cyber-owasp-review
Map application security findings to OWASP Top 10 categories and generate remediation checklists. Use for normalized AppSec review outputs and category-level prioritization.
About this skill
The `cyber-owasp-review` skill standardizes the analysis of application security findings. It takes raw output from scanners, penetration tests, or manual reviews and maps each finding to an OWASP Top 10 category (the example output on this page uses the 2021 edition's identifiers, such as A01:2021). It then aggregates findings by category and severity, giving a category-level view of the application's security posture.

Its second function is to generate category-specific remediation checklists, which turn a list of vulnerabilities into concrete steps that development and security teams can act on. The bundled `scripts/map_findings_to_owasp.py` performs the mapping deterministically, and `references/owasp-mapping-guide.md` supplies the category heuristics it follows, so the same input yields the same categorization every time.

The skill suits organizations that want consistent AppSec reporting across projects and tools and a shorter remediation cycle. Its guardrails keep the output remediation-focused: it does not produce exploit payloads or offensive playbooks.
Best use case
The primary use case for `cyber-owasp-review` is to standardize and accelerate the vulnerability management process within application development lifecycles. Security analysts, developers, and QA teams benefit most, as it translates often disparate security findings into a unified, actionable format based on the OWASP Top 10, facilitating clearer prioritization and efficient resolution of security issues.
Users should expect a clear, categorized list of application security findings mapped to OWASP Top 10, accompanied by a severity-prioritized checklist of actionable remediation steps.
Practical example
Example input
Analyze the provided `appsec_report.json` for application security findings, categorize them by OWASP Top 10, and generate a remediation checklist. Prioritize findings by severity.
Example output
**OWASP Top 10 Categorization & Remediation Checklist:**

**A01:2021 - Broken Access Control (High)**
- **Findings:** Unauthorized API endpoint access, missing authentication on admin pages.
- **Remediation:** Implement robust access control checks; enforce least privilege; review API endpoint permissions.

**A03:2021 - Injection (Medium)**
- **Findings:** Potential SQL injection in user input forms.
- **Remediation:** Use parameterized queries; sanitize all user inputs; implement input validation.
When to use this skill
- When needing to categorize diverse application security findings to OWASP Top 10.
- When generating prioritized remediation checklists from security scan results.
- When standardizing AppSec review outputs across multiple projects or tools.
- When preparing for security audits or compliance checks that reference the OWASP Top 10.
When not to use this skill
- When the security findings are not related to application security or OWASP categories.
- When detailed exploit payloads or offensive attack playbooks are required.
- When performing manual, in-depth security research that requires human intuition beyond structured mapping.
- When the findings are for network or infrastructure security, rather than application security.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/cyber-owasp-review/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How cyber-owasp-review Compares
| Feature / Agent | cyber-owasp-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Medium | N/A |
Frequently Asked Questions
What does this skill do?
Map application security findings to OWASP Top 10 categories and generate remediation checklists. Use for normalized AppSec review outputs and category-level prioritization.
How difficult is it to install?
The installation complexity is rated as medium. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Cyber OWASP Review

## Overview

Normalize application security findings into OWASP categories and produce remediation actions.

## Workflow

1. Ingest raw findings from scanners, tests, or reviews.
2. Map findings to OWASP categories using keyword and context matching.
3. Aggregate findings by category and severity.
4. Produce category-specific remediation checklist output.

## Use Bundled Resources

- Run `scripts/map_findings_to_owasp.py` for deterministic mapping.
- Read `references/owasp-mapping-guide.md` for category heuristics.

## Guardrails

- Keep guidance remediation-focused.
- Do not provide exploit payloads or offensive attack playbooks.
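The following Python is an added example that walks the four workflow steps above (ingest, keyword mapping, aggregation, checklist) on a constructed stand-in for the `appsec_report.json` of the practical example; it is not the skill's bundled `scripts/map_findings_to_owasp.py`, whose source the page does not show. The keyword rules, remediation templates, finding ids, paths and severities are all assumptions made for illustration; only the OWASP 2021 category titles are real.

```python
"""Added example, not the skill's bundled scripts/map_findings_to_owasp.py:
keyword-based OWASP Top 10 (2021) mapping, category/severity aggregation and
a remediation checklist in the shape of the page's example output."""
import json
import re
from collections import defaultdict

OWASP_2021 = {  # official 2021 category titles
    "A01": "Broken Access Control", "A02": "Cryptographic Failures",
    "A03": "Injection", "A04": "Insecure Design", "A05": "Security Misconfiguration",
    "A06": "Vulnerable and Outdated Components",
    "A07": "Identification and Authentication Failures",
    "A08": "Software and Data Integrity Failures",
    "A09": "Security Logging and Monitoring Failures",
    "A10": "Server-Side Request Forgery",
}

# Constructed heuristics (an assumption, not the skill's mapping guide). Rules are
# tried in order and the first match wins, so specific phrases precede broad ones;
# a finding that matches nothing stays UNMAPPED for a human instead of being guessed.
KEYWORD_RULES = [
    (r"\bssrf\b|server[- ]side request forgery", "A10"),
    (r"sql injection|\bsqli\b|command injection|\bxss\b|cross[- ]site scripting", "A03"),
    (r"unauthori[sz]ed|\bidor\b|privilege escalation|access control|admin page", "A01"),
    (r"weak password|session fixation|credential stuffing|brute[- ]force", "A07"),
    (r"plaintext|cleartext|weak cipher|\bmd5\b|hard-?coded (secret|key)", "A02"),
    (r"outdated|end[- ]of[- ]life|vulnerable (component|dependency|library)", "A06"),
    (r"default credential|debug mode|verbose error|directory listing|misconfig", "A05"),
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

REMEDIATION = {  # constructed checklist templates; categories without one are flagged
    "A01": ["Deny by default and enforce server-side authorization on every route and object",
            "Add tests proving a low-privilege session cannot reach admin or other users' data",
            "Log and alert on authorization failures"],
    "A03": ["Use parameterized queries or prepared statements for every database call",
            "Validate input against an allow-list and encode output for its context",
            "Run the query path under a least-privilege database account"],
    "A06": ["Keep an SBOM and pin component versions",
            "Upgrade or remove end-of-life components and subscribe to their advisories"],
}

def normalize_severity(raw):
    """Scanner vocabularies differ; fold them onto one scale or fail loudly."""
    s = str(raw).strip().lower()
    s = {"informational": "info", "moderate": "medium", "important": "high"}.get(s, s)
    if s not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {raw!r}")
    return s

def map_finding(finding):
    """Return the OWASP id for a finding, or None when no rule matches."""
    text = f"{finding.get('title', '')} {finding.get('description', '')}".lower()
    for pattern, category in KEYWORD_RULES:
        if re.search(pattern, text):
            return category
    return None

def aggregate(report_json):
    """Group findings by category; a category's severity is the max of its findings."""
    buckets = defaultdict(list)
    for f in json.loads(report_json)["findings"]:
        buckets[map_finding(f) or "UNMAPPED"].append({**f, "severity": normalize_severity(f["severity"])})
    summary = []
    for cat, items in buckets.items():
        items.sort(key=lambda x: -SEVERITY_RANK[x["severity"]])  # stable: input order kept within a level
        summary.append({"category": cat, "name": OWASP_2021.get(cat, "Needs manual triage"),
                        "severity": items[0]["severity"], "count": len(items), "findings": items})
    # Deterministic output order: highest category severity, then finding count, then id.
    summary.sort(key=lambda c: (-SEVERITY_RANK[c["severity"]], -c["count"], c["category"]))
    return summary

def render_checklist(summary):
    """Emit the markdown block used by the page's example output."""
    out = ["**OWASP Top 10 Categorization & Remediation Checklist:**"]
    for c in summary:
        label = f"{c['category']}:2021 - {c['name']}" if c["category"] in OWASP_2021 else "Unmapped findings"
        out.append(f"\n**{label} ({c['severity'].capitalize()})**")
        out.append("- **Findings:** " + "; ".join(f"{f['id']} {f['title']}" for f in c["findings"]) + ".")
        steps = REMEDIATION.get(c["category"], ["Triage manually; no checklist template for this category"])
        out.append("- **Remediation:** " + "; ".join(steps) + ".")
    return "\n".join(out)

# Constructed sample standing in for appsec_report.json (ids, paths and severities are made up).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "title": "Unauthorized API endpoint access", "severity": "High",
     "description": "/api/v1/users/{id} returns another user's record with no authorization check"},
    {"id": "F-2", "title": "Missing authentication on admin pages", "severity": "High",
     "description": "/admin/reports is reachable without a session; no access control applied"},
    {"id": "F-3", "title": "Potential SQL injection in search form", "severity": "Moderate",
     "description": "parameter q is concatenated into the query string"},
    {"id": "F-4", "title": "Outdated dependency", "severity": "low",
     "description": "example-lib 1.2.3 (hypothetical) is end-of-life in this image"},
    {"id": "F-5", "title": "Slow response on /health", "severity": "Info",
     "description": "p99 latency above 2s under load"},
]})

if __name__ == "__main__":
    print(render_checklist(aggregate(SAMPLE_REPORT)))
```

Two design points matter more than the keyword table itself. First, a finding that matches no rule lands in an explicit UNMAPPED bucket rather than being forced into the nearest category; silently mis-filing is the failure mode that makes category-level prioritization untrustworthy. Second, the rule order encodes precedence (a finding mentioning both an admin page and a weak password maps to A01 here), so any change to the heuristics should be covered by a fixed-input regression test, which is what makes the mapping deterministic in practice.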
Related Skills
Cybersecurity Risk Assessment
You are a cybersecurity risk assessment specialist. When the user needs a security audit, threat assessment, or compliance review, follow this framework.
afrexai-cybersecurity-engine
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack — zero external dependencies.
cyber-kev-triage
Prioritize vulnerability remediation using KEV-style exploitation context plus asset criticality. Use for CVE triage, patch order decisions, and remediation reporting.
cyber-ir-playbook
Build incident response timelines and report packs from event logs. Use for detection-to-recovery reporting, phase tracking, and stakeholder-ready incident summaries.
HIPAA Compliance for AI Agents
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
Data Governance Framework
Assess, score, and remediate your organization's data governance posture across 6 domains.
Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
Compliance Audit Generator
Run internal compliance audits against major frameworks without hiring a consultant.
AI Safety Audit
Comprehensive AI safety and alignment audit framework for businesses deploying AI agents. Built around the UK AI Security Institute Alignment Project standards (2026), EU AI Act requirements, and NIST AI RMF.
clickhouse-github-forensics
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks, tracking repository activity, analyzing actor behavior patterns, detecting tag/release tampering, or reconstructing incident timelines from public GitHub data. Triggers on GitHub supply chain attacks, repo compromise investigations, actor attribution, tag poisoning, or "query github events".
security-guardian
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.
mema-vault
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys, database credentials, and other sensitive tokens.