, dashboards, security signals, SLOs) via CLI commands and specialized agents, enabling observability workflows for infrastructure, applications, and CI/CD pipelines.
Initialize Firestore Admin SDK in Node.js projects with authentication, manage safe CRUD operations batch writes queries schema design data migrations indexes, generate validate production-ready security rules using least privilege and emulator testing, and optimize performance costs.
Monitor cross-chain bridge activity across protocols like Wormhole, Stargate, Arbitrum, and Optimism. Track transfers, TVL, volume, fees, and transaction status. Analyze security models and validators while detecting exploits and anomalies.
Design, implement, and deploy secure Firebase apps with Vertex AI Gemini integration in Cloud Functions for authentication, Firestore, storage, and hosting.
Provision secure GCP infrastructure for Vertex AI ADK and Agent Engine deployments using Terraform. Automate setup of Agent Engine runtime, code execution sandbox, Memory Bank, VPC Service Controls, IAM roles, and networking to enable scalable AI agent workflows.
Scan codebases for SQL injection vulnerabilities by tracing user inputs through code to database queries, identifying unsafe patterns like string concatenation and unparameterized ORM usage in Django, Rails, Express, and Go apps. Get risk reports and mitigation recommendations via skills or direct commands.
Build production-ready API gateways for microservices, implementing intelligent routing, authentication, rate limiting, load balancing, circuit breakers, health checks, and response transformations. Deploy to Kong, Express Gateway, AWS API Gateway, or custom Node.js/Go/Express servers to proxy and manage backend traffic securely.
Bootstrap production-ready fullstack MVPs with React+Vite+Tailwind frontend, Express/FastAPI backend, PostgreSQL+Prisma database, JWT/OAuth authentication, tests, Docker containers, and GitHub Actions CI/CD pipelines from a single command. Delegate to AI agents for designing APIs, database schemas, scalable architectures, UI/UX improvements, and deployment strategies.
Validate CSRF protections in Express, Django, Rails, and Laravel web apps by inventorying state-changing endpoints and auditing synchronizer tokens, double-submit cookies, SameSite attributes, and Origin/Referer headers to uncover compliance gaps and security issues.
Generate Kubernetes NetworkPolicy manifests enforcing zero-trust networking via ingress/egress rules with pod labels, namespaces, CIDRs, and ports. Create production-ready configurations, setup code, and documentation matching your infrastructure and security requirements.
Automate SOC 2 audit preparation by assessing Trust Service Criteria controls (CC1-CC9), gathering evidence from documents, logs, and IaC, identifying gaps, and generating readiness reports across AWS, GCP, and Azure environments.
Validate Vertex AI Agent Engine deployments for production readiness, generating weighted scores across security, monitoring, performance, compliance, and best practices, plus actionable remediation plans.
Scan codebases for reflected, stored, and DOM-based XSS vulnerabilities across HTML, JavaScript, CSS, and URLs. Test WAF bypass techniques and CSP protections, then receive reports on risks with remediation suggestions via commands or natural language triggers.
Encrypt and decrypt data with various algorithms using the /encrypt command and shortcut. Audit encryption implementations, validate crypto algorithms, and verify key management in codebases and configs during security reviews.
Audit IaC templates like Terraform and CloudFormation, Docker and Kubernetes manifests, nginx configs, and app settings for security misconfigurations against OWASP and CIS benchmarks. Scan current projects for issues in code and settings, reporting problems with potential fixes.
Conduct professional security audits on code, infrastructure, and configurations. Identify OWASP Top 10 vulnerabilities, verify compliance with HIPAA, PCI-DSS, GDPR, and SOC 2 standards, and perform cryptography reviews to evaluate and strengthen your security posture.
Monitor SSL/TLS certificate expiry dates, automate renewals, list installed certificates, diagnose chain issues, and manage project configurations including setup, renewal, and verification tasks.
Validate CORS configurations in Express, Django, Flask, Nginx, and Python web apps/APIs to detect security misconfigurations like wildcard origins, origin reflection, permissive methods/headers, and ensure compliance with origins, methods, credentials.
Generate automated backup scripts, cron schedules, restore procedures, monitoring setups, and recovery plans for PostgreSQL, MySQL, MongoDB, and SQLite databases, including compression, encryption, and retention policies with AWS support.
Scan your codebase and Git history for exposed secrets like API keys, passwords, tokens, and credentials using pattern matching and entropy analysis. Receive detailed reports pinpointing file locations, secret types, severity ratings, and step-by-step remediation guidance to secure your project fast.
Scan codebases and projects for GDPR compliance issues including consent flows, data erasure rights, transfers, processing agreements, and privacy risks. Generate detailed reports with identified gaps and remediation recommendations.
Audit EVM wallet security by scanning ERC20 approvals, transaction patterns, and contract interactions to compute risk scores and generate revoke lists via Python scripts.
Generate comprehensive security audit reports from vulnerability scans, configs, and compliance data, featuring CVSS scoring, findings tables, remediation plans, status matrices, and exports in PDF, HTML, JSON, or Markdown formats.
Fuzz test REST and GraphQL APIs using OpenAPI specs to detect crashes, vulnerabilities, edge cases, and unexpected behaviors with tools like Schemathesis, RESTler, OWASP ZAP. Generate test suites, security reports, and reproducible payloads for input validation and security auditing.
Validate PCI-DSS compliance in payment systems by scanning codebases, configurations, and infrastructure for cardholder data security issues, generating status reports or detailed audits.
Audit Terraform, Kubernetes, and cloud configurations for CIS, SOC2, HIPAA, PCI-DSS compliance using Checkov, tfsec, and OPA. Generate detailed reports, remediation patches, CI/CD gating steps, plus production-ready secure DevOps configurations, setup code, and documentation with security-first best practices.
Audit access controls including IAM policies, RBAC, ACLs, file permissions, and API authorizations in AWS, GCP, Azure, and local projects to detect vulnerabilities, privilege escalation paths, and least privilege violations, generating detailed compliance reports.