From backend-skills
Performs OWASP-based code security audits on any codebase. Analyzes against ASVS 5.0.0, API Security Top 10 2023, CheatSheet, and WSTG. Outputs a detailed Markdown report.
npx claudepluginhub buyoung/skills --plugin backend-skills
How this skill is triggered — by the user, by Claude, or both
Slash command
/backend-skills:code-security-audit
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
OWASP 4-source integrated code security audit system for universal codebase analysis.
| Source | Role | Usage |
|---|---|---|
| ASVS 5.0.0 | Verification requirements baseline | Defines what to check — structured requirements per domain |
| API Security Top 10 2023 | Risk taxonomy | Defines what to look for — API-specific threat patterns |
| CheatSheet Series | Implementation guidance | Defines how to fix — secure coding patterns and practices |
| WSTG | Test methodology | Defines how to verify — concrete test scenarios per vulnerability |

| Field | Required | Description |
|---|---|---|
| Codebase path | Yes | The current workspace or repository the agent is operating in. Defaults to the active codebase; users may narrow scope to specific directories or files (e.g., src/auth/, api/controllers/) |
| Audit level | No | ASVS verification level (default: L2). See level definitions below |
| Focus areas | No | Security domains to prioritize. See focus area catalog below |
| Tech context | No | Language, framework, or architecture notes for targeted analysis |

| Level | Target Application | Requirements | Description |
|---|---|---|---|
| L1 | All applications | ~86 | Essential baseline — covers critical vulnerabilities that are typically exploitable and must be addressed in every application (e.g., SQL injection, OS command injection, basic auth checks) |
| L2 | Applications handling sensitive data (PII, financial, health) | ~230 | Standard security — includes L1 plus defense-in-depth controls such as SSRF protection, template injection prevention, secure session management, and proper cryptographic usage |
| L3 | Mission-critical systems (banking, healthcare, military, infrastructure) | ~345 | Comprehensive defense — includes L1+L2 plus advanced controls such as formula injection prevention, full input canonicalization, and exhaustive cryptographic verification |

| Focus Area | Domains | Example Checks |
|---|---|---|
| authentication | V6, V7, V9, V10 | Password storage, MFA, OAuth/OIDC flow, credential rotation |
| authorization | V8 | Object-level (BOLA), function-level, property-level access control |
| injection | V1, V2 | SQLi, XSS, command injection, LDAP/XPath injection, template injection, XXE |
| cryptography | V11, V12 | Weak algorithms, key management, TLS configuration, secret storage |
| api-security | V4, V17 | Rate limiting, resource consumption, REST/GraphQL/WebSocket security |
| session | V7, V9, V10 | Token handling, session fixation, cookie attributes, JWT validation, CSRF |
| file-handling | V5 | Path traversal, unrestricted upload, file type validation, storage security |
| data-protection | V14 | Sensitive data exposure, privacy controls, client-side data leakage |
| configuration | V13, V16 | Security headers, CORS, error handling, logging, deployment hardening |
| secure-coding | V3, V15 | Frontend security, concurrency safety, architecture patterns, defensive coding |

1. Reconnaissance → Identify stack, structure, entry points
2. Scope Definition → Select applicable ASVS domains and level
3. Domain Analysis → Audit each security domain systematically
4. Finding Synthesis → Deduplicate, correlate across sources, assign severity
5. Remediation Map → Attach fix patterns per finding
6. Report Generation → Produce structured Markdown report

The audit produces a Markdown report containing:

| Level | Criteria |
|---|---|
| Critical | Exploitable vulnerability with direct security impact (RCE, SQLi, auth bypass, data breach) |
| High | Significant security weakness requiring prompt remediation (broken access control, weak crypto, SSRF) |
| Medium | Security concern with conditional exploitability (missing headers, verbose errors, weak validation) |
| Low | Defense-in-depth improvement or best practice deviation (logging gaps, minor config issues) |
| Info | Observation or recommendation with no direct security impact |