Use when conducting security assessments, OWASP/CWE audits, CVSS scoring, auditing PHP/TYPO3 projects for vulnerabilities, scanning dependencies, or reviewing code for security concerns.
From: security-audit. Install with:

```bash
npx claudepluginhub fabiensalles/claude-marketplace --plugin security-audit
```

Skill files:

- checkpoints.yaml
- evals/evals.json
- references/api-key-encryption.md
- references/authentication-patterns.md
- references/automated-scanning.md
- references/ci-security-pipeline.md
- references/cryptography-guide.md
- references/cve-patterns.md
- references/cvss-scoring.md
- references/cwe-top25.md
- references/deserialization-prevention.md
- references/error-message-sanitization.md
- references/file-upload-security.md
- references/framework-security.md
- references/gha-security.md
- references/input-validation.md
- references/modern-attacks.md
- references/owasp-top10.md
- references/path-traversal-prevention.md
- references/php-security-features.md
Security audit patterns (OWASP Top 10, CWE Top 25 2025, CVSS v4.0) and GitHub project security checks. Deep PHP/TYPO3 code scanning with 80+ checkpoints and 19 reference guides.
Reference guides:

- owasp-top10.md, cwe-top25.md, xxe-prevention.md, cvss-scoring.md, api-key-encryption.md
- deserialization-prevention.md, path-traversal-prevention.md, file-upload-security.md, input-validation.md
- error-message-sanitization.md (API key redaction, exception hierarchy)
- authentication-patterns.md, security-headers.md, security-logging.md, cryptography-guide.md
- framework-security.md (TYPO3, Symfony, Laravel)
- modern-attacks.md, cve-patterns.md, php-security-features.md
- ci-security-pipeline.md, supply-chain-security.md, automated-scanning.md, gha-security.md
- supply-chain-incident-response.md

All files are located in references/.
XML parsing (prevent XXE):

```php
// LIBXML_NONET blocks network fetches during parsing; never add LIBXML_NOENT,
// which turns on entity substitution and re-enables external entity expansion.
$doc = new DOMDocument();
$doc->loadXML($input, LIBXML_NONET);
```

SQL (prevent injection):

```php
// Prepared statement: $id is bound as data and never concatenated into the query text.
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
```

Output (prevent XSS):

```php
// Escape at output time for an HTML body/attribute context; ENT_QUOTES also escapes single quotes.
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

API keys (encrypt at rest):

```php
// $key must be exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) bytes and come from a secret store.
// The nonce is generated fresh for every value and stored alongside the ciphertext.
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));
```

Password hashing:

```php
// Argon2id with PHP's default cost parameters; check with password_verify()
// and re-hash on login when password_needs_rehash() reports stale parameters.
$hash = password_hash($password, PASSWORD_ARGON2ID);
```

Secure randomness (NOT mt_rand/rand):

```php
// random_bytes() is CSPRNG-backed; 32 bytes gives a 256-bit token, hex-encoded for transport.
$token = bin2hex(random_bytes(32));
```
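The API-key snippet above only shows the encrypt side. The following is an added example, not code from the skill or its references, that round-trips a key through the same `enc:` + base64(nonce || ciphertext) layout and shows the decrypt side failing closed on a missing prefix, a malformed value, or a tampered ciphertext. Function names (`encryptApiKey`, `decryptApiKey`) and the sample key value are assumptions; it needs PHP 8+ with ext-sodium.

```php
<?php
declare(strict_types=1);

// Added example, not the skill's own code: encrypt/decrypt an API key using
// libsodium secretbox in the "enc:" + base64(nonce || ciphertext) layout.
// Function names are assumptions; requires PHP 8+ and ext-sodium.

const ENC_PREFIX = 'enc:';

function encryptApiKey(string $apiKey, string $key): string
{
    // The key comes from a secret store (env var, KMS), never from the repository.
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes');
    }
    // Fresh nonce per value: nonce reuse under one key breaks secretbox's guarantees.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($apiKey, $nonce, $key);
    return ENC_PREFIX . base64_encode($nonce . $ciphertext);
}

function decryptApiKey(string $stored, string $key): string
{
    if (!str_starts_with($stored, ENC_PREFIX)) {
        // A plaintext value in the store is a finding, not something to accept silently.
        throw new RuntimeException('value is not in enc: format');
    }
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a wrong key or any modified byte yields false.
    $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Constructed demo: throwaway key and a made-up API key value.
$key = sodium_crypto_secretbox_keygen();
$apiKey = 'sk_live_example_0123456789';
$stored = encryptApiKey($apiKey, $key);
echo decryptApiKey($stored, $key) === $apiKey ? "round trip ok\n" : "round trip FAILED\n";

// Flip one bit in the last ciphertext byte: must be rejected, not decrypted to garbage.
$raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptApiKey(ENC_PREFIX . base64_encode($raw), $key);
    echo "BUG: tampered value accepted\n";
} catch (RuntimeException $e) {
    echo "tamper detected: {$e->getMessage()}\n";
}
sodium_memzero($key);
```

The `enc:` prefix lets an audit distinguish migrated values from plaintext left behind in the same column; the decrypt routine treats a missing prefix as an error rather than returning the raw value, so a half-migrated store surfaces as a failure instead of a silent leak.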
For scanning tools (semgrep, trivy, gitleaks), see references/automated-scanning.md.
- `semgrep --config auto`: no high-severity findings
- `trivy fs --severity HIGH,CRITICAL`: no unpatched CVEs
- `gitleaks detect`: no leaked secrets
- No `${{ inputs.* }}` or `${{ github.event.* }}` expressions inside `run:` blocks; pass them through `env:` instead
- See references/gha-security.md for patterns and examples

```bash
# PHP project security audit
./scripts/security-audit.sh /path/to/project

# GitHub repository security audit
./scripts/github-security-audit.sh owner/repo
```
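To make the `run:` check concrete, here is an added example (not taken from references/gha-security.md) of the same step written the injectable way and the safe way. The workflow, job, step and input names are made up.

```yaml
# Added example, not the skill's own workflow. Names are made up.
on:
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to inspect"
        required: true

jobs:
  inspect:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: the ${{ }} expression is substituted into the script text before
      # bash runs it. An input such as   "; id; echo "   closes the quotes and
      # runs `id` as a command. The same applies to ${{ github.event.* }} fields
      # such as a pull request title or branch name.
      - name: Unsafe interpolation (do not copy)
        run: git log -1 --format=%H "${{ inputs.branch }}"

      # SAFE: the value reaches bash as an environment variable, i.e. as data.
      # Quoting rules apply and the script text is never rewritten.
      - name: Safe via env
        env:
          BRANCH: ${{ inputs.branch }}
        run: |
          # env: stops shell injection, but the value is still attacker-chosen;
          # reject anything that is not a plausible ref name or looks like an option.
          if [[ ! "$BRANCH" =~ ^[A-Za-z0-9._/-]+$ || "$BRANCH" == -* ]]; then
            echo "refusing suspicious branch name"; exit 1
          fi
          git log -1 --format=%H "$BRANCH"
```

The `env:` form is what the `gitleaks`/`semgrep`-style checks above cannot catch on their own; grep workflows for `${{` inside `run:` blocks, and treat any `github.event.*` field (titles, bodies, branch names, commit messages) as untrusted input even after moving it into `env:`.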
Contributing: https://github.com/netresearch/security-audit-skill