From bitwarden-security-engineer
This skill should be used when the user asks to "analyze code for security issues", "check for OWASP vulnerabilities", "review code against CWE Top 25", "find injection vulnerabilities", "do a security code review", or needs manual security analysis against OWASP Top 10, API Top 10, Mobile Top 10, or CWE/SANS frameworks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bitwarden-security-engineer:analyzing-code-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Follow these steps when conducting a manual security code review:
Follow these steps when conducting a manual security code review:
references/framework-checklists.md for OWASP Web/API/Mobile Top 10 and CWE Top 25. Check each applicable category against the code under review.The most frequently encountered categories across Bitwarden's stack:
innerHTML and bypassSecurityTrust* with untrusted content.TypeNameHandling.All in JSON.NET.reviewing-security-architecture skill for approved algorithms.For complete framework checklists (all OWASP and CWE categories), consult references/framework-checklists.md.
For CORRECT/WRONG code examples in C#, TypeScript, and SQL, consult references/vulnerability-patterns.md.
Adopt an adversarial mindset during security code review — this differs from regular code review which seeks to strengthen code.
How to think adversarially:
For detailed checklists and code examples, consult:
references/framework-checklists.md — OWASP Web Top 10, API Top 10, Mobile Top 10 (2024), CWE Top 25 lookup tablesreferences/vulnerability-patterns.md — CORRECT/WRONG code examples for C#/.NET, TypeScript/Angular, and SQLnpx claudepluginhub denobotion/ai-plugins --plugin bitwarden-security-engineerThis skill should be used when the user asks to "analyze code for security issues", "check for OWASP vulnerabilities", "review code against CWE Top 25", "find injection vulnerabilities", "do a security code review", or needs manual security analysis against OWASP Top 10, API Top 10, Mobile Top 10, or CWE/SANS frameworks.
Reviews project code against OWASP Top 10 vulnerabilities: broken access control, injections (SQL, XSS, CSRF), cryptographic failures, insecure design, misconfigurations, and authentication issues.
Reviews code for OWASP Top 10 security vulnerabilities: injection, XSS, broken access control, and cryptographic failures. Excludes readability and test design.