Conducts security assessments covering OWASP Top 10, CWE Top 25, CVSS scoring, cloud/IaC (AWS, Azure, GCP, Terraform, K8s, Docker), PHP/TYPO3 v14.3, APIs, frontend, AI agent configs, and dependency scanning.
Install:
npx claudepluginhub fabiensalles/claude-marketplace --plugin security-audit

Triggered by slash command: /security-audit:security-audit

Skill listing summary (what Claude reads to decide when to auto-load this skill):
Security audit patterns (OWASP Top 10, LLM Top 10 2025, CWE Top 25 2025, CVSS v4.0), cloud/IaC checks, GitHub security. 80+ PHP/TYPO3 checkpoints (v14.3 LTS in `typo3-security.md`).
Skill files:
- checkpoints.yaml
- evals/evals.json
- references/android-sdk-security.md
- references/angular-security.md
- references/api-key-encryption.md
- references/api-security.md
- references/authentication-patterns.md
- references/automated-scanning.md
- references/aws-security.md
- references/azure-security.md
- references/blazor-security.md
- references/ci-security-pipeline.md
- references/cryptography-guide.md
- references/csharp-security-features.md
- references/cve-database.md
- references/cve-patterns.md
- references/cvss-scoring.md
- references/cwe-top25.md
- references/deserialization-prevention.md
- references/django-security.md

Conducts security audits using OWASP Top 10/API/LLM, CWE Top 25, CVSS scoring for PHP/TYPO3, APIs, frontend, Terraform/K8s/Docker IaC, AWS/Azure/GCP cloud, AI agents, dependencies.
Audits codebases for vulnerabilities, OWASP Top 10 issues, and security anti-patterns. Checks Claude Code file denial settings first and invokes security subagent.
Audits code for OWASP Top 10 vulnerabilities, detects secrets like API keys and DB credentials, scans dependencies for CVEs, reviews IaC and Docker for security risks.
Reference index (paths under references/, .md implied):
- `*-security-features` (per language): php, python, javascript-typescript, nodejs, java, csharp, go, rust, ruby
- `*-security` (per framework or platform): typo3, typo3-fluid, typo3-typoscript, symfony, laravel, django, flask, fastapi, spring, dotnet, blazor, rails, gin, react, vue, angular, nextjs, nuxt, express, nestjs

PHP quick patterns

XML parsing (prevent XXE):
$doc->loadXML($input, LIBXML_NONET); // never add LIBXML_NOENT or LIBXML_DTDLOAD for untrusted input
SQL (prevent injection):
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
Output (prevent XSS):
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
API keys, passwords, randomness:
// $key: SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes from sodium_crypto_secretbox_keygen(), kept outside the database
$n = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$enc = 'enc:' . base64_encode($n . sodium_crypto_secretbox($apiKey, $n, $key)); // nonce prepended so decryption can recover it
password_hash($pw, PASSWORD_ARGON2ID);
bin2hex(random_bytes(32)); // never mt_rand/rand
Automated scanners: references/automated-scanning.md.
- semgrep/opengrep
- trivy fs --severity HIGH,CRITICAL
- gitleaks: clean

GitHub Actions: never interpolate `${{ inputs.* }}` / `${{ github.event.* }}` into a `run:` script; pass the value through `env:` and reference it as a quoted shell variable (references/gha-security.md).

Scripts:
./scripts/security-audit-dispatcher.sh /path/to/project # auto-detect stack
./scripts/security-audit.sh /path/to/project # PHP-only
./scripts/github-security-audit.sh owner/repo # GH repo
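The GitHub Actions caveat above, shown as an added example (not part of the skill or its references): the runner expands `${{ ... }}` expressions textually before the shell ever reads the step script, so an attacker-controlled value such as an issue title becomes shell syntax. The script below simulates that expansion for one expression, runs the resulting script both ways, and shows that the `env:` form keeps the value as data. The placeholder expression and the payload are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: why ${{ github.event.* }} must not be pasted into run: scripts.
# The expansion function imitates the runner; it is not GitHub's implementation.

# Constructed attacker-controlled value, e.g. the title of an issue opened on the repo.
PAYLOAD='"; echo INJECTED; echo "'

# The runner substitutes the expression into the script text before the shell runs it.
# One occurrence is replaced here; the real runner expands every expression.
expand_template() {
  tpl=$1; val=$2; ph='${{ github.event.issue.title }}'
  case "$tpl" in
    *"$ph"*) printf '%s%s%s' "${tpl%%"$ph"*}" "$val" "${tpl#*"$ph"}" ;;
    *)       printf '%s' "$tpl" ;;
  esac
}

# Vulnerable step: the value lands inside the script, so its quote and semicolons
# are parsed as shell syntax and the attacker's command runs.
run_vulnerable() {
  script=$(expand_template 'echo "Title: ${{ github.event.issue.title }}"' "$1")
  sh -c "$script"
}

# Hardened step: the workflow passes the value via
#   env:
#     TITLE: ${{ github.event.issue.title }}
# and the script references "$TITLE" quoted, so the value stays data.
run_hardened() {
  TITLE="$1" sh -c 'echo "Title: $TITLE"'
}

# Returns 0 when INJECTED appears as a line of its own, i.e. attacker code executed.
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

echo "--- vulnerable run: step ---"
run_vulnerable "$PAYLOAD"
echo "--- hardened run: step ---"
run_hardened "$PAYLOAD"
```

The vulnerable run prints a bare INJECTED line because the payload closed the quoted string and started a new command; the hardened run prints the payload verbatim as the title.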
Dispatcher detects the stack from indicator files and runs matching scripts/scanners/*.sh (17 ecosystems; see references/ index).
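An added example of the indicator-file dispatch pattern described above. This is not the skill's security-audit-dispatcher.sh; the indicator-to-stack mapping, the `scanners/<stack>.sh` layout and the sample project are assumptions made for the demonstration. It handles two cases a practitioner cares about: a monorepo that matches several stacks, and a detected stack with no scanner, which is reported rather than silently skipped.

```shell
#!/bin/sh
# Added example: detect project stacks from indicator files and run one scanner per stack.
# Mapping and layout are hypothetical, not the project's own.

# Print one stack name per line for every indicator found directly in $1.
detect_stacks() {
  dir=$1
  [ -f "$dir/composer.json" ] && echo php
  [ -f "$dir/package.json" ]  && echo nodejs
  [ -f "$dir/go.mod" ]        && echo go
  [ -f "$dir/Cargo.toml" ]    && echo rust
  [ -f "$dir/Gemfile" ]       && echo ruby
  if [ -f "$dir/pyproject.toml" ] || [ -f "$dir/requirements.txt" ]; then echo python; fi
  [ -f "$dir/pom.xml" ]       && echo java
  [ -f "$dir/Dockerfile" ]    && echo docker
  ls "$dir"/*.tf >/dev/null 2>&1 && echo terraform
  return 0
}

# Run $scanners/<stack>.sh for each detected stack. A failing scan (findings) is
# counted but does not stop the remaining scanners; the return value is the number
# of stacks with findings, so 0 means every scanner ran clean.
dispatch() {
  dir=$1; scanners=${2:-./scripts/scanners}; failed=0
  for stack in $(detect_stacks "$dir"); do
    script="$scanners/$stack.sh"
    if [ ! -x "$script" ]; then
      echo "no scanner for $stack ($script missing)" >&2
      continue
    fi
    if "$script" "$dir"; then
      echo "$stack: ok"
    else
      echo "$stack: findings" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Constructed fixture: a PHP + Docker + Terraform monorepo and two stub scanners.
# php.sh exits 0 (clean), docker.sh exits 1 (findings), terraform has no scanner.
make_sample() {
  proj=$1; sc=$2
  mkdir -p "$proj" "$sc"
  : > "$proj/composer.json"; : > "$proj/Dockerfile"; : > "$proj/main.tf"
  printf '#!/bin/sh\nexit 0\n' > "$sc/php.sh"
  printf '#!/bin/sh\nexit 1\n' > "$sc/docker.sh"
  chmod +x "$sc/php.sh" "$sc/docker.sh"
}

tmp=$(mktemp -d)
make_sample "$tmp/project" "$tmp/scanners"
echo "detected: $(detect_stacks "$tmp/project" | tr '\n' ' ')"
dispatch "$tmp/project" "$tmp/scanners" || echo "stacks with findings: $?"
rm -rf "$tmp"
```

Running it detects php, docker and terraform, reports the missing terraform scanner on stderr, and exits the dispatch with 1 because the docker scan returned findings.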
Contributing: https://github.com/netresearch/security-audit-skill