From soundcheck
Maps security hotspots in codebases by scanning for auth, access control, data queries, crypto ops, external calls, and trust boundaries to prioritize reviews.
`npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck`

This skill uses the workspace's default tool permissions.
Audits code security using STRIDE threat modeling, attack trees, CVSS severity ranking, OWASP patterns, and CWE analysis for vulnerabilities in auth, inputs, crypto, and dependencies.
Scans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.
Performs exploitability review of targeted code, tracing untrusted inputs through validation/processing/output, checking authorization completeness like IDOR, using shieldkit_scan baseline.
Maps security-sensitive code so reviewers know where to focus. Missed hotspots mean entire attack surfaces go unreviewed.
This skill does not target a single antipattern — it identifies areas where vulnerabilities are statistically most likely:
Step 1 — Architecture summary. Read README*, ARCHITECTURE*, docs/, SECURITY*, and CONTRIBUTING*. Produce a 3–6 bullet summary: what the system does, major components, trust boundaries, auth model, data stores, external integrations. Without this framing you cannot tell a critical boundary from a helper.

Step 2 — Hotspot scan. Skip node_modules/, .venv/, dist/, build/, target/.

For each file, look for:

- TRUST BOUNDARIES — route handlers, CLI arg parsing, file upload endpoints, WebSocket/SSE handlers, IPC listeners
- AUTH & SESSIONS — login/logout, signup, password reset, JWT creation/validation, OAuth callbacks, API key checks
- ACCESS CONTROL — role/permission checks, object-level lookups by ID
- DATA LAYER — SQL/ORM queries, deserialization (pickle, YAML, marshal), file read/write with dynamic paths
- CRYPTO & SECRETS — encrypt/decrypt, hashing, key generation, TLS config, secret loading from env/vault/config
- EXTERNAL CALLS — HTTP clients, LLM API calls, email/SMS/payment, cloud SDK usage
Output format:

| Priority | Category | File | Lines | What |
|---|---|---|---|---|
Priority: Critical (auth, crypto, direct user input), High (access control, data persistence), Medium (logging, external calls, config).
After producing the table, recommend which Soundcheck skills to run against each hotspot category.
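As an added illustration of the Step 2 scan and the output table (my own example, not code from the Soundcheck skill): a small Python scanner that applies one heuristic regex per hotspot category, prunes the directories the skill skips, maps each category to the skill's priority levels, and renders the table. The regexes are Python-oriented guesses and the sample source is constructed for the demo.

```python
import os
import re
SKIP_DIRS = {"node_modules", ".venv", "dist", "build", "target"}
RANK = {"Critical": 0, "High": 1, "Medium": 2}
# (category, priority, regex): priorities follow the skill's mapping; regexes are my own heuristics.
CATEGORIES = [
    ("TRUST BOUNDARIES", "Critical", r"@\w+\.(route|get|post|put|delete)\(|argparse|request\.files|websocket"),
    ("AUTH & SESSIONS", "Critical", r"\b(login|logout|signup|reset_password|jwt\.(en|de)code|oauth|api_key)\b"),
    ("ACCESS CONTROL", "High", r"\b(is_admin|has_perm\w*|role|permission|current_user)\b|\.get\(\s*\w*_id\b"),
    ("DATA LAYER", "High", r"\b(execute|cursor|session\.query|pickle\.loads?|yaml\.load|marshal\.loads?)\b"),
    ("CRYPTO & SECRETS", "Critical", r"\b(encrypt|decrypt|hashlib|hmac|Fernet|ssl|os\.environ|getenv|vault)\b"),
    ("EXTERNAL CALLS", "Medium", r"\b(requests|httpx|urllib|boto3|openai|smtplib|stripe|twilio)\b"),
]
PATTERNS = [(cat, prio, re.compile(rx, re.I)) for cat, prio, rx in CATEGORIES]
def scan_source(path, text):
    """One (priority, category, file, line, snippet) per match; a line may hit several categories."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for cat, prio, rx in PATTERNS:
            if rx.search(line):
                hits.append((prio, cat, path, n, line.strip()[:60].replace("|", "\\|")))
    return hits

def scan_tree(root, exts=(".py",)):
    """Walk a checkout, pruning the dependency/build dirs the skill tells you to skip."""
    hits = []
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return hits

def render_table(hits):
    """Emit the skill's output table: Critical first, then by file and line."""
    rows = ["| Priority | Category | File | Lines | What |", "|---|---|---|---|---|"]
    for prio, cat, path, n, what in sorted(hits, key=lambda h: (RANK[h[0]], h[2], h[3])):
        rows.append(f"| {prio} | {cat} | {path} | {n} | `{what}` |")
    return "\n".join(rows)
# Constructed sample source standing in for a real checkout (not real project code).
SAMPLE = '''@app.post("/upload")
def upload():
    blob = pickle.loads(request.files["f"].read())
    return stripe.Charge.create(amount=blob["amt"])
'''
if __name__ == "__main__":
    print(render_table(scan_source("app.py", SAMPLE)))
```

Run it against a real tree with `render_table(scan_tree("."))`; the table is a triage list, not a finding list, so each row still needs a human (or the matching Soundcheck skill) to confirm.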