This skill should be used when the user asks to "map data flows", "trace data through the system", "show how data moves", "identify trust boundaries", "find where data is encrypted or decrypted", "map PII flows", or "trace input to storage". Also triggers when the user asks about data transformation pipelines, where sensitive data is processed, or how user input reaches databases or external services.
```
npx claudepluginhub florianbuetow/claude-code --plugin appsec
```
This skill uses the workspace's default tool permissions.
Trace how data moves through the application from input to storage to output. Identify trust boundary crossings, encryption/decryption points, serialization steps, and data transformation operations. Produces annotated data flow maps with security observations at each transition.
Read ../../shared/schemas/flags.md for the full flag specification.
| Flag | Data Flow Behavior |
|---|---|
| --scope | Default full. Data flow mapping requires broad visibility. Narrow scopes trace only flows touching scoped files. |
| --depth quick | Entry points and data stores only, no intermediate tracing. |
| --depth standard | Trace major data paths from input through processing to storage/output. |
| --depth deep | Full taint analysis: every transformation, validation, and boundary crossing. |
| --depth expert | Deep + annotate with threat categories, identify covert channels, DREAD scoring on flow weaknesses. |
| --format | Default text. Use md for Mermaid diagrams, json for structured flow graph. |

Apply the --scope flag. Default to full for comprehensive flow mapping.

Catalog every point where data enters the system:
| Source Type | What to Look For |
|---|---|
| HTTP requests | Request body, query params, headers, cookies, path params, uploaded files |
| Database reads | Queries returning user data, config data, or cached content |
| External APIs | Responses from third-party services, webhook payloads |
| Message queues | Consumed messages from Kafka, RabbitMQ, SQS, etc. |
| File system | File reads, config loading, uploaded file processing |
| Environment | Environment variables, secrets managers, config services |
| User sessions | Session data, cached user state |
Catalog every point where data exits or is persisted:
| Sink Type | What to Look For |
|---|---|
| Database writes | INSERT, UPDATE, ORM save/create operations |
| HTTP responses | Response body, headers, cookies set |
| External APIs | Requests to third-party services |
| Message queues | Published messages |
| File system | File writes, log files, exported data |
| Logs | Application logs, audit logs, error tracking |
| Browser | Rendered HTML, JavaScript context, DOM injection points |
| Email/SMS | Outbound notification content |
For each source, trace data through the codebase to its sinks:
At each node in the data flow, annotate:
| Property | Values |
|---|---|
| Encrypted | In transit (TLS), at rest (AES/etc.), both, neither |
| Validated | Yes (with method), no, partial |
| Sanitized | Yes (with method), no |
| Logged | Yes (check for sensitive data in logs), no |
| Access controlled | Auth required, role checked, none |
| PII/Sensitive | Contains PII, financial, health, credentials, or other sensitive data |
Flag security concerns at data flow transitions:
- Unsafe deserialization: pickle.loads, JSON.parse on unvalidated external input without schema validation, ObjectInputStream on network data.

Produce Mermaid data flow diagrams:
```mermaid
graph LR
    subgraph External
        User[User Browser]
        ExtAPI[Payment API]
    end
    subgraph Application
        API[API Handler]
        Valid[Validator]
        Logic[Business Logic]
        Encrypt[Encryption Layer]
    end
    subgraph Storage
        DB[(Database)]
        Cache[(Redis Cache)]
    end
    User -->|HTTPS, JSON body| API
    API -->|raw input| Valid
    Valid -->|validated data| Logic
    Logic -->|PII: encrypted| Encrypt
    Encrypt -->|ciphertext| DB
    Logic -->|session token| Cache
    Logic -->|payment request, TLS| ExtAPI
```
Annotate edges with: protocol, encryption status, data sensitivity level.
Output the data flow map with security annotations and any findings.
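As an added example (not the appsec plugin's own code), the checker below applies the per-node annotations above to a constructed flow graph, detects trust boundary crossings, and emits Flow Inventory rows plus FLOW-NNN findings. The zone names, the "Analytics API" endpoint, and the CWE assigned to unvalidated crossings (CWE-20) are this example's assumptions, not the skill's.

```python
# Added example, not the appsec plugin's own code; nodes and flows below are constructed.
from dataclasses import dataclass
@dataclass
class Node:
    zone: str                   # trust zone: "external", "app" or "storage"
    encrypted: str = "neither"  # "transit", "rest", "both" or "neither"
    validated: bool = False     # node validates the data it receives
    logged: bool = False        # node writes the data to logs

SENSITIVE = {"Credentials", "PII", "Financial", "Health"}
def analyze(nodes, flows):
    """flows: list of (path, sensitivity). An edge between different zones is a
    trust boundary crossing; it is unvalidated when neither the receiving node nor
    any upstream node validated the data. CWE choices are this example's own."""
    rows, findings = [], []
    def flag(flow_no, cwe, detail):
        findings.append({"id": f"FLOW-{len(findings) + 1:03d}", "flow": flow_no,
                         "cwe": cwe, "detail": detail})
    for i, (path, sens) in enumerate(flows, 1):
        validated, first = False, len(findings)
        for a, b in zip(path, path[1:]):
            src, dst = nodes[a], nodes[b]
            validated = validated or src.validated
            if src.zone != dst.zone:
                if not (validated or dst.validated):
                    flag(i, "CWE-20", f"unvalidated boundary crossing {a} -> {b}")
                if sens in SENSITIVE and dst.encrypted not in ("transit", "both"):
                    flag(i, "CWE-319", f"{sens} sent in cleartext {a} -> {b}")
            if dst.logged and sens in SENSITIVE:  # sensitive data written to logs
                flag(i, "CWE-532", f"{sens} written to logs at {b}")
        rows.append({"#": i, "source": path[0], "sink": path[-1], "sensitivity": sens,
                     "encrypted": nodes[path[-1]].encrypted,
                     "validated": "Yes" if validated or nodes[path[-1]].validated else "No",
                     "issue": ", ".join(x["id"] for x in findings[first:]) or "None"})
    return rows, findings

NODES = {  # constructed sample mirroring the Flow Inventory template below
    "POST /api/login": Node("external"),
    "auth.verify": Node("app", encrypted="transit", validated=True),
    "users table": Node("storage", encrypted="transit"),
    "POST /api/upload": Node("external"),
    "fileHandler": Node("app", encrypted="transit"),
    "/uploads/": Node("storage"),
    "POST /api/profile": Node("external"),
    "profileHandler": Node("app", encrypted="transit", validated=True, logged=True),
    "Analytics API": Node("external"),  # assumed third party reached over plain HTTP
}
FLOWS = [(["POST /api/login", "auth.verify", "users table"], "Credentials"),
         (["POST /api/upload", "fileHandler", "/uploads/"], "User files"),
         (["POST /api/profile", "profileHandler", "Analytics API"], "PII")]
```

Calling `analyze(NODES, FLOWS)` returns the inventory rows and four findings: two unvalidated crossings on the upload flow, and a log exposure plus a cleartext transmission on the PII flow.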
This skill produces a data flow map plus findings for flow weaknesses.
Finding ID prefix: FLOW (e.g., FLOW-001).
## Data Flow Analysis
### Summary
- Data sources identified: N
- Data sinks identified: N
- Trust boundary crossings: N
- Unvalidated crossings: N
- Sensitive data flows: N
### Data Flow Diagram
[Mermaid diagram]
### Flow Inventory
| # | Source | Path | Sink | Sensitivity | Encrypted | Validated | Issue |
|---|--------|------|------|-------------|-----------|-----------|-------|
| 1 | POST /api/login | -> auth.verify -> db.query | users table | Credentials | TLS only | Yes | None |
| 2 | POST /api/upload | -> fileHandler -> fs.write | /uploads/ | User files | No | No | FLOW-001 |
### Trust Boundary Crossings
[Table of all boundary crossings with security annotations]
### Findings
[Standard findings for flow weaknesses]
Findings follow ../../shared/schemas/findings.md with:
- metadata.tool: "data-flows"
- references.cwe: CWE-319 (Cleartext Transmission), CWE-312 (Cleartext Storage), CWE-532 (Info Exposure Through Log), CWE-502 (Deserialization of Untrusted Data)

At --depth quick, a high-level source-to-sink map is more useful than exhaustive intermediate tracing.