Skill

code-security

Performs security audits with dependency scans (npm audit, pip-audit, cargo-audit), checklists for OWASP top 10 issues like SQL injection, XSS, auth flaws, and fixes in JavaScript, Python, Rust code.

Javascript

Python

Rust

Node

security

npx claudepluginhub martinffx/atelier --plugin python

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Security audit workflow and checklist.

Supporting Assets

references/owasp-top-10.mdreferences/security-tools.mdreferences/vulnerability-patterns.md

SKILL.md

Similar Skills

scan

Scans code for security vulnerabilities like auth bypass, injection, IDOR, mass assignment, race conditions, secrets, and insecure defaults. Audits Node.js/Python dependencies.

1 file5 tools

universe

security-scanner

Scans code for hardcoded secrets like API keys, SQL injection, XSS, insecure dependencies via npm/pip/cargo audits, and OWASP Top 10 issues using grep and bash.

1 file4 tools

glincker-claude-code-marketplace

security-ops

Orchestrates parallel security audits with dependency scanning (pip-audit, npm audit), SAST pattern detection, and auth/config reviews. Consolidates into OWASP-mapped severity reports.

7 files1 tool

claude-mods

Stats

Stars19

Forks2

Last CommitApr 12, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Code Security

Security audit workflow and checklist.

The Workflow

1. Scan

Run automated security tools.

# Check dependencies
npm audit
pip audit
cargo audit

# Run security scanner
trivy fs .
snyk test

2. Review

Manual code review against checklist.

See references/owasp-top-10.md for common vulnerabilities.

3. Fix

Remediate vulnerabilities found.

4. Verify

Re-scan to confirm fixes.

Security Checklist

Injection

Check	Pattern
SQL	Parameterized queries
Command	No shell execution with user input
XSS	Escape/validate output
LDAP	Escape DN components

Authentication

Check	Pattern
Passwords	Hash with bcrypt/argon2
Sessions	Secure, httpOnly cookies
Tokens	Short-lived, proper validation
MFA	Consider for sensitive ops

Data Protection

Check	Pattern
Secrets	Never in code
PII	Encrypt at rest
Transport	HTTPS only
Logs	No sensitive data

Dependencies

Check	Pattern
Vulnerabilities	Scan regularly
Outdated	Update promptly
Sources	Trusted packages only

Common Vulnerabilities

See references/vulnerability-patterns.md for detailed patterns:

SQL Injection

# BAD
query = f"SELECT * FROM users WHERE id = {user_id}"

# GOOD
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))

XSS

// BAD
element.innerHTML = userInput;

// GOOD
element.textContent = userInput;
// or
element.setAttribute('title', sanitize(userInput))

Command Injection

# BAD
os.system(f"ping {host}")

# GOOD
subprocess.run(['ping', host])

Hardcoded Secrets

// BAD
const apiKey = "sk_live_12345";

// GOOD (environment variable)
const apiKey = process.env.API_KEY;

Tools

See references/security-tools.md for setup and usage:

Tool	Ecosystem	Purpose
npm audit	Node.js	Dependency vulnerabilities
pip-audit	Python	Dependency vulnerabilities
cargo-audit	Rust	Dependency vulnerabilities
Snyk	Multi	Vulnerability scanning
Trivy	Multi	Container/infra scanning
OWASP ZAP	Multi	Web app scanning
bandit	Python	Static analysis
ESLint security	JS/TS	Static analysis

Output Format

After security audit:

## Security Audit

### Scan Results
- Dependencies: 0 vulnerabilities
- Static analysis: 1 issue found

### Issues Found

| Severity | Issue | Location | Fix |
|----------|-------|----------|-----|
| High | SQL injection | users.py:42 | Use parameterized query |
| Medium | Hardcoded secret | config.js:5 | Use env var |

### Recommendations
1. Enable 2FA for admin accounts
2. Rotate API keys quarterly
3. Set up automated dependency scanning

Skill Loading

For database issues → load python-sqlalchemy or typescript-drizzle-orm
For auth issues → load relevant auth patterns
For deployment security → load infra skills if available