Skill

owasp-security

Security code review using OWASP Top 10:2025 standards. Use when reviewing auth code, payment logic, user input handling, or when someone says "security review", "check for vulnerabilities", "OWASP check", or "is this code secure?".

From claude-code-handbook

Install

Run in your terminal

npx claudepluginhub lioartoil/claude-code-handbook

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

references/agentic-ai-security.md

references/secure-code-patterns.md

Skill Content

Similar Skills

executing-plans

Executes pre-written implementation plans: critically reviews, follows bite-sized steps exactly, runs verifications, tracks progress with checkpoints, uses git worktrees, stops on blockers.

superpowers

141.2k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

141.2k

brainstorming

7 files

Guides idea refinement into designs: explores context, asks questions one-by-one, proposes approaches, presents sections for approval, writes/review specs before coding.

superpowers

141.2k

Stats

Stars0

Forks0

Last CommitApr 5, 2026

Actions

View Source View Plugin View on GitHub View README

#	Vulnerability	Key Prevention
A01	Broken Access Control	Deny by default, enforce server-side, verify ownership
A02	Security Misconfiguration	Harden configs, disable defaults, minimize features
A03	Supply Chain Failures	Lock versions, verify integrity, audit dependencies
A04	Cryptographic Failures	TLS 1.2+, AES-256-GCM, Argon2/bcrypt for passwords
A05	Injection	Parameterized queries, input validation, safe APIs
A06	Insecure Design	Threat model, rate limit, design security controls
A07	Auth Failures	MFA, check breached passwords, secure sessions
A08	Integrity Failures	Sign packages, SRI for CDN, safe serialization
A09	Logging Failures	Log security events, structured format, alerting
A10	Exception Handling	Fail-closed, hide internals, log with context

Situation	Action
Code language not covered in patterns	Apply OWASP principles generically; note the gap
Minified/bundled code	Flag as unreviewable; request source
No auth code found	Confirm auth is handled elsewhere; don't assume secure
Third-party library vulnerability	Check CVE databases; note version and known issues
Insufficient context	List assumptions made; request clarification

#	Vulnerability	Key Prevention
A01	Broken Access Control	Deny by default, enforce server-side, verify ownership
A02	Security Misconfiguration	Harden configs, disable defaults, minimize features
A03	Supply Chain Failures	Lock versions, verify integrity, audit dependencies
A04	Cryptographic Failures	TLS 1.2+, AES-256-GCM, Argon2/bcrypt for passwords
A05	Injection	Parameterized queries, input validation, safe APIs
A06	Insecure Design	Threat model, rate limit, design security controls
A07	Auth Failures	MFA, check breached passwords, secure sessions
A08	Integrity Failures	Sign packages, SRI for CDN, safe serialization
A09	Logging Failures	Log security events, structured format, alerting
A10	Exception Handling	Fail-closed, hide internals, log with context

Situation	Action
Code language not covered in patterns	Apply OWASP principles generically; note the gap
Minified/bundled code	Flag as unreviewable; request source
No auth code found	Confirm auth is handled elsewhere; don't assume secure
Third-party library vulnerability	Check CVE databases; note version and known issues
Insufficient context	List assumptions made; request clarification

owasp-security

Install

Tool Access

Supporting Assets

Skill Content

Similar Skills

owasp-security

Install

Tool Access

Supporting Assets

Skill Content

OWASP Security Review

Quick Reference: OWASP Top 10:2025

Security Code Review Checklist

Input Handling

Authentication & Sessions

Access Control

Data Protection

Error Handling

Review Process

Error Handling

Similar Skills

OWASP Security Review

Quick Reference: OWASP Top 10:2025

Security Code Review Checklist

Input Handling

Authentication & Sessions

Access Control

Data Protection

Error Handling

Review Process

Error Handling