# Audit Application Security with OWASP Checklists

Security reviews often miss common web risks, and the evidence they produce is collected inconsistently. This skill gives Claude, Codex, and Claude Code structured OWASP guidance, scanner workflows, and review checklists.

## Install

```bash
npx skillstore add ai agent hub/ariegoldkin-security-checklist
```

## Metadata

- Slug: ariegoldkin-security-checklist
- Version: 1.0.0
- Author: AI Agent Hub
- GitHub username: ArieGoldkin
- License: MIT
- Repository: https://github.com/ArieGoldkin/ai-agent-hub/tree/main/skills/security-checklist
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: scripts, external_commands, network, filesystem, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/ariegoldkin-security-checklist
- Manifest: https://skillstore.pages.dev/api/skills/ariegoldkin-security-checklist/manifest

## Capabilities

- Guide OWASP Top 10 reviews for access control, injection, SSRF, logging, and configuration risks.
- Recommend secure authentication, password hashing, session, JWT, and MFA patterns.
- Provide dependency and static analysis workflows for npm audit, pip-audit, Semgrep, Bandit, TruffleHog, and Trivy.
- Help record security scan evidence, severity counts, and release blocking decisions.
- Map security checks to GDPR and SOC 2 control areas.

## Use Cases

- Review a Web Feature Before Release: Check authentication, authorization, input validation, logging, dependency risks, and security headers before deployment.
- Prepare Evidence for a Security Review: Collect scan results, severity counts, and mitigation notes in a consistent format for reviewers.
- Harden an Existing Application: Use OWASP controls to find gaps in sessions, secrets, SSRF protection, dependency hygiene, and monitoring.
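The evidence-collection use case above (scan results, severity counts, a blocking decision) is the part of a release review that is easiest to get wrong by hand. The script below is an added example, not code from the skill or its repository: it parses constructed samples shaped like `npm audit --json` (npm 7+) and `pip-audit --format json`, totals findings by severity, and returns a block/allow decision with reasons that can be pasted into a review. The JSON shapes are assumptions about those tools' output, the package names and advisory ids are invented, and the thresholds are a hypothetical policy. Two practitioner caveats are built in: pip-audit reports advisory ids without a severity, so those findings are counted as `unknown` and block until triaged, and a required scanner that produced no evidence blocks on its own, so one clean scanner never clears a release.

```python
"""Release gate over dependency-scanner output (added example, hypothetical policy)."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_ORDER = ("critical", "high", "moderate", "low", "info", "unknown")

# Constructed sample in the shape of `npm audit --json` (npm 7+); not a real scan.
# Package names and advisory URL are invented.
NPM_AUDIT_SAMPLE = json.dumps({
    "vulnerabilities": {
        "example-lib": {"name": "example-lib", "severity": "high", "isDirect": True,
                        "via": [{"source": 1, "name": "example-lib", "severity": "high",
                                 "url": "https://example.com/advisory/1"}],
                        "fixAvailable": True},
        "example-transitive": {"name": "example-transitive", "severity": "moderate",
                               "isDirect": False, "via": ["example-lib"],
                               "fixAvailable": True},
    },
})

# Constructed sample in the shape of `pip-audit --format json`; pip-audit reports
# advisory ids but no severity, so these findings must be triaged by hand.
PIP_AUDIT_SAMPLE = json.dumps({
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"],
                    "description": "constructed sample"}]},
        {"name": "cleanpkg", "version": "2.0.0", "vulns": []},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    scanner: str
    package: str
    severity: str  # one of SEVERITY_ORDER
    advisory: str


def parse_npm_audit(raw: str) -> List[Finding]:
    """npm 7+ `npm audit --json`: top-level 'vulnerabilities' keyed by package (assumed shape)."""
    findings = []
    for name, entry in json.loads(raw).get("vulnerabilities", {}).items():
        sev = str(entry.get("severity", "")).lower()
        # 'via' mixes advisory dicts and bare package names; keep only advisory URLs.
        urls = [v["url"] for v in entry.get("via", []) if isinstance(v, dict) and v.get("url")]
        findings.append(Finding("npm-audit", name,
                                sev if sev in SEVERITY_ORDER else "unknown",
                                ", ".join(urls) or "n/a"))
    return findings


def parse_pip_audit(raw: str) -> List[Finding]:
    """pip-audit JSON (assumed shape): newer versions wrap the list in
    {'dependencies': [...]}, older ones emit the list directly. No severity field."""
    data = json.loads(raw)
    deps = data.get("dependencies", []) if isinstance(data, dict) else data
    return [Finding("pip-audit", dep["name"], "unknown", v.get("id", "n/a"))
            for dep in deps for v in dep.get("vulns", [])]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def release_decision(evidence: Dict[str, Optional[List[Finding]]],
                     required=("npm-audit", "pip-audit")) -> dict:
    """Hypothetical policy: block when a required scanner produced no evidence (None),
    when any critical/high finding exists, or when unknown-severity findings are untriaged."""
    reasons = [f"no evidence from {s}" for s in required if evidence.get(s) is None]
    findings = [f for fs in evidence.values() if fs for f in fs]
    counts = severity_counts(findings)
    for sev in ("critical", "high"):
        if counts[sev]:
            reasons.append(f"{counts[sev]} {sev} finding(s)")
    if counts["unknown"]:
        reasons.append(f"{counts['unknown']} finding(s) of unknown severity need triage")
    return {"blocked": bool(reasons), "reasons": reasons, "counts": counts}


def evidence_report(decision: dict, findings: List[Finding]) -> str:
    """Markdown summary for a review: counts and ids only, never raw scanner output."""
    lines = ["## Dependency scan evidence", "| severity | count |", "|---|---|"]
    lines += [f"| {s} | {n} |" for s, n in decision["counts"].items()]
    lines.append(f"\nRelease: {'BLOCKED' if decision['blocked'] else 'allowed'}")
    lines += [f"- {r}" for r in decision["reasons"]]
    lines += [f"- {f.scanner}: {f.package} [{f.severity}] {f.advisory}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    ev = {"npm-audit": parse_npm_audit(NPM_AUDIT_SAMPLE),
          "pip-audit": parse_pip_audit(PIP_AUDIT_SAMPLE)}
    print(evidence_report(release_decision(ev), ev["npm-audit"] + ev["pip-audit"]))
```

On the sample input the gate blocks twice over: one `high` npm finding and one pip-audit finding with no severity. Replacing the samples with the real files written by `npm audit --json > npm.json` and `pip-audit --format json > pip.json` is the only change needed to use it on a project; the report deliberately carries ids and counts rather than raw output so it can be attached to a ticket without leaking scan detail.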

## Prompt Templates

### Basic Security Checklist

```
Use the security-checklist skill to review this feature against the OWASP Top 10. List the highest risks, missing controls, and simple fixes.
```

### Authentication Review

```
Use the security-checklist skill to assess our authentication and authorization design. Cover password storage, MFA, sessions, JWTs, rate limits, and access control.
```

### Release Readiness Audit

```
Use the security-checklist skill to prepare a release security review. Include scanner commands to run, evidence to collect, blocking thresholds, and remediation priorities.
```

### Advanced Threat Model Review

```
Use the security-checklist skill to threat model this architecture. Evaluate OWASP risks, SSRF boundaries, secret handling, supply chain controls, logging, monitoring, and compliance gaps.
```

## Limitations

- It is guidance only and does not prove an application is secure.
- Scanner commands may require installed tools, network access, or user approval.
- Automated scan results can include false positives and need human review.
- Compliance checklists do not replace legal, audit, or certification advice.

## Best Practices

- Ask before running scanner commands that install tools, access networks, or modify project files.
- Treat secret scan reports and vulnerability evidence as confidential project data.
- Pair automated scan output with manual review of authentication, authorization, and data handling.

## Anti Patterns

- Do not mark a release safe only because one scanner returns no findings.
- Do not run dependency fix commands without reviewing the resulting package changes.
- Do not paste secrets, tokens, or raw sensitive scan output into public issue trackers.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T10:30:11.57+00:00
- Summary: Static analysis flagged many dangerous patterns, but review shows they are mostly documentation examples, defensive test payloads, and checklist items. No malicious intent or prompt injection was found. The skill still carries medium operational risk because it instructs agents to run local scanners, write scan reports, and handle secret-scan results.

## Stats

- Views: 211
- Downloads: 4
- Favorites: 0
- Popularity score: 0
