From cms-cultivator
Runs OWASP Top 10 security audits with configurable depth, scope, and output formats. Supports Drupal and WordPress codebases.
Install: npx claudepluginhub kanopi/claude-toolbox --plugin cms-cultivator
How this skill is triggered (by the user, by Claude, or both): Slash command
/cms-cultivator:security-audit
The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
Comprehensive OWASP Top 10 security vulnerability scanning using the security-specialist agent.
Scans codebases for OWASP Top 10 web security risks including injections, auth flaws, and misconfigurations. Generates reports with remediation guidance for audits.
Audits web applications against OWASP Top 10 (2021) vulnerabilities with quick and deep scan modes, outputting actionable findings per category.
Audits source code against OWASP Top 10 (2021) vulnerabilities — broken access control, injection, SSRF, cryptographic failures, and more. Useful when reviewing application security or checking for common weaknesses.
Usage examples:
/audit-security — Full OWASP Top 10 audit (standard depth)
/audit-security --quick --scope=current-pr — Pre-commit security check
/audit-security --comprehensive --format=summary — Pre-release deep audit with executive summary
/audit-security --standard --format=sarif — Security tools integration
/audit-security xss — Legacy focus area (still supported)

Depth options:
--quick — OWASP Top 3 only (~5 min): SQL injection, XSS, auth issues
--standard — OWASP Top 10 (default, ~15 min)
--comprehensive — OWASP Top 10 + CVE scanning + config review (~30 min)

Scope options:
--scope=current-pr — Only files changed in current PR
--scope=user-input — Forms, queries, file uploads, API endpoints
--scope=auth — Authentication/authorization logic
--scope=api — API endpoints and integrations
--scope=module=<name> — Specific module/directory
--scope=file=<path> — Single file
--scope=entire — Full codebase (default)

Format options:
--format=report — Detailed security report with remediation steps (default)
--format=json — Structured JSON for CI/CD
--format=summary — Executive summary with risk assessment
--format=sarif — SARIF format for security tools integration

Severity options:
--min-severity=high — Only high and critical issues
--min-severity=medium — Medium, high, and critical (default)
--min-severity=low — All findings including informational

Legacy focus areas: injection, xss, csrf, auth, encryption, dependencies
When Task() or bash tools are unavailable, perform security analysis directly:
Save the report to audit-security-YYYY-MM-DD-HHMM.md and present the path to the user.
Supported checks in Tier 1: code pattern analysis for OWASP Top 10, CMS-specific vulnerability patterns.
When running in Claude Code with Task() available:
For --scope=current-pr:
git diff --name-only origin/main...HEAD | grep -E '\.(php|tsx?|jsx?|sql)$'
For --scope=user-input: find *Form*.php, *Controller*.php, *API*.php
For --scope=auth: find *Auth*.php, *Login*.php, *Permission*.php

Task(cms-cultivator:security-specialist:security-specialist,
prompt="Perform comprehensive OWASP security audit with:
- Depth mode: {depth}
- Scope: {scope}
- Format: {format}
- Minimum severity: {min_severity}
- Focus area: {focus or 'complete audit'}
- Files to analyze: {file_list}
Scan for OWASP Top 10 vulnerabilities, check input validation and output encoding, analyze authentication/authorization, review CMS-specific security for Drupal and WordPress, and check dependencies for CVEs. Save report to audit-security-YYYY-MM-DD-HHMM.md and present the file path.")
Drupal: Form API CSRF tokens, db_query() with placeholders, render API XSS prevention, node access system, permissions.yml review
WordPress: $wpdb->prepare(), nonce verification, capability checks, sanitize_/esc_ usage, wp_verify_nonce(), update_option() security
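The following is an added example, not code from the cms-cultivator skill or the kanopi/claude-toolbox project. It sketches what the Tier 1 fallback described above (code pattern analysis when no agent is available) looks like in practice: scope narrowing in the spirit of the --scope file selection, a few regex rules for the Drupal and WordPress patterns listed ($wpdb->prepare(), db_query() placeholders, esc_ output encoding, capability checks), a --min-severity cut-off, and a minimal --format=sarif document. The rule ids, the regexes, the guard-window heuristic and the sample PHP sources are all constructed for illustration; a real run would read files from disk or from git diff --name-only for --scope=current-pr.

```python
"""Toy Tier-1 pattern scan (added example; rule ids, regexes, window size and
sample files are constructed, not from the cms-cultivator skill)."""
import fnmatch
import json
import os
import re
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}

# (rule id, OWASP category, severity, risky pattern, guard pattern, lookback)
# A hit is suppressed when the guard appears on the same line or within
# `lookback` preceding lines (crude, but typical of a first-pass grep scan).
RULES = [
    ("WP-SQL-RAW", "A03:2021-Injection", "critical",
     re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row)\s*\(.*\$_(?:GET|POST|REQUEST)"),
     re.compile(r"\$wpdb->prepare\s*\("), 0),
    ("DRUPAL-SQL-CONCAT", "A03:2021-Injection", "critical",
     re.compile(r"db_query\s*\(.*\.\s*\$"), None, 0),  # concatenation, not :placeholders
    ("WP-XSS-ECHO", "A03:2021-Injection", "high",
     re.compile(r"echo\s+.*\$_(?:GET|POST|REQUEST)"),
     re.compile(r"\besc_(?:html|attr|url|js)\s*\("), 0),
    ("WP-OPTION-NOCAP", "A01:2021-Broken Access Control", "medium",
     re.compile(r"update_option\s*\("), re.compile(r"current_user_can\s*\("), 5),
]

SCOPE_GLOBS = {  # mirrors the find patterns for --scope=user-input / --scope=auth
    "user-input": ["*Form*.php", "*Controller*.php", "*API*.php"],
    "auth": ["*Auth*.php", "*Login*.php", "*Permission*.php"],
}
PR_EXT = re.compile(r"\.(php|tsx?|jsx?|sql)$")


@dataclass
class Finding:
    rule_id: str
    category: str
    severity: str
    path: str
    line: int
    snippet: str


def select_files(paths, scope="entire"):
    """Narrow a candidate file list the way the --scope options describe."""
    if scope == "entire":
        return list(paths)
    if scope == "current-pr":  # caller passes the changed-file list from git
        return [p for p in paths if PR_EXT.search(p)]
    if scope.startswith("file="):
        return [p for p in paths if p == scope[len("file="):]]
    if scope.startswith("module="):
        return [p for p in paths if scope[len("module="):] in p.split("/")]
    return [p for p in paths
            if any(fnmatch.fnmatch(os.path.basename(p), g) for g in SCOPE_GLOBS[scope])]


def scan(files, min_severity="medium"):
    """files: {path: source}. Returns findings at or above min_severity."""
    findings = []
    for path, source in files.items():
        lines = source.splitlines()
        for idx, line in enumerate(lines):
            for rule_id, category, severity, risky, guard, lookback in RULES:
                if SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
                    continue
                window = "\n".join(lines[max(0, idx - lookback): idx + 1])
                if risky.search(line) and not (guard and guard.search(window)):
                    findings.append(Finding(rule_id, category, severity, path, idx + 1, line.strip()))
    return sorted(findings, key=lambda f: (f.path, f.line))


def summary(findings):
    """Counts per severity: the raw material for --format=summary."""
    return dict(Counter(f.severity for f in findings))


def to_sarif(findings, tool_name="tier1-pattern-scan"):
    """Minimal SARIF 2.1.0 document for --format=sarif consumers."""
    rules = [{"id": r[0], "shortDescription": {"text": r[1]}} for r in RULES]
    results = [{"ruleId": f.rule_id, "level": SARIF_LEVEL[f.severity],
                "message": {"text": f"{f.category}: {f.snippet}"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path},
                                                    "region": {"startLine": f.line}}}]}
               for f in findings]
    return {"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}]}


# Constructed sample sources: each risky line sits next to its mitigated form.
SAMPLE_FILES = {
    "wp-content/plugins/demo/admin/SettingsController.php": "\n".join([
        "<?php",
        "// constructed sample for the scanner above",
        "update_option('demo_flag', $_POST['flag']);",  # no capability check nearby
        "$rows = $wpdb->get_results(\"SELECT * FROM t WHERE id = \" . $_GET['id']);",
        "$safe = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM t WHERE id = %d\", $_GET['id']));",
        "if (!current_user_can('manage_options')) { wp_die('forbidden'); }",
        "update_option('demo_setting', sanitize_text_field($_POST['v']));",  # guarded
        "echo '<p>' . $_GET['msg'] . '</p>';",
        "echo esc_html($_GET['msg']);",
    ]),
    "modules/custom/demo/src/Form/DemoForm.php": "\n".join([
        "<?php",
        "$r = db_query(\"SELECT nid FROM {node} WHERE title = '\" . $title . \"'\");",
        "$r = db_query('SELECT nid FROM {node} WHERE title = :t', [':t' => $title]);",
    ]),
}

if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for h in hits:
        print(f"{h.severity:8} {h.rule_id:18} {h.path}:{h.line}  {h.snippet}")
    print(json.dumps(summary(hits)), json.dumps(to_sarif(hits))[:120] + "...")
```

Running the block flags four lines (the two concatenated queries, the unguarded update_option() and the unescaped echo) and stays silent on their prepared, escaped and capability-checked neighbours; raising --min-severity to high drops the medium access-control hit. The per-line regexes are the kind of check a Tier 1 pass can afford; the Drupal rule in particular cannot see whether a placeholder array follows on the next line, which is why the deeper agent-driven tiers exist.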