ask-owasp-security-review

Original：🇺🇸 English

Translated

1 scriptsChecked / no sensitive code detected

Static security analysis for code, auditing for OWASP Top 10 risks. Triggers: "security audit", "is this secure", "check for vulnerabilities". Capabilities: - Static analysis of code snippets. - Mapping findings to OWASP Top 10 (2021). - Providing remediation code patterns.

1installs

Sourcenavanithans/agent-skill-kit

Added on2026-02-16

NPX Install

npx skill4agent add navanithans/agent-skill-kit ask-owasp-security-review

SKILL.md Content

View Translation Comparison →

OWASP Security Review Protocol

<critical_constraints>

❌ NO code execution or dynamic analysis.
❌ NO false positives. Only report with evidence.
✅ MUST map findings to OWASP Top 10.
✅ MUST provide
```
Severity
```
,
```
Location
```
, and
```
Remediation
```
. </critical_constraints>

<process>

Context Analysis: Identify language/framework. Trace data flow (Source → Sink).
<thinking> Vulnerability Scan:
- Check input validation (Injection, Broken Access).
- Check for hardcoded secrets (Cryptographic Failures).
- Check logging (Logging Failures). </thinking>
Report Generation: Format findings in Markdown Table. If none, state "No immediate risks found".
<validation_gate>: Run validation script. Ensure no errors.
Remediation: Provide corrected code for Critical/High issues. </process>

<owasp_checklist>

A01 Broken Access: IDOR, path traversal.
A02 Crypto Failures: Weak keys/algos.
A03 Injection: SQLi, XSS, Command Injection.
A04 Insecure Design: No rate limiting.
A05 Misconfig: Default creds, verbose errors.
A06 Vulnerable Components: Old libs.
A07 Auth Failures: Weak passwords.
A08 Integrity: Insecure deserialization.
A09 Logging: Missing/PII logs.
A10 SSRF: Unvalidated URLs. </owasp_checklist>

<output_template>

Security Audit Results

Vuln	OWASP	Sev	Loc	Desc	Fix
Name	Cat	High	File:10	Issue	Fix

Summary

[Risk assessment] </output_template>

<examples>

See

assets/examples.md

. </examples>