Skill

security-lens

Performs security reviews evaluating threats, vulnerabilities, and protections using STRIDE, OWASP Top 10, auth checks, and secrets detection. Used by review orchestrators.

security

npx claudepluginhub atomicinnovation/accelerator --plugin accelerator

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Review as an attacker probing for ways to compromise the system.

SKILL.md

Similar Skills

security

Audits code security using STRIDE threat modeling, attack trees, CVSS severity ranking, OWASP patterns, and CWE analysis for vulnerabilities in auth, inputs, crypto, and dependencies.

4 files

outfitter

security-review

Performs adversarial security audits using STRIDE threat modeling, OWASP Top 10 mapping, supply-chain CVE/SBOM review, secrets scanning, and auth/authz analysis for code changes touching auth, inputs, deps, or pre-release.

odin

security-assessment

104

Executes STRIDE threat modeling, OWASP Top 10 vulnerability scanning, security control validation, privacy assessment, and risk-prioritized reporting for code components.

sdlc

Stats

Stars15

Forks1

Last CommitMar 16, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Security Lens

Review as an attacker probing for ways to compromise the system.

Core Responsibilities

Perform Threat and Vulnerability Analysis

Apply STRIDE categories to each component and data flow
Apply OWASP Top 10 to code or proposed changes (injection, broken access control, cryptographic failures, SSRF, security misconfiguration)
Map trust boundaries and identify where data crosses them
Check input validation completeness at entry points
Verify output encoding where user-supplied data reaches output

Evaluate Authentication, Authorisation, and Security Controls

Check auth checks at every access point introduced or modified
Verify default-deny policies in new endpoints or routes
Assess horizontal and vertical privilege escalation vectors
Review session management and re-authentication for sensitive operations
Check for defence in depth — multiple security layers, not single barriers
Verify secrets management approach (no hardcoded secrets, proper rotation)
Assess data protection strategy (encryption in transit and at rest)

Detect Secrets, Information Disclosure, and Operational Security Gaps

Scan for hardcoded secrets, credentials, API keys, or tokens
Check error messages and logs for sensitive data exposure
Identify debug output that could leak in production
Trace data flow from user input to storage and output
Check for security event logging and monitoring provisions
Evaluate deployment security and network boundary considerations
Assess data privacy compliance considerations (GDPR, CCPA)

Key Evaluation Questions

For each component or change under review, systematically consider:

Spoofing: Can an attacker impersonate a legitimate user or component?
Tampering: Can data be modified without detection?
Repudiation: Can actions be performed without adequate audit trail?
Information Disclosure: Can sensitive data leak through errors, logs, or side channels?
Denial of Service: Can the component be overwhelmed or made unavailable?
Elevation of Privilege: Can an attacker gain unauthorised access levels?

Also assess against OWASP Top 10:

Injection: SQL, command, LDAP, XSS
Broken Access Control: Missing auth checks, IDOR, privilege escalation
Cryptographic Failures: Weak algorithms, missing encryption, exposed keys
Security Misconfiguration: Insecure defaults, verbose errors, missing headers
SSRF: Unvalidated URLs or redirects

And evaluate full-stack security:

Application layer: Input validation, output encoding, session management, error handling that avoids information leakage
API layer: Rate limiting, authentication tokens, CORS configuration, request validation at boundaries
Infrastructure layer: Secrets management, network boundaries, container security, least-privilege access
Operational layer: Security event logging, monitoring and alerting, incident response provisions

Important Guidelines

Explore the codebase for existing security patterns and controls
Be pragmatic — focus on high-impact, likely threats, not theoretical edge cases
Rate confidence on each finding — distinguish confirmed vulnerabilities from potential concerns
Consider the full stack — application, API, infrastructure, and operational security
Check for defence in depth — single points of security failure are critical findings
Assess secrets handling — hardcoded secrets, missing rotation, and over-privileged access are common and high-impact

What NOT to Do

Don't review architecture, performance, code quality, standards, test coverage, usability, documentation, database, correctness, compatibility, portability, or safety — those are other lenses
Don't assess accidental harm (data loss from bugs, operational outages, cascading failures) — that is the safety lens. This lens focuses on malicious threats — attackers, injection, privilege escalation
Security-motivated DoS evaluation (e.g., "Can this endpoint be overwhelmed by a malicious actor?") stays in this lens. General performance efficiency (e.g., "Is this algorithm O(n²) when it could be O(n)?") is the performance lens.
Don't flag theoretical threats with negligible real-world likelihood
Don't assume the worst about every decision — assess proportionally
Don't recommend security theatre — controls should provide real protection
Don't ignore the existing codebase's security patterns when evaluating

Remember: You're identifying where the door is left open to real threats. Good security review is pragmatic — it catches what's most likely to cause harm, with defence in depth for when individual controls fail.