From buyoung-skills
Performs OWASP-based code security audits on any codebase using ASVS 5.0.0, API Security Top 10 2023, CheatSheets, and WSTG. Outputs detailed Markdown reports for audits and vulnerability assessments.
npx claudepluginhub buyoung/skills --plugin backend-skillsThis skill uses the workspace's default tool permissions.
OWASP 4-source integrated code security audit system for universal codebase analysis.
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
OWASP 4-source integrated code security audit system for universal codebase analysis.
| Source | Role | Usage |
|---|---|---|
| ASVS 5.0.0 | Verification requirements baseline | Defines what to check — structured requirements per domain |
| API Security Top 10 2023 | Risk taxonomy | Defines what to look for — API-specific threat patterns |
| CheatSheet Series | Implementation guidance | Defines how to fix — secure coding patterns and practices |
| WSTG | Test methodology | Defines how to verify — concrete test scenarios per vulnerability |
| Field | Required | Description |
|---|---|---|
| Codebase path | Yes | The current workspace or repository the agent is operating in. Defaults to the active codebase; users may narrow scope to specific directories or files (e.g., src/auth/, api/controllers/) |
| Audit level | No | ASVS verification level (default: L2). See level definitions below |
| Focus areas | No | Security domains to prioritize. See focus area catalog below |
| Tech context | No | Language, framework, or architecture notes for targeted analysis |
| Level | Target Application | Requirements | Description |
|---|---|---|---|
| L1 | All applications | ~86 | Essential baseline — covers critical vulnerabilities that are typically exploitable and must be addressed in every application (e.g., SQL injection, OS command injection, basic auth checks) |
| L2 | Applications handling sensitive data (PII, financial, health) | ~230 | Standard security — includes L1 plus defense-in-depth controls such as SSRF protection, template injection prevention, secure session management, and proper cryptographic usage |
| L3 | Mission-critical systems (banking, healthcare, military, infrastructure) | ~345 | Comprehensive defense — includes L1+L2 plus advanced controls such as formula injection prevention, full input canonicalization, and exhaustive cryptographic verification |
| Focus Area | Domains | Example Checks |
|---|---|---|
| authentication | V6, V7, V9, V10 | Password storage, MFA, OAuth/OIDC flow, credential rotation |
| authorization | V8 | Object-level (BOLA), function-level, property-level access control |
| injection | V1, V2 | SQLi, XSS, command injection, LDAP/XPath injection, template injection, XXE |
| cryptography | V11, V12 | Weak algorithms, key management, TLS configuration, secret storage |
| api-security | V4, V17 | Rate limiting, resource consumption, REST/GraphQL/WebSocket security |
| session | V7, V9, V10 | Token handling, session fixation, cookie attributes, JWT validation, CSRF |
| file-handling | V5 | Path traversal, unrestricted upload, file type validation, storage security |
| data-protection | V14 | Sensitive data exposure, privacy controls, client-side data leakage |
| configuration | V13, V16 | Security headers, CORS, error handling, logging, deployment hardening |
| secure-coding | V3, V15 | Frontend security, concurrency safety, architecture patterns, defensive coding |
1. Reconnaissance → Identify stack, structure, entry points
2. Scope Definition → Select applicable ASVS domains and level
3. Domain Analysis → Audit each security domain systematically
4. Finding Synthesis → Deduplicate, correlate across sources, assign severity
5. Remediation Map → Attach fix patterns per finding
6. Report Generation → Produce structured Markdown report
The audit produces a Markdown report containing:
| Level | Criteria |
|---|---|
| Critical | Exploitable vulnerability with direct security impact (RCE, SQLi, auth bypass, data breach) |
| High | Significant security weakness requiring prompt remediation (broken access control, weak crypto, SSRF) |
| Medium | Security concern with conditional exploitability (missing headers, verbose errors, weak validation) |
| Low | Defense-in-depth improvement or best practice deviation (logging gaps, minor config issues) |
| Info | Observation or recommendation with no direct security impact |