appsec
Application security - OWASP, validation, secrets. Use when securing the app.
Best use case
appsec is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using appsec should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/appsec/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How appsec Compares
| Feature / Agent | appsec | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Application security - OWASP, validation, secrets. Use when securing the app.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# AppSec Guideline

## Tech Stack

* **Rate Limiting**: Upstash Redis
* **Framework**: Next.js
* **Platform**: Vercel

## Non-Negotiables

* OWASP Top 10:2025 vulnerabilities must be addressed
* CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers must be present
* CSRF protection on state-changing requests
* No plaintext passwords in logs, returns, storage, or telemetry
* MFA required for Admin/SUPER_ADMIN roles
* Required configuration must fail-fast at build/startup if missing
* Secrets must not be hardcoded or committed

## Context

Security isn't a feature — it's a foundational property. A single vulnerability can compromise everything else. The review should think like an attacker: where are the weak points? What would I exploit?

Beyond fixing vulnerabilities, consider the security architecture holistically. Is defense-in-depth implemented? Are there single points of failure? Would you trust this system with your own data?

## Driving Questions

* What would an attacker target first?
* Where is rate limiting missing or insufficient?
* What attack vectors exist in authentication flows?
* How are secrets managed and what's the rotation strategy?
* What happens when a secret is compromised — is incident response exercisable?
* Where does "security by obscurity" substitute for real controls?
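Two of the non-negotiables above (the required response headers and fail-fast configuration) turned into checkable code for a Next.js app. This is an added example, not code from the skill; the header values, function names and environment variable names are assumptions.

```javascript
// Added example for the appsec guideline (not the skill's own code).
// Header values below are reasonable defaults, not values taken from the page.
const REQUIRED_SECURITY_HEADERS = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
};

// Shape returned by the `headers()` function in next.config.js: apply to every route.
function securityHeadersConfig() {
  const headers = Object.entries(REQUIRED_SECURITY_HEADERS).map(
    ([key, value]) => ({ key, value })
  );
  return [{ source: "/(.*)", headers }];
}

// Audit helper for a deployed route: takes a fetch() Headers object, a Map, or a plain
// object and returns the required headers that are missing or empty. Wire it into a
// test so a regression fails the build instead of shipping silently.
function missingSecurityHeaders(responseHeaders) {
  const lookup = new Map();
  const entries = typeof responseHeaders.entries === "function"
    ? responseHeaders.entries()
    : Object.entries(responseHeaders);
  for (const [k, v] of entries) lookup.set(String(k).toLowerCase(), v);
  return Object.keys(REQUIRED_SECURITY_HEADERS).filter((name) => {
    const v = lookup.get(name);
    return v === undefined || v === null || String(v).trim() === "";
  });
}

// Fail-fast configuration: throw at startup if any required variable is absent or
// blank. Only the variable *names* go into the error, never the values, so a secret
// cannot leak through logs or telemetry when startup fails.
function loadRequiredConfig(env, requiredKeys) {
  const missing = requiredKeys.filter((k) => !env[k] || env[k].trim() === "");
  if (missing.length > 0) {
    throw new Error(`Missing required configuration: ${missing.join(", ")}`);
  }
  return Object.fromEntries(requiredKeys.map((k) => [k, env[k]]));
}
```

Call `loadRequiredConfig(process.env, [...])` at module load of the server entry point so a misconfigured deploy fails before serving a request.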
Related Skills
appsec-expert
Elite Application Security engineer specializing in secure SDLC, OWASP Top 10 2025, SAST/DAST/SCA integration, threat modeling (STRIDE), and vulnerability remediation. Expert in security testing, cryptography, authentication patterns, and DevSecOps automation. Use when securing applications, implementing security controls, or conducting security assessments.
bgo
Automates the complete Blender build-go workflow, from building and packaging your extension/add-on to removing old versions, installing, enabling, and launching Blender for quick testing and iteration.
eng-spec
Generate an Engineering Specification. Use when the user says /eng-spec, asks to create a technical spec, engineering spec, system design document, or translate a PRD into a technical plan. Triggers: eng-spec, engineering spec, technical spec, system design, technical design, architecture spec.
e2e
E2E Command - generate and run end-to-end tests with Playwright
e2e-testing
End-to-end testing workflow with Playwright for browser automation, visual regression, cross-browser testing, and CI/CD integration.
e2e-testing-patterns
Master end-to-end testing with Playwright and Cypress to build reliable test suites that catch bugs, improve confidence, and enable fast deployment. Use when implementing E2E tests, debugging flaky tests, or establishing testing standards.
e2e-outside-in-test-generator
Generates comprehensive end-to-end Playwright tests using outside-in methodology
dropbox
No description provided.
dotnet
.NET development standards and practices for zero-fabrication, test-driven development with strict quality gates. Use when working on .NET/C# projects that require rigorous testing, real integrations only, and co-located tests.
dotnet-uno-testing
Tests Uno Platform apps. Playwright for WASM, platform-specific patterns, runtime heads.
dotnet-security-owasp
Hardens .NET apps per OWASP Top 10 -- injection, auth, XSS, deprecated security APIs.
done
Complete current expedition - run tests, commit, push, and update kanban status