owasp-security-review
Review code and architectures against the OWASP Top 10:2025 — the ten most critical web application security risks. Use when: (1) reviewing code for security vulnerabilities, (2) auditing a feature or codebase against OWASP categories, (3) providing remediation guidance for identified vulnerabilities, (4) writing new code and needing secure coding patterns. Triggers: 'review for security', 'OWASP audit', 'check for vulnerabilities','security checklist', 'is this code secure', 'security review', 'fix vulnerability'.
Best use case
owasp-security-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Review code and architectures against the OWASP Top 10:2025 — the ten most critical web application security risks. Use when: (1) reviewing code for security vulnerabilities, (2) auditing a feature or codebase against OWASP categories, (3) providing remediation guidance for identified vulnerabilities, (4) writing new code and needing secure coding patterns. Triggers: 'review for security', 'OWASP audit', 'check for vulnerabilities','security checklist', 'is this code secure', 'security review', 'fix vulnerability'.
Teams using owasp-security-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/owasp-security-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How owasp-security-review Compares
| Feature / Agent | owasp-security-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Review code and architectures against the OWASP Top 10:2025 — the ten most critical web application security risks. Use when: (1) reviewing code for security vulnerabilities, (2) auditing a feature or codebase against OWASP categories, (3) providing remediation guidance for identified vulnerabilities, (4) writing new code and needing secure coding patterns. Triggers: 'review for security', 'OWASP audit', 'check for vulnerabilities','security checklist', 'is this code secure', 'security review', 'fix vulnerability'.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# OWASP Top 10:2025 Security Review ## Quick reference | # | Category | Key risk | Avg incidence | | --- | ------------------------------------- | ---------------------------------------------------------------------- | ------------- | | A01 | Broken Access Control | Unauthorized data access, privilege escalation, SSRF, CSRF | 3.74% | | A02 | Security Misconfiguration | Default creds, verbose errors, missing hardening, XXE | 3.00% | | A03 | Software Supply Chain Failures | Vulnerable/malicious dependencies, compromised build pipelines | 5.72% | | A04 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing encryption, weak hashing | 3.80% | | A05 | Injection | SQLi, XSS, command injection, LDAP/XPath/EL injection | 3.08% | | A06 | Insecure Design | Missing threat modeling, business logic flaws, insufficient controls | 1.86% | | A07 | Authentication Failures | Credential stuffing, weak passwords, session fixation, missing MFA | 2.92% | | A08 | Software/Data Integrity Failures | Unsigned updates, insecure deserialization, untrusted CDN code | 2.75% | | A09 | Security Logging & Alerting Failures | Missing audit logs, no alerting, log injection, sensitive data in logs | 3.91% | | A10 | Mishandling of Exceptional Conditions | Failing open, info leakage via errors, unchecked return values | 2.95% | ## Workflows ### 1. Code review for security Systematically check the code against each relevant category: 1. **Identify the code's surface area** — Does it handle auth? User input? File uploads? External data? Crypto? Error responses? 2. **Select relevant categories** from the table above based on the surface area. 3. **Load the reference file** for each relevant category and check the code against the "What to look for" section. 4. **Report findings** grouped by category with severity (Critical/High/Medium/Low), the specific code location, and a concrete fix. Priority order for review (highest impact first): - `[CRITICAL]` Input handling code → A05 (Injection), A01 (Access Control) - `[CRITICAL]` Auth/session code → A07 (Authentication), A01 (Access Control) - `[HIGH]` Data storage/transmission → A04 (Cryptographic Failures) - `[HIGH]` Configuration/deployment → A02 (Security Misconfiguration) - `[HIGH]` Dependencies → A03 (Supply Chain) - `[MEDIUM]` Error handling → A10 (Exceptional Conditions), A09 (Logging) - `[MEDIUM]` Architecture/design → A06 (Insecure Design) - `[MEDIUM]` Data integrity → A08 (Integrity Failures) ### 2. Security audit checklist Generate a checklist for a feature or codebase: 1. Read the feature/codebase to understand its scope. 2. For each of the 10 categories, determine if it applies. 3. For applicable categories, load the reference file and produce a checklist of items to verify. 4. Output a markdown checklist grouped by category. ### 3. Remediation guidance When a vulnerability is identified: 1. Classify it into the correct OWASP category. 2. Load the corresponding reference file. 3. Apply the prevention checklist to produce a specific, actionable fix. 4. Provide a code example of the fix when possible. ## Reference files Load the relevant file when you need detailed guidance for a specific category: - **A01 Broken Access Control** — authorization checks, IDOR, CORS, CSRF, path traversal: [references/a01-broken-access-control.md](references/a01-broken-access-control.md) - **A02 Security Misconfiguration** — hardening, default creds, error messages, headers, XXE: [references/a02-security-misconfiguration.md](references/a02-security-misconfiguration.md) - **A03 Supply Chain Failures** — dependency management, SBOM, build pipeline security: [references/a03-supply-chain-failures.md](references/a03-supply-chain-failures.md) - **A04 Cryptographic Failures** — encryption, hashing, key management, TLS, PRNG: [references/a04-cryptographic-failures.md](references/a04-cryptographic-failures.md) - **A05 Injection** — SQL, XSS, command, ORM, LDAP, template injection: [references/a05-injection.md](references/a05-injection.md) - **A06 Insecure Design** — threat modeling, business logic, secure SDLC: [references/a06-insecure-design.md](references/a06-insecure-design.md) - **A07 Authentication Failures** — credential stuffing, MFA, session management, password policy: [references/a07-authentication-failures.md](references/a07-authentication-failures.md) - **A08 Integrity Failures** — deserialization, code signing, untrusted sources, CDN trust: [references/a08-integrity-failures.md](references/a08-integrity-failures.md) - **A09 Logging & Alerting** — audit trails, log injection, alerting, sensitive data in logs: [references/a09-logging-alerting-failures.md](references/a09-logging-alerting-failures.md) - **A10 Exceptional Conditions** — error handling, fail-closed, resource cleanup, info leakage: [references/a10-exceptional-conditions.md](references/a10-exceptional-conditions.md) ## Severity classification Use these severity levels when reporting findings: - **Critical**: Directly exploitable, leads to full system compromise or mass data breach (e.g., SQLi with no parameterization, hardcoded admin credentials, missing auth on admin endpoints). - **High**: Exploitable with moderate effort, significant data exposure or privilege escalation (e.g., IDOR, weak password hashing, SSRF, deserialization of untrusted data). - **Medium**: Exploitable under specific conditions, limited impact (e.g., missing CSRF protection, verbose error messages, missing security headers). - **Low**: Defense-in-depth issue, minimal direct impact (e.g., missing rate limiting, incomplete logging, suboptimal crypto configuration). ## Output format When reporting security findings, use this structure: ``` ### [SEVERITY] A0X: Category Name — Brief title **Location**: `file:line` **Risk**: What can go wrong and the impact. **Finding**: What the code does wrong. **Fix**: Specific remediation with code example. ```
Related Skills
security-auditor
Activates when user needs security review, vulnerability scanning, or secure coding guidance. Triggers on "security review", "find vulnerabilities", "is this secure", "check for injection", "security audit", "OWASP", "secure this code", or security-related questions.
security-audit
Comprehensive security auditing workflow covering web application testing, API security, penetration testing, vulnerability scanning, and security hardening.
security-audit-scanner
Automated security scanning for Vigil Guard v2.0.0. Use for OWASP Top 10 checks, TruffleHog secret detection, npm/pip vulnerability scanning, 3-branch service security, heuristics-service audit, and CI/CD security pipelines.
security-audit-example
Example security audit skill demonstrating how to audit code for security vulnerabilities. Use when the user asks to perform security reviews, check for vulnerabilities, or audit code security.
security-audit-agent
Performs comprehensive security audits of codebases, identifying vulnerabilities and security best practices
security-assessment
Execute threat modeling, vulnerability scanning, and security control validation. Use when relevant to the task.
security
Security Engineer and application security expert. Performs threat modeling, security architecture review, penetration testing, vulnerability assessment, and security compliance. Handles OWASP Top 10, authentication security, authorization, encryption, secrets management, HTTPS/TLS, CORS, CSRF, XSS, SQL injection prevention, secure coding practices, security audits, and compliance (GDPR, HIPAA, PCI-DSS, SOC 2). Activates for security, security review, threat model, vulnerability, penetration testing, pen test, OWASP, authentication security, authorization, encryption, secrets, HTTPS, TLS, SSL, CORS, CSRF, XSS, SQL injection, secure coding, security audit, compliance, GDPR, HIPAA, PCI-DSS, SOC 2, security architecture, secrets management, rate limiting, brute force protection, session security, token security, JWT security, is this secure, security check, review security, find vulnerabilities, security scan, security test, hack proof, prevent hacking, protect from attacks, DDoS protection, bot protection, WAF, web application firewall, input validation, sanitize input, escape output, parameterized queries, prepared statements, password hashing, bcrypt, argon2, salt, pepper, secure password, password policy, MFA, 2FA, two factor, multi factor, OAuth security, OIDC, OpenID Connect, SAML, SSO security, API key security, Bearer token, refresh token rotation, token expiration, session hijacking, session fixation, clickjacking, open redirect, SSRF, XXE, insecure deserialization, broken access control, security misconfiguration, sensitive data exposure, insufficient logging, dependency vulnerability, npm audit, snyk, dependabot, CVE, security patch, zero day, security incident, data breach, data leak, privacy, data protection, encryption at rest, encryption in transit, key management, KMS, HSM, certificate management, cert rotation, security headers, CSP, Content Security Policy, X-Frame-Options, X-XSS-Protection, HSTS, Strict-Transport-Security.
security-analysis
Security audit patterns including OWASP Top 10, secret scanning, and language-specific vulnerabilities.
reviewing-security
Executes security design and implementation reviews with threat modeling, OWASP-based checks, and risk-ranked remediation guidance. Activates when reviewing security, threat modeling, checking for vulnerabilities, auditing auth flows, performing OWASP reviews, or assessing security posture. Does not handle code quality or test coverage (code-reviewer), writing production code (backend-developer or frontend-developer), or infrastructure deployment (devops).
reviewer
Activate when reviewing code, before committing, after committing, or before merging a PR. Activate when user asks to review, audit, check for security issues, or find regressions. Analyzes code for logic errors, regressions, edge cases, security issues, and test gaps. Fixes findings AUTOMATICALLY. Required at process skill quality gates.
redis-security
Master Redis security - authentication, ACL, TLS encryption, network hardening, and production security best practices
QE Security Compliance
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.