Perform a comprehensive code security review against the 2025 MITRE CWE Top 25 Most Dangerous Software Weaknesses (sourced from https://cwe.mitre.org/top25/). Use this skill every time the user asks for a code security review, security audit, vulnerability scan, CWE review, secure code review, source review, or any variant of "check my code for security issues". This skill runs 25 dedicated analysis passes -- one per CWE in the Top 25 -- each focused on finding ALL instances of its assigned weakness across the entire codebase. Results are risk-ranked from highest to lowest and every finding includes a specific, actionable remediation recommendation grounded in good software security engineering practice and principles.
Score: 90
Does it follow best practices? 88%
Impact: 92%
2.78x average score across 3 eval scenarios
Passed: no known issues
Eval scenario: Risk scoring and report structure (pass rate, baseline vs. with skill)

Criterion                               Baseline   With skill
Exact announcement                      0%         0%
Source URL in header                    0%         100%
Executive summary content               50%        100%
Risk-ranked summary table               0%         100%
Risk formula: MITRE + KEV term          0%         100%
Risk formula: severity points           0%         100%
Correct severity point values           0%         100%
Table sorted highest first              0%         100%
Detailed findings with severity tags    77%        100%
Fenced code snippets                    100%       100%
Secrets redacted                        0%         100%
Clean categories section                0%         100%
Methodology source and mode             0%         100%
Eval scenario: Workflow steps and source handling (pass rate, baseline vs. with skill)

Criterion                               Baseline   With skill
Exact announcement text                 0%         0%
Live fetch attempted                    0%         70%
List version stated                     0%         100%
Live vs local declared                  0%         100%
Detection heuristics used               0%         80%
Methodology source URL                  0%         100%
Methodology live vs local               0%         100%
One pass per CWE stated                 0%         100%
All 25 CWEs addressed                   0%         100%
CWEs separated by category              0%         100%
Eval scenario: Exhaustive multi-instance detection and no scripts (pass rate, baseline vs. with skill)

Criterion                                              Baseline   With skill
No scripts created                                     100%       100%
Multiple SQL injection instances                       100%       100%
Multiple XSS instances                                 100%       100%
SQL remediation names specific variable or function    100%       100%
XSS remediation names specific function                100%       100%
Memory-safety CWEs marked not applicable               0%         100%
Per-CWE structure                                      0%         100%
Command injection finding specifics                    100%       100%
File upload finding specifics                          100%       100%
No generic-only remediation                            100%       100%
99b52ce