Security auditing and vulnerability detection using OWASP patterns, CWE analysis, and threat modeling. Use when auditing code for security issues, reviewing authentication/authorization, evaluating input validation, analyzing cryptographic usage, reviewing dependency security, or when security-audit, vulnerability-scan, OWASP, threat-model, or --security are mentioned.
/plugin marketplace add outfitter-dev/agents/plugin install baselayer@outfitterThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/owasp-top-10.mdThreat-aware code review → vulnerability detection → risk-ranked remediation.
<when_to_use>
NOT for: performance optimization, general code review without security focus, feature implementation </when_to_use>
<phases> Track with TodoWrite. Phases build comprehensive security assessment.| Phase | Trigger | activeForm |
|---|---|---|
| Threat Model | Session start, feature review | "Building threat model" |
| Attack Surface | Threat model complete | "Mapping attack surface" |
| Vulnerability Scan | Attack surface mapped | "Scanning for vulnerabilities" |
| Risk Assessment | Vulnerabilities identified | "Assessing risk levels" |
| Remediation Plan | Risks assessed | "Planning remediation" |
Workflow:
in_progresscompleted, add next in_progress<severity_levels> Risk indicator with CVSS-aligned severity:
◆◆ Critical (9.0–10.0)
◆ High (7.0–8.9)
◇ Medium (4.0–6.9)
△ Low (0.1–3.9)
Use indicators in findings: "◆◆ Remote code execution via unsanitized shell command" </severity_levels>
<threat_modeling>
Spoofing — can attacker impersonate users/systems?
Tampering — can attacker modify data?
Repudiation — can actions be denied?
Information Disclosure — can attacker access sensitive data?
Denial of Service — can attacker disrupt service?
Elevation of Privilege — can attacker gain unauthorized access?
Map attack paths from goal to entry points:
Goal: Steal user credentials
├─ Attack login endpoint
│ ├─ SQL injection in username field
│ ├─ Brute force (no rate limiting)
│ └─ Session fixation
├─ Intercept network traffic
│ ├─ HTTPS downgrade
│ └─ Man-in-the-middle
└─ Social engineering
├─ Phishing (out of scope)
└─ Password reset exploit
For each branch, assess:
<attack_surface>
External Interfaces:
Data Inputs:
Authentication Boundaries:
Trust Boundaries:
For each entry point document:
Prioritize review:
<vulnerability_patterns>
SQL Injection:
// VULNERABLE
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
// SECURE — parameterized queries
const query = 'SELECT * FROM users WHERE email = ?';
db.execute(query, [userEmail]);
XSS (Cross-Site Scripting):
// VULNERABLE — direct HTML insertion
element.innerHTML = userInput;
// SECURE — sanitized or use textContent
element.textContent = userInput;
// OR use DOMPurify for rich content
element.innerHTML = DOMPurify.sanitize(userInput);
Command Injection:
// VULNERABLE
exec(`convert ${userFilename} output.png`);
// SECURE — parameterized or whitelist
execFile('convert', [userFilename, 'output.png']);
Path Traversal:
// VULNERABLE
const filePath = `/uploads/${userFileName}`;
// SECURE — validate and normalize
const safeName = path.basename(userFileName);
const filePath = path.join('/uploads', safeName);
if (!filePath.startsWith('/uploads/')) {
throw new Error('Invalid path');
}
XML External Entity (XXE):
// VULNERABLE
const parser = new DOMParser();
const doc = parser.parseFromString(xmlInput, 'text/xml');
// SECURE — disable external entities
const parser = new DOMParser({
locator: {},
errorHandler: {},
// Disable DTD processing
entityResolver: () => null,
});
Password Storage:
// VULNERABLE — plain text or weak hash
const hash = md5(password);
// SECURE — bcrypt/argon2 with salt
const hash = await bcrypt.hash(password, 12);
Session Management:
// VULNERABLE — predictable session IDs
const sessionId = userId + Date.now();
// SECURE — cryptographically random
const sessionId = crypto.randomBytes(32).toString('hex');
// Add security attributes
res.cookie('session', sessionId, {
httpOnly: true,
secure: true, // HTTPS only
sameSite: 'strict',
maxAge: 3600000, // 1 hour
});
JWT Handling:
// VULNERABLE — no signature verification
const payload = JSON.parse(atob(token.split('.')[1]));
// SECURE — verify signature
const payload = jwt.verify(token, SECRET_KEY, {
algorithms: ['HS256'], // Specify allowed algorithms
issuer: 'your-app',
audience: 'your-api',
});
Password Reset:
// VULNERABLE — predictable tokens
const resetToken = userId + '-' + Date.now();
// SECURE — cryptographically random with expiry
const resetToken = crypto.randomBytes(32).toString('hex');
await db.execute(
'INSERT INTO reset_tokens (user_id, token, expires_at) VALUES (?, ?, ?)',
[userId, await bcrypt.hash(resetToken, 10), Date.now() + 3600000]
);
Broken Access Control:
// VULNERABLE — client-side only check
if (user.isAdmin) {
// show admin panel
}
// SECURE — server-side enforcement
app.get('/admin/users', requireAdmin, (req, res) => {
// Verify on every request
if (!req.user?.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
// Admin operation
});
Insecure Direct Object Reference (IDOR):
// VULNERABLE — no ownership check
app.get('/api/documents/:id', async (req, res) => {
const doc = await db.getDocument(req.params.id);
res.json(doc);
});
// SECURE — verify ownership
app.get('/api/documents/:id', async (req, res) => {
const doc = await db.getDocument(req.params.id);
if (doc.userId !== req.user.id && !req.user.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
res.json(doc);
});
Privilege Escalation:
// VULNERABLE — role from client input
app.post('/api/users', async (req, res) => {
const user = await createUser({
...req.body, // Includes role: 'admin' from malicious client
});
});
// SECURE — explicit allowlist
app.post('/api/users', async (req, res) => {
const allowedFields = ['name', 'email', 'password'];
const userData = pick(req.body, allowedFields);
const user = await createUser({
...userData,
role: 'user', // Server controls role
});
});
Weak Algorithms:
// VULNERABLE — deprecated algorithms
const hash = crypto.createHash('md5').update(data).digest('hex');
const cipher = crypto.createCipher('des', key);
// SECURE — modern algorithms
const hash = crypto.createHash('sha256').update(data).digest('hex');
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
Hardcoded Secrets:
// VULNERABLE
const API_KEY = 'sk-1234567890abcdef';
const DB_PASSWORD = 'admin123';
// SECURE — environment variables
const API_KEY = process.env.API_KEY;
const DB_PASSWORD = process.env.DB_PASSWORD;
if (!API_KEY || !DB_PASSWORD) {
throw new Error('Missing required environment variables');
}
Insufficient Randomness:
// VULNERABLE — predictable
const token = Math.random().toString(36);
// SECURE — cryptographically secure
const token = crypto.randomBytes(32).toString('hex');
Sensitive Data in Logs:
// VULNERABLE
logger.info('User login', { email, password, ssn });
// SECURE — redact sensitive fields
logger.info('User login', {
email,
password: '[REDACTED]',
ssn: '[REDACTED]',
});
Error Message Disclosure:
// VULNERABLE — exposes internals
catch (err) {
res.status(500).json({ error: err.stack });
}
// SECURE — generic message
catch (err) {
logger.error('Internal error', err);
res.status(500).json({ error: 'Internal server error' });
}
Timing Attacks:
// VULNERABLE — early exit leaks info
if (user.password !== inputPassword) {
return false;
}
// SECURE — constant-time comparison
return crypto.timingSafeEqual(
Buffer.from(user.password),
Buffer.from(inputPassword)
);
</vulnerability_patterns>
<owasp_top_10> 2021 OWASP Top 10 — primary vulnerability categories.
A01:2021 – Broken Access Control
CWE: 200, 201, 352, 359, 377, 402, 425, 639, 759, 639, 918, 1275
A02:2021 – Cryptographic Failures
CWE: 259, 327, 331
A03:2021 – Injection
CWE: 20, 74, 75, 77, 78, 79, 80, 83, 89, 91, 93, 94, 95, 96, 97, 183, 184
A04:2021 – Insecure Design
CWE: 209, 256, 257, 266, 269, 280, 311, 312, 313, 316, 419, 430, 434, 444
A05:2021 – Security Misconfiguration
CWE: 2, 11, 13, 15, 16, 260, 315, 520, 526, 537, 541, 547, 611, 614, 756, 776
A06:2021 – Vulnerable & Outdated Components
CWE: 1035, 1104
A07:2021 – Identification & Authentication Failures
CWE: 287, 288, 290, 294, 295, 297, 300, 302, 304, 306, 307, 346, 384, 521, 613, 640, 798, 940, 1216
A08:2021 – Software & Data Integrity Failures
CWE: 345, 353, 426, 494, 502, 565, 784, 829
A09:2021 – Security Logging & Monitoring Failures
CWE: 117, 223, 532, 778
A10:2021 – Server-Side Request Forgery (SSRF)
CWE: 918
See owasp-top-10.md for detailed breakdowns. </owasp_top_10>
<workflow> Loop: Model Threats → Map Surface → Scan Vulnerabilities → Assess Risk → Plan RemediationThreat Model — identify what could go wrong
Attack Surface — map entry points
Vulnerability Scan — systematic code review
Risk Assessment — severity and likelihood
Remediation Plan — prioritized fixes
Update todos as you progress through phases. </workflow>
<security_review_checklist> Before completing security review, verify:
Authentication:
Authorization:
Input Validation:
Cryptography:
Data Protection:
Dependencies:
Logging & Monitoring:
For each vulnerability found:
## {SEVERITY_INDICATOR} {VULNERABILITY_NAME}
**Category**: {OWASP_CATEGORY}
**CWE**: {CWE_IDS}
**Severity**: {CRITICAL/HIGH/MEDIUM/LOW}
### Location
- File: {FILE_PATH}
- Lines: {LINE_RANGE}
- Function: {FUNCTION_NAME}
### Description
{CLEAR_EXPLANATION_OF_VULNERABILITY}
### Impact
{WHAT_ATTACKER_COULD_DO}
### Proof of Concept
{CODE_SNIPPET_OR_STEPS_TO_EXPLOIT}
### Remediation
{SPECIFIC_FIX_WITH_CODE_EXAMPLE}
### References
- OWASP: {URL}
- CWE: {URL}
# Security Audit Report
**Date**: {DATE}
**Scope**: {COMPONENTS_REVIEWED}
**Reviewer**: {NAME}
## Executive Summary
{HIGH_LEVEL_OVERVIEW}
## Risk Summary
- Critical (◆◆): {COUNT}
- High (◆): {COUNT}
- Medium (◇): {COUNT}
- Low (△): {COUNT}
## Key Findings
{TOP_3_MOST_CRITICAL}
## Detailed Findings
{FULL_VULNERABILITY_LIST}
## Recommendations
{PRIORITIZED_REMEDIATION_PLAN}
## Conclusion
{OVERALL_SECURITY_POSTURE_ASSESSMENT}
NEVER:
Related skills:
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.