
owasp-audit

Audit application source code against the OWASP Top 10 (2021) vulnerability categories — broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF. Use when the user mentions 'OWASP,' 'OWASP Top 10,' 'security audit,' 'security review,' 'secure code review,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'appsec review,' 'application security audit,' 'check for security issues,' 'broken access control,' 'IDOR,' 'SQL injection,' 'XSS,' 'SSRF,' or wants to check their codebase for common security weaknesses.

69

Quality: 85% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its purpose (OWASP Top 10 security auditing), enumerates all 10 vulnerability categories for specificity, and provides an extensive 'Use when' clause with natural trigger terms covering both formal terminology and casual user phrasing. It uses proper third-person voice and is well-structured for skill selection among many options.

Dimension | Reasoning | Score

Specificity (3 / 3)
The description lists multiple specific concrete actions: auditing source code against OWASP Top 10, and enumerates all 10 vulnerability categories (broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, data integrity, logging failures, SSRF).

Completeness (3 / 3)
Clearly answers both 'what' (audit application source code against OWASP Top 10 vulnerability categories with all 10 listed) and 'when' (explicit 'Use when' clause with extensive list of trigger phrases and scenarios).

Trigger Term Quality (3 / 3)
Excellent coverage of natural trigger terms users would say, including 'OWASP,' 'security audit,' 'secure code review,' 'find vulnerabilities,' 'SQL injection,' 'XSS,' 'SSRF,' 'IDOR,' 'check for security issues,' and many more variations. These are terms users would naturally use when requesting this type of work.

Distinctiveness / Conflict Risk (3 / 3)
Highly distinctive with a clear niche in OWASP-specific security auditing of application source code. The specific vulnerability categories and security-focused trigger terms make it unlikely to conflict with general code review or other development skills.

Total: 12 / 12 (Passed)

Implementation

70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is an exceptionally thorough and actionable OWASP audit skill with genuinely novel, non-obvious security patterns and concrete executable guidance throughout. Its primary weakness is its monolithic structure — at 600+ lines with no external file references, it consumes enormous context window space and would benefit greatly from splitting detailed reference material (SSRF bypass catalog, XSS payloads, header tables, report templates) into separate files. Some sections also contain verbose explanations that could be tightened.

Suggestions

Split the SSRF allow-list bypass catalog (A10), XSS payload test set, security header baseline table, and report format template into separate referenced files (e.g., SSRF_BYPASSES.md, XSS_PAYLOADS.md, HEADERS.md, REPORT_TEMPLATE.md) to reduce the main file to an overview with clear navigation.

Tighten verbose explanatory passages — e.g., the A02 TLS/VERIFY_PEER section and A04 TOCTOU billing section contain multi-paragraph explanations that could be condensed to bullet points with a code example, since Claude understands these concepts.

Remove or consolidate duplicated grep patterns that appear in multiple sections (e.g., redirect-related greps in A01, cookie/credential greps in A07) into a single 'comprehensive grep sweep' section or reference file.

Dimension | Reasoning | Score

Conciseness (2 / 3)
The skill contains genuinely novel, non-obvious security patterns (IDOR via foreign keys, JSON.stringify breakout, IPv4 octal encoding, TOCTOU races) that earn their tokens. However, it is extremely long (~600+ lines) with some redundancy (e.g., the same grep patterns repeated, verbose explanations of concepts like SSRF allow-list bypasses that Claude likely knows). Several sections could be tightened or moved to reference files.

Actionability (3 / 3)
Exceptionally actionable throughout: provides concrete grep commands, executable bash snippets, specific regex patterns for secret detection, exact code fixes (e.g., Rails ERB JSON-LD idiom, conditional UPDATE SQL patterns), canonical XSS payload test sets, and framework-specific file paths to check. Nearly every checklist item includes a concrete 'grep for' or code example.

Workflow Clarity (3 / 3)
The workflow is clearly sequenced: scope → systematic checklist (A01-A10) → verify fixes at runtime → second-opinion pass → report format. It includes explicit validation checkpoints (runtime verification after fixes, XSS payload testing, second-pass adversarial review) and feedback loops (fix → re-validate → re-audit). The report format section provides clear templates with required fields.

Progressive Disclosure (1 / 3)
This is a monolithic wall of text with no references to external files despite being extremely long (~600+ lines). The detailed SSRF bypass catalog, the XSS sanitizer guidance, the framework-specific header tables, and the report template could all be split into separate reference files. Everything is inline, making it difficult to navigate and consuming excessive context window.

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Description | Result

allowed_tools_field
'allowed-tools' contains unusual tool name(s)
Result: Warning

Total: 10 / 11 (Passed)

Repository: briiirussell/cybersecurity-skills (Reviewed)
