Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
Executes OWASP ZAP security scans, analyzes vulnerabilities, and generates reports for web applications and APIs.
```bash
npx claudepluginhub a5c-ai/babysitter
```

This skill is limited to using the following tools:

You are owasp-zap-security - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.
This skill enables AI-powered security testing including:
Set up ZAP for security testing:
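```bash
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable

# Run ZAP in daemon mode. api.addrs.addr.name=.* lets any client address call
# the API, so publish the port on loopback only and require an API key.
export ZAP_API_KEY="$(openssl rand -hex 16)"
docker run -d --name zap -p 127.0.0.1:8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true -config api.key="$ZAP_API_KEY"

# Verify ZAP is running
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" http://localhost:8080/JSON/core/view/version/
```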
Crawl web applications to discover attack surface:
```bash
# Start spider scan
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"

# Check spider status
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/spider/view/status/"

# Get spider results
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/spider/view/results/"
```
Execute comprehensive vulnerability scans:
```bash
# Start active scan
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"

# Check scan progress
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/ascan/view/status/"

# Get alerts
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
```
Test APIs using OpenAPI/Swagger specifications:
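```bash
# Import OpenAPI spec
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"

# Or import from file (the path is read by ZAP, so it must exist inside the container)
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"

# Scan API endpoints
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
```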
Quick baseline scans for pipeline integration:
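```bash
# Docker baseline scan (the working directory is mounted at /zap/wrk so that
# gen.conf and the report are written to the host)
docker run -v "$(pwd)":/zap/wrk/:rw -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com \
  -g gen.conf \
  -r report.html

# API baseline scan
docker run -v "$(pwd)":/zap/wrk/:rw -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```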
Handle authenticated scans:
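```bash
# Form-based authentication. authMethodConfigParams is itself a URL-encoded parameter
# string: its inner values are percent-encoded and curl encodes the whole value once more.
curl -G -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/" -d contextId=1 -d authMethodName=formBasedAuthentication \
  --data-urlencode "authMethodConfigParams=loginUrl=https%3A%2F%2Ftarget.example.com%2Flogin&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"

# Set credentials (the context and user with these IDs must already exist)
curl -G -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/" -d contextId=1 -d userId=1 \
  --data-urlencode "authCredentialsConfigParams=username=testuser&password=testpass"
```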
Generate security reports:
```bash
# HTML report
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html

# JSON report
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/JSON/core/view/alerts/" > alerts.json

# XML report
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
```
| Level | Risk | Description |
|---|---|---|
| 3 | High | Critical vulnerabilities requiring immediate action |
| 2 | Medium | Significant issues to address before production |
| 1 | Low | Minor issues with limited impact |
| 0 | Informational | Best practice recommendations |

| OWASP Category | ZAP Detection |
|---|---|
| A01:2021 - Broken Access Control | Active scan, authentication tests |
| A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags |
| A03:2021 - Injection | SQL, XSS, Command injection tests |
| A04:2021 - Insecure Design | Business logic testing |
| A05:2021 - Security Misconfiguration | Header analysis, error handling |
| A06:2021 - Vulnerable Components | Technology fingerprinting |
| A07:2021 - Identification Failures | Session management, auth bypass |
| A08:2021 - Software/Data Integrity | CSP, SRI checks |
| A09:2021 - Logging Failures | Information disclosure |
| A10:2021 - SSRF | Server-side request testing |

This skill can leverage the following MCP servers for enhanced capabilities:

| Server | Description | Installation |
|---|---|---|
| dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | GitHub |
| ajtazer/ZAP-MCP | Python-based ZAP MCP | GitHub |
| ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | mcp.so |

This skill integrates with the following processes:

- security-testing.js - All phases of security testing
- api-testing.js - API security validation
- quality-gates.js - Security gate enforcement
- continuous-testing.js - CI/CD security integration

When executing operations, provide structured output:
```json
{
  "operation": "active-scan",
  "target": "https://target.example.com",
  "status": "completed",
  "summary": {
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "criticalFindings": [
    {
      "alert": "SQL Injection",
      "risk": "High",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "evidence": "SQL syntax error",
      "solution": "Use parameterized queries"
    }
  ],
  "reportPath": "./security-report.html"
}
```
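
A gate over the alerts output, as an added example that is not part of the skill's own code: it deduplicates the alerts returned by `/JSON/core/view/alerts/`, fills the summary structure shown above, and reports failure when any finding is at or above a chosen risk level. The function names, the `fail_at` parameter and the sample alerts are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Risk names from ZAP's "risk" field, mapped to the levels in the risk table.
RISK_LEVELS = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

def level(alert):
    return RISK_LEVELS.get(alert.get("risk"), 0)

def summarize_alerts(alerts_json, target, fail_at="High"):
    """Return (structured summary, gate_passed) for a ZAP alerts document."""
    unique = {}
    for a in json.loads(alerts_json).get("alerts", []):
        # The same finding can be reported more than once; count it once
        # per (rule, URL, parameter) so the totals are not inflated.
        unique.setdefault((a.get("pluginId"), a.get("url"), a.get("param")), a)
    counts = Counter(a.get("risk") for a in unique.values())
    blocking = [a for a in unique.values() if level(a) >= RISK_LEVELS[fail_at]]
    blocking.sort(key=lambda a: (-level(a), a.get("url", "")))
    summary = {
        "operation": "active-scan",
        "target": target,
        "status": "completed",
        "summary": {name.lower(): counts.get(name, 0) for name in RISK_LEVELS},
        "criticalFindings": [
            {"alert": a.get("alert"), "risk": a.get("risk"), "url": a.get("url"),
             "parameter": a.get("param"), "evidence": a.get("evidence"),
             "solution": a.get("solution")}
            for a in blocking
        ],
    }
    return summary, not blocking

# Constructed sample in the shape of /JSON/core/view/alerts/ output.
SQLI = {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
        "url": "https://target.example.com/api/users", "param": "id",
        "evidence": "SQL syntax error", "solution": "Use parameterized queries"}
CSP = {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
       "risk": "Medium", "url": "https://target.example.com/", "param": "",
       "evidence": "", "solution": "Set a Content-Security-Policy header"}
SAMPLE = json.dumps({"alerts": [SQLI, dict(SQLI), CSP]})

if __name__ == "__main__":
    result, passed = summarize_alerts(SAMPLE, "https://target.example.com")
    print(json.dumps(result, indent=2))
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline step
```

In a pipeline, pass the contents of `alerts.json` instead of `SAMPLE` and lower `fail_at` to `"Medium"` for stricter gates.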