Run automated security audits via /security-review to detect OWASP Web Top 10:2025, LLM Top 10:2025, and API Security Top 10:2023 vulnerabilities such as injections, broken auth, prompt injection, SSRF, and supply chain risks. Get hotspot maps, framework-specific fixes, and remediations for web apps, APIs, and LLMs across Python, JS, Go, Java, and more.
npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck
Use when writing code that checks authorization, enforces resource ownership, handles IDOR (object-level authorization), processes server-side requests to external URLs, or implements access control middleware.
Use when writing code that encrypts or decrypts data, hashes passwords or tokens, generates random values for security purposes, manages cryptographic keys, or configures TLS/SSL settings. Also invoke when storing sensitive data at rest.
Use when writing HTML forms that submit POST/PUT/DELETE requests, configuring session cookies, or setting up CSRF middleware for web applications. Also invoke when disabling or bypassing CSRF protections in framework configuration.
Use when writing error handlers, exception catching blocks, try/catch/finally constructs, or API error responses. Also invoke when an application could fail open on exception, or when stack traces might reach end users.
Use when building autonomous LLM agents, implementing multi-step agent pipelines, writing code where LLM output triggers real-world actions (file writes, API calls, emails, database changes, code execution), or designing agentic workflows with tool use.
Use when writing file upload handlers, processing multipart form data, saving uploaded files to disk or cloud storage. Also invoke when accepting user-supplied filenames or storing uploads in a web-accessible directory.
Use when writing GraphQL schemas, resolvers, or server configuration. Also invoke when setting up Apollo Server, graphql-yoga, Strawberry, gqlgen, or any GraphQL framework without explicit depth limiting, cost analysis, or introspection controls.
Use when writing code that contains API keys, passwords, tokens, connection strings, or private keys as string literals. Also invoke when embedding credentials in configuration files, environment setup scripts, or test fixtures that could be committed to version control.
Use when writing code that sets HTTP response headers using values from user input, request parameters, or external data. Also invoke when constructing email headers, Content-Disposition filenames, or Location headers from caller-controlled strings.
Use when the user asks to identify security-sensitive areas in a codebase, map the attack surface, or find where a security review should focus. Also invoke when asked to triage or prioritize security effort across a repository.
Use when writing code that constructs database queries, builds SQL strings, executes shell commands, processes templates with user input, evaluates code dynamically, or passes user-controlled data to any external interpreter.
Use when designing authentication flows, implementing rate limiting, building business logic for financial or access-sensitive operations, or writing code that enforces security requirements at the application layer.
Use when writing code that stores sensitive data (credentials, tokens, PII) to local files, platform preference stores (NSUserDefaults, SharedPreferences, UserDefaults), SQLite databases, or localStorage without encryption at rest.
Use when writing code that renders LLM output to a UI, executes LLM-generated code or shell commands, or passes LLM responses to downstream APIs or databases. Also invoke when displaying markdown or HTML from an LLM response.
Use when writing LLM tool definitions, function schemas for tool use, plugin or extension handlers, or any code that defines what actions an LLM can take via tools. Also invoke when implementing tool parameter validation.
Use when writing deserialization code, processing pickled or marshalled data, implementing software update mechanisms, consuming CI/CD artifact downloads, or handling data from untrusted sources that gets reconstructed into objects.
Use when writing URL scheme handlers, Android intent receivers or exported activities, named pipe or socket listeners, XPC service handlers, or any IPC endpoint that processes caller-supplied input without validating the caller's identity or origin.
Use when writing code that downloads pre-trained models, loads models from registries or file paths, integrates third-party LLM providers, or manages model version selection. Also invoke when setting up automated model updates.
Use when writing logging code, audit trails, error handlers that log, authentication event recording, or any code that writes security-relevant events. Also invoke when logging user inputs, API responses, or system actions that touch sensitive data.
Use when writing code that creates or updates database records from request body, form data, or JSON input. Also invoke when spreading, merging, or destructuring request payloads directly into ORM model create/update calls without an explicit field allowlist.
Use when writing MCP server definitions, tool schemas, or tool handler code. Also invoke when registering tools with Claude or building Claude Code extensions that expose file system, shell, or network access.
Use when writing LLM API call handlers, setting up inference endpoints, implementing chatbot backends, or configuring token limits for LLM services. Also invoke when accepting user-provided prompts without length constraints.
Use when writing inference API endpoints, deploying LLM-serving infrastructure, implementing model access controls, or configuring rate limiting and authentication for model endpoints.
Use when writing code that calls other agents, spawns subagents, builds multi-agent pipelines, or passes messages between LLM agents. Also invoke when an orchestrator delegates tasks to worker agents or when agents share tools and permissions.
Use when writing MongoDB queries, Elasticsearch queries, or other NoSQL database operations that include user-supplied input. Also invoke when building query filters from request parameters or constructing aggregation pipelines with dynamic values.
Use when writing OAuth2 or OpenID Connect flows, JWT validation logic, token endpoint handling, or redirect URI processing. Also invoke when implementing any code that parses or verifies JWTs.
Use when writing code that redirects users to a URL from request parameters, form input, or any caller-controlled source. Also invoke when building login flows with "return to" URLs or OAuth callback redirects.
Use when writing code that displays LLM output as authoritative fact, uses LLM decisions to gate consequential outcomes without human review, or builds automated pipelines where LLM judgment drives downstream actions.
Use when writing code that opens, reads, writes, or deletes files using paths constructed from user input. Also invoke when serving static files, handling file downloads by name, or resolving paths from URL parameters or request bodies.
Use when writing code that constructs LLM prompts from user input, builds system prompts, implements RAG pipelines, or processes external documents fed to a model. Also invoke when external data can influence LLM context.
Use when writing JavaScript or TypeScript code that deep-merges, clones, or extends objects using user-controlled input. Also invoke when using lodash merge/set, Object.assign with dynamic keys, or recursive property copy on untrusted data.
Use when writing check-then-act sequences on shared state, file operations that check existence before read/write, balance updates without locking, or any code where two operations on the same resource are not atomic.
Use when building RAG pipelines, ingesting external documents into vector stores, or retrieving content from external sources to include in LLM context. Also invoke when writing code that fetches URLs or parses documents for LLM prompts.
Use when writing regular expressions that will be applied to user-supplied input. Also invoke when compiling regexes from external configuration, building input validation patterns, or parsing untrusted strings with regex.
Use when the user wants to fix security issues found by /security-review or when they ask to clean up, remediate, or apply fixes for security findings.
Use when writing server configuration, setting environment variables, configuring CORS policies, enabling debug modes, setting up default credentials, or deploying application infrastructure. Also invoke when writing security headers middleware.
Use when the user types /security-review or explicitly requests a full security audit of the current code.
Use when writing code that passes sensitive data (PII, credentials, health data) to an LLM API, constructs system prompts containing secrets, returns LLM responses that could contain training data, or implements memory/context persistence.
Use when writing code that makes HTTP requests to URLs constructed from user input, fetches resources from caller-specified addresses, or proxies requests on behalf of users. Also invoke when implementing webhook receivers or URL preview features.
Use when writing package installation commands, dependency manifests, CI/CD pipeline configs, build scripts, or code that loads external packages. Also invoke when pinning or unpinning dependency versions.
Use when writing an implementation plan for a new feature, API endpoint, data pipeline, or system component. Also invoke when a plan introduces new trust boundaries, handles user-supplied data, adds authentication flows, or integrates external services.
Use when writing code that passes user-supplied strings to an LLM, constructs prompts from external data, or processes text that may contain Unicode control characters, homoglyphs, or invisible formatting characters.
Use when writing fine-tuning pipelines, dataset ingestion scripts, external training data loaders, or code that collects and processes data for model training. Also invoke when automating dataset curation from web scraping or user-contributed sources.
Use when writing code that calls third-party APIs, parses responses from external services, or integrates with webhooks and callbacks from external systems. Also invoke when deserializing or acting on data received from partner or vendor APIs without validation.
Use when writing login flows, session management, password storage, JWT handling, MFA implementation, credential validation, or any code that authenticates users. Also invoke when implementing "remember me" functionality or API key management.
Security code review skill based on Project CodeGuard's comprehensive security rules. Helps AI coding agents write secure code and prevent common vulnerabilities.
AI-powered cybersecurity code review with 8 specialist agents, OWASP Top 10:2021, CWE Top 25:2024, MITRE ATT&CK v15, and framework-aware false-positive suppression
AI-powered security auditing with interactive skills, automated agents, web dependency scanning, and supply chain hardening for comprehensive vulnerability detection and reporting
Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues
Open-source cybersecurity analysis agent. Scans any local project for vulnerabilities: code security (SAST), dependency CVEs (SCA), secret leaks, authentication/authorization flaws, cryptographic weaknesses, misconfigurations, supply chain risks, and CI/CD security. Covers all OWASP 2025 Top 10 and CWE Top 25 categories. Generates prioritized reports with remediation guidance. Invoke with /cyber-neo [path].
Security scanning, dependency CVE audits, and exposure-aware risk prioritization.