Performing Security Testing

This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.

Invalid

This skill can't be scored yet

Validation errors are blocking scoring. Review and fix them to unlock Quality, Impact and Security scores. See what needs fixing →

2 findings — 1 high severity, 1 medium severity. You should review these findings carefully before considering using this skill.

High

W007: Insecure credential handling detected in skill instructions

What this means

The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.

Why it was flagged

Insecure credential handling detected (high risk: 0.80). The skill asks the user to "Provide necessary authentication credentials" for testing protected resources without specifying secure handling (e.g., use of environment variables or tool-managed auth), so the agent may request and embed secrets verbatim, creating an exfiltration risk.

Report incorrect finding

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 1.00). The SKILL.md "Execute Tests" workflow explicitly activates the security-test-scanner plugin to run scans against user-specified application/API endpoints, so the agent will fetch and interpret arbitrary external HTTP responses from potentially untrusted third-party or user-controlled sites which could contain instructions that influence subsequent tool use and decisions.

Report incorrect finding

Repository: jeremylongshore/claude-code-plugins-plus-skills
Commit: 4778c8f

Audited: 2 months ago
Security analysis

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.