From aidoc-flow
Validates security requirements and scans code, dependencies, infrastructure, and configuration for vulnerabilities. Produces a compliance report with OWASP mapping, STRIDE threat modeling, and prioritized remediation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aidoc-flow:security-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Ensure security requirements are properly defined, implemented, and tested, and
Ensure security requirements are properly defined, implemented, and tested, and identify vulnerabilities across code, dependencies, infrastructure, and configuration. Validates compliance against recognized standards (OWASP Top 10, CWE, GDPR/HIPAA/SOC 2/PCI DSS where relevant) and performs STRIDE threat modeling. Security requirements trace from SPEC (Layer 6) and the EARS/ADR security topics upstream of it.
Use security-audit when:
Do not use it for general (non-security) artifact quality (use
../quality-advisor/SKILL.md) or traceability validation (use
../trace-check/SKILL.md).
The audit runs as a pipeline, producing a single report:
Targets: zero critical vulnerabilities, no secrets in the repository, 100% coverage of MUST security requirements, OWASP Top 10 fully covered.
Limitations: cannot detect all business-logic flaws, may produce false positives requiring manual review, and depends on current tool vulnerability databases.
framework/layers/06_SPEC/README.md ·
framework/layers/06_SPEC/SPEC-TEMPLATE.yamlframework/layers/03_EARS/README.md ·
framework/layers/05_ADR/README.mdframework/governance/ (ID, tagging, traceability standards)../quality-advisor/SKILL.md · ../trace-check/SKILL.md ·
../doc-spec/SKILL.mdnpx claudepluginhub vladm3105/aidoc-flow-framework --plugin aidoc-flowAudits code for security vulnerabilities including OWASP Top 10, auth flaws, injection, data exposure, and dependency risks. Supports multiple engagement modes from express to meticulous.
Runs a structured adversarial security audit using STRIDE, OWASP Top 10, supply-chain checks, secrets scans, and auth analysis. Apply before production releases or when changes touch auth, input parsing, dependencies, or network I/O.
Executes STRIDE threat modeling, OWASP Top 10 vulnerability scanning, security control validation, privacy assessment, and risk-prioritized reporting for code components.