From loopkit
Verifies that API endpoints check resource ownership, not just authentication. Catches IDOR vulnerabilities and missing authorization in handlers that read or mutate user data.
How this skill is triggered — by the user, by Claude, or both
Slash command
/loopkit:authz-checkWhen to use
new/changed endpoint, "get user X's data", a mutation, an admin action
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The most common security hole: the code checks you're logged IN, but not that you OWN the thing.
The most common security hole: the code checks you're logged IN, but not that you OWN the thing.
WHERE id = ? AND owner_id = current_user — not just WHERE id = ?.npx claudepluginhub archive228/loopkitDetects missing ownership checks, broken role enforcement, and IDOR vulnerabilities in authorization code. Use when implementing access control middleware or resource ownership checks.
Enforces object-level authorization by scoping database queries to the authenticated user and centralizing ownership checks in a dedicated service.
Enforces deny-by-default authorization at every resource access point using RBAC or ABAC patterns. Use when implementing access control decisions for APIs, web apps, or services.