Conduct comprehensive security audits covering OWASP Top 10, AI/MCP security, and secrets management.
Install:

```
/plugin marketplace add cameronsjo/claude-marketplace
/plugin install security@cameronsjo
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
Files:
- `README.md`
- `resources/owasp-checklist.json`
- `resources/secret-patterns.json`
- `resources/security-test-cases.md`
- `scripts/find-secrets.py`
- `scripts/generate-sentinelpolicy.py`
- `scripts/owasp-checklist.py`
- `scripts/security-audit.py`
Identify security vulnerabilities, validate secure coding practices, and provide actionable remediation guidance.
Validate against the current OWASP Top 10; for AI/LLM features and MCP servers, also apply the AI/MCP security checks.
Gather context about the application:
Review the codebase against OWASP Top 10 2021:

### A01: Broken Access Control
Search patterns:
- `@require`, `@authorize`, `check_permission`, `verify_access`
- `jwt.decode`, `jwt.verify`, `validateToken`
- `rateLimit`, `throttle`, `@limit`

### A02: Cryptographic Failures
Search patterns:
- `scripts/find-secrets.py`
- `MD5`, `SHA1`, `DES`, `RC4`
- `process.env`, `os.environ`, hardcoded keys

### A03: Injection
Search patterns:
- `exec`, `eval`, `subprocess.call` with user input

### A04: Insecure Design
Manual review required - check design documents and architecture diagrams.

### A05: Security Misconfiguration
Search patterns:
- `default_password`, `admin/admin`, `root/root`
- `DEBUG=true`, `NODE_ENV=development` in production

### A06: Vulnerable and Outdated Components
Tools:
- `npm audit` or `npm audit --json`
- `pip-audit` or `uv pip audit`

### A07: Identification and Authentication Failures
Search patterns:
- `session`, `cookie`, `Set-Cookie`

### A08: Software and Data Integrity Failures
Search patterns:
- `pickle.loads`, `JSON.parse`, `yaml.load`
- `.github/workflows`, Looper configs

### A09: Security Logging and Monitoring Failures
Search patterns:
- `logger`, `console.log`, `print` (ensure structured)

### A10: Server-Side Request Forgery
Search patterns:
- `fetch`, `axios`, `requests.get`

For applications using AI/LLM or implementing MCP servers:

Search patterns (LLM integrations):
- `openai`, `anthropic`, `completion`, `generate`

Search patterns (MCP servers):
- `@mcp/server`, tool handlers

Search patterns (data handling):
- PII detection: email, SSN, phone, address patterns
- External API calls: data sent to LLM providers
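The search-pattern review above is what the "automated first" pass of the methodology looks like in code. The following is an added example, not the skill's own `scripts/security-audit.py`: it greps an in-memory set of sources for the indicator patterns listed above, keyed by OWASP category, tags each hit as test or production code (the distinction the False Positives section asks for), and renders the checklist lines used by the report template. The sample sources, the test-path heuristic and the exact regexes are assumptions; a hit is a location to review, not a confirmed finding, since `jwt.verify` or `@require` is usually the control itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator patterns from the review above, keyed by OWASP Top 10 2021 category
# (plus the AI/MCP integration markers).  A04 and A06 are absent on purpose: design
# review and dependency audits are not grep problems.
PATTERNS: Dict[str, List[str]] = {
    "A01: Broken Access Control": [
        r"@require\b", r"@authorize\b", r"check_permission", r"verify_access",
        r"jwt\.(decode|verify)", r"validateToken", r"rateLimit", r"throttle", r"@limit\b"],
    "A02: Cryptographic Failures": [
        r"\bMD5\b", r"\bSHA1\b", r"\bDES\b", r"\bRC4\b", r"process\.env", r"os\.environ"],
    "A03: Injection": [r"\bexec\(", r"\beval\(", r"subprocess\.call"],
    "A05: Security Misconfiguration": [
        r"default_password", r"admin/admin", r"root/root",
        r"DEBUG\s*=\s*true", r"NODE_ENV\s*=\s*development"],
    "A07: Identification and Authentication Failures": [
        r"\bsession\b", r"\bcookie\b", r"Set-Cookie"],
    "A08: Software and Data Integrity Failures": [
        r"pickle\.loads", r"JSON\.parse", r"yaml\.load\("],
    "A09: Security Logging and Monitoring Failures": [
        r"\blogger\b", r"console\.log", r"\bprint\("],
    "A10: Server-Side Request Forgery": [r"\bfetch\(", r"\baxios\b", r"requests\.get"],
    "AI/MCP": [r"\bopenai\b", r"\banthropic\b", r"@mcp/server"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in PATTERNS.items()}

# Assumed heuristic for the test-vs-production distinction; adjust to the repository layout.
TEST_PATH = re.compile(r"(^|/)(tests?|spec|__tests__|fixtures)/|_test\.py$|\.test\.[jt]s$")


@dataclass(frozen=True)
class Hit:
    category: str
    path: str
    line: int
    pattern: str
    snippet: str
    context: str  # "test" or "production"


def classify_context(path: str) -> str:
    return "test" if TEST_PATH.search(path) else "production"


def scan_source(path: str, text: str) -> List[Hit]:
    """Return one Hit per (line, category) for every indicator that matches."""
    hits: List[Hit] = []
    context = classify_context(path)
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, regexes in COMPILED.items():
            for rx in regexes:
                if rx.search(line):
                    hits.append(Hit(category, path, lineno, rx.pattern, line.strip(), context))
                    break  # one hit per category per line is enough for triage
    return hits


def scan_tree(files: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory {path: source} mapping (stands in for walking a checkout)."""
    return [hit for path, text in sorted(files.items()) for hit in scan_source(path, text)]


def checklist(hits: Iterable[Hit]) -> List[str]:
    """Render the report's checklist lines; only production hits count as open review items."""
    counts = {category: 0 for category in PATTERNS}
    for hit in hits:
        if hit.context == "production":
            counts[hit.category] += 1
    return [
        f"- [x] {category} - no hits" if n == 0
        else f"- [ ] {category} - {n} location{'s' if n != 1 else ''} to review"
        for category, n in counts.items()
    ]


# Constructed sample sources, not taken from any real project.
SAMPLE_FILES = {
    "app/views.py": (
        "import hashlib\n"
        "def profile(request, user_id):\n"
        "    token = jwt.decode(request.headers['Authorization'], verify=False)\n"
        "    digest = hashlib.md5(request.body).hexdigest()\n"
        "    print('debug', user_id)\n"
        "    return requests.get(request.GET['callback'])\n"
    ),
    "app/config.py": "DEBUG = True\nSECRET = os.environ['SECRET']\n",
    "tests/test_views.py": "def test_profile():\n    print('ok')\n    cookie = 'x'\n",
}

if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_FILES):
        print(f"[{hit.context}] {hit.category} {hit.path}:{hit.line} ({hit.pattern}) {hit.snippet}")
    print("\n".join(checklist(scan_tree(SAMPLE_FILES))))
```

Test-code hits are still reported (a `print` in a test is worth knowing about) but do not open a checklist item, which keeps the manual review focused on the code that ships.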
- Review latest CodeGate scan results
- Prioritize Critical, High, Medium findings (build blockers)
- Validate false positive marking with clear comments
- Document non-exploitable findings properly
Note: CodeGate findings cannot be downgraded, only marked as "Non Exploitable" with explanation.
Run comprehensive security checks:

```bash
python scripts/security-audit.py [--path PATH] [--output report.json]
```

Interactive checklist for manual review:

```bash
python scripts/owasp-checklist.py
```

Walks through OWASP Top 10 with file-specific guidance.

Find potential secrets:

```bash
python scripts/find-secrets.py [--path PATH] [--output findings.json]
```

Generate `.sentinelpolicy` entries:

```bash
python scripts/generate-sentinelpolicy.py --key SUPPRESSION_KEY --reason "Explanation"
```
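To show what a secrets scanner such as `scripts/find-secrets.py` has to get right, here is an added example that is not the skill's script (its real patterns live in `resources/secret-patterns.json` and are not reproduced here). It combines the two checks these tools rely on: shape-based regexes for well-known key formats and a Shannon-entropy threshold for generic `NAME = '...'` assignments, with a placeholder allowlist so `changeme` and `${VAR}` references are not reported as false positives. Findings carry a masked preview, so the report itself never republishes the value. The pattern set, threshold and sample files are constructed; the AWS-style value is Amazon's documented example key ID.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed detector set for the demonstration (not the skill's secret-patterns.json).
SECRET_PATTERNS = {
    # AWS access key IDs have a fixed prefix and length.
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A secret-looking name assigned a quoted literal of 8+ chars; group 1 is the value.
    "assigned-secret": re.compile(
        r"(?i)(?:api[_-]?key|secret(?:[_-]?key)?|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Literals that look like secrets but are documented placeholders or template references.
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|placeholder|redacted|x{3,}|\$\{[^}]+\}|<[^>]+>)$")
ENTROPY_THRESHOLD = 3.5  # bits per character; random key material usually sits well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: dictionary words land near 3, random keys near 4.5+."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def mask(value: str) -> str:
    """Keep a 4-char prefix so the finding is recognisable without leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)


@dataclass(frozen=True)
class SecretHit:
    kind: str
    path: str
    line: int
    preview: str


def scan_text(path: str, text: str) -> List[SecretHit]:
    hits: List[SecretHit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in SECRET_PATTERNS.items():
            match = rx.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDERS.match(value):
                continue  # documented placeholder or ${VAR} reference, not a secret
            if kind == "assigned-secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low entropy: a word or label, not key material
            hits.append(SecretHit(kind, path, lineno, mask(value)))
    return hits


def scan_for_secrets(files: Dict[str, str]) -> List[SecretHit]:
    """Scan an in-memory {path: content} mapping (stands in for walking a checkout)."""
    return [hit for path, text in sorted(files.items()) for hit in scan_text(path, text)]


# Constructed sample files; every value here is made up for the demonstration.
SAMPLE_CONFIG = {
    "config/settings.py": (
        "API_KEY = 'sk-live-9f8e7d6c5b4a3928'\n"     # flagged: high-entropy literal
        "DB_PASSWORD = 'changeme'\n"                  # skipped: documented placeholder
        "TOKEN = 'development'\n"                     # skipped: low entropy, a plain word
        "SECRET_KEY = \"${SECRET_KEY}\"\n"            # skipped: templated reference
        "password = os.environ['DB_PASSWORD']\n"      # nothing to flag: no literal value
    ),
    "deploy/creds.ini": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",
}

if __name__ == "__main__":
    for hit in scan_for_secrets(SAMPLE_CONFIG):
        print(f"{hit.kind:18} {hit.path}:{hit.line}  {hit.preview}")
```

Reading a secret from `os.environ` is the pattern the A02 review wants to see, so the scanner deliberately has nothing to say about the last line of the sample; only quoted literals and well-known key shapes are candidates.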
Create a comprehensive report:

```markdown
# Security Audit Report - [Project Name]
**Date:** YYYY-MM-DD
**Auditor:** [Name]
**Scope:** [Description]
## Executive Summary
[High-level overview of findings]
## Critical Findings
### Finding 1: [Title]
- **Severity:** Critical/High/Medium/Low
- **Category:** [OWASP Category]
- **Location:** [File:Line]
- **Description:** [What was found]
- **Impact:** [Security impact]
- **Remediation:** [How to fix]
- **References:** [Links to docs/standards]
## OWASP Top 10 Checklist
- [x] A01: Broken Access Control - PASS
- [ ] A02: Cryptographic Failures - 2 findings
- ...
## AI/MCP Security (if applicable)
[Findings specific to AI/MCP]
## Secrets Management
[Review of .sentinelpolicy, findings from secrets scanner]
## Recommendations
1. [Priority recommendation]
2. [Next recommendation]
...
## Conclusion
[Overall security posture assessment]
```
For each finding, create GitHub issues:

````markdown
## Security: [Title]
**Severity:** Critical/High/Medium/Low
**Category:** [OWASP Category]
**Description:**
[Detailed explanation]
**Impact:**
[Security implications]
**Remediation:**
```python
# Before (vulnerable)
query = f"SELECT * FROM users WHERE id = {user_id}"
# After (secure)
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
```
**References:**
**Labels:** security, [severity]
````
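The before/after pair in the issue template is the kind of remediation evidence worth attaching to a finding. Here it is carried through as a runnable added example (not code from the skill), using Python's built-in `sqlite3` and a constructed `users` table, so the reviewer can show exactly why the bound parameter closes the hole: the same malformed id that rewrites the vulnerable query is treated as a plain value by the parameterised one and matches nothing. A third function adds the input validation a hardened handler would do before the query is ever built. The table contents and the sample input are constructed.

```python
import sqlite3
from typing import Any, List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    # Before (vulnerable): the request value becomes part of the SQL text, so anything
    # that is not a bare number changes the statement instead of being compared to id.
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]


def lookup_secure(conn: sqlite3.Connection, user_id: Any) -> List[str]:
    # After (secure): the SQL text is constant and the value travels as a bound parameter.
    # SQLite compares the parameter to the INTEGER column; a non-numeric string matches nothing.
    query = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> List[str]:
    # Defence in depth: validate the shape of the input before it reaches the data layer,
    # so malformed ids are rejected with a clear error instead of silently returning nothing.
    if not user_id.isdigit():
        raise ValueError("user id must be a positive integer")
    return lookup_secure(conn, int(user_id))


# Constructed sample input: a value that is not a bare id and therefore must never be
# allowed to alter the statement.
MALFORMED_ID = "2 OR 1=1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, malformed id:", lookup_vulnerable(db, MALFORMED_ID))  # every row leaks
    print("secure, malformed id:    ", lookup_secure(db, MALFORMED_ID))      # []
    print("secure, valid id:        ", lookup_secure(db, "2"))               # ['bob']
```

The test-case file `resources/security-test-cases.md` is the natural place to record inputs like `MALFORMED_ID` alongside the expected secure result, so the fix can be re-verified after remediation (step 6 of the review approach).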
## Best Practices
### Review Approach
1. **Automated first:** Run automated tools to catch low-hanging fruit
2. **Manual review:** Deep dive into business logic and architecture
3. **Threat modeling:** Think like an attacker
4. **Document everything:** Create clear, actionable findings
5. **Prioritize:** Critical and High findings first
6. **Verify fixes:** Re-scan after remediation
### Communication
- Be clear and specific about vulnerabilities
- Provide context and impact assessment
- Offer concrete remediation guidance with code examples
- Link to authoritative references (OWASP, CWE)
- Avoid security theater - focus on real risks
### False Positives
- Validate before reporting
- Understand the context (test vs production code)
- Document why something is safe
- Use proper suppression mechanisms
## Resources
### Documentation
- `~/.claude/docs/security/owasp-top-10.md`
- `~/.claude/docs/security/codegate-checkmarx.md`
- `Security scanning documentation`
### Tools
- `scripts/security-audit.py` - Automated security scanning
- `scripts/find-secrets.py` - Secrets detection
- `scripts/generate-sentinelpolicy.py` - Sentinel policy management
- `scripts/owasp-checklist.py` - Interactive checklist
### External References
- OWASP Top 10 2021: https://owasp.org/Top10/
- OWASP AI Security: https://owasp.org/www-project-top-10-for-large-language-model-applications/
- CWE Top 25: https://cwe.mitre.org/top25/
- OWASP: https://owasp.org/
## Usage
Invoke this skill when:
- Conducting security code reviews
- Auditing new or existing applications
- Responding to security scan findings
- Creating `.sentinelpolicy` suppressions
- Validating secure coding practices
- Preparing for security assessments
- Investigating potential vulnerabilities
The skill provides systematic security review methodology with automated tools and actionable guidance.