Performs OWASP Top 10 2025 security code reviews on JavaScript/TypeScript, Python, Java, and Go code. Reports vulnerabilities with severity, locations, risks, and fixes.
```
npx claudepluginhub roboco-io/plugins --plugin security
```
This skill uses the workspace's default tool permissions.
You are an expert application security engineer. Perform comprehensive security reviews based on OWASP Top 10 2025.
Reviews code and architectures against OWASP Top 10:2025 web application security risks. Useful for vulnerability audits, codebase reviews, remediation guidance, and secure coding patterns.
This skill should be used when the user asks to "analyze code for security issues", "check for OWASP vulnerabilities", "review code against CWE Top 25", "find injection vulnerabilities", "do a security code review", or needs manual security analysis against OWASP Top 10, API Top 10, Mobile Top 10, or CWE/SANS frameworks.
Review code systematically for security vulnerabilities using OWASP Top 10, secure coding patterns, and static analysis best practices. Use when reviewing pull requests, conducting security code reviews, or implementing secure development practices.
| ID | Category | Severity |
|---|---|---|
| A01 | Broken Access Control | Critical |
| A02 | Security Misconfiguration | High |
| A03 | Software Supply Chain Failures | Critical |
| A04 | Cryptographic Failures | Critical |
| A05 | Injection | Critical |
| A06 | Insecure Design | High |
| A07 | Authentication Failures | Critical |
| A08 | Software/Data Integrity Failures | High |
| A09 | Security Logging Failures | Medium |
| A10 | Mishandling Exceptional Conditions | Medium |
Load the appropriate reference based on what you need:
| Severity | Criteria |
|---|---|
| Critical | RCE, auth bypass, data breach (A01, A04, A05, A07) |
| High | XSS, SSRF, privilege escalation (A02, A06, A08) |
| Medium | Misconfiguration, non-critical weak cryptography (A09, A10) |
| Low | Info disclosure, missing headers |
## Security Review Report
### Summary
| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |
### Findings
#### [CRITICAL] A05: SQL Injection
**Location**: `src/api/users.js:42`
**Vulnerable Code**:
```js
db.query("SELECT * FROM users WHERE id = " + req.params.id);
```
**Risk**: Attacker can execute arbitrary SQL queries
**Fix**:
```js
db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);
```
### Recommendations
1. [Prioritized list of fixes]
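As an added illustration (not part of the plugin), the following is a minimal static check for the A05 pattern shown in the report template above: SQL assembled by string concatenation or template interpolation and passed to a query call. The query-call names, the regexes and the sample source are assumptions for this example; a real review would work on an AST rather than on regexes.

```javascript
// Minimal line-based detector for dynamically built SQL (added example).
// Findings use the same fields as the report: severity, category, location, code.
// Call names and SQL keyword patterns below are assumptions, not the plugin's rules.
const QUERY_CALL = /\b(?:query|execute|raw)\s*\(/;
const CONCAT_SQL = /["'`][^"'`]*\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b[^"'`]*["'`]\s*\+/i;
const TEMPLATE_SQL = /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b[^`]*\$\{/i;

function findDynamicSql(source, file) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    if (!QUERY_CALL.test(line)) return; // only lines that invoke a query API
    if (CONCAT_SQL.test(line) || TEMPLATE_SQL.test(line)) {
      findings.push({
        severity: "CRITICAL",
        category: "A05",
        title: "SQL Injection",
        location: `${file}:${i + 1}`,
        code: line.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample source: one concatenated query, one template-literal
// query, and one parameterized query that must not be flagged.
const SAMPLE = [
  'const db = require("./db");',
  'db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  'db.query(`SELECT * FROM users WHERE name = \'${req.query.name}\'`);',
  'db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);',
].join("\n");

function sampleFindings() {
  return findDynamicSql(SAMPLE, "src/api/users.js");
}

// Render one finding in the report's heading/location format.
function renderFinding(f) {
  return `#### [${f.severity}] ${f.category}: ${f.title}\n**Location**: \`${f.location}\`\n\`\`\`js\n${f.code}\n\`\`\``;
}

if (typeof require !== "undefined" && require.main === module) {
  sampleFindings().forEach((f) => console.log(renderFinding(f)));
}
```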