owasp-top10-reviewer
by Julian
A rigorous security auditor that scans code for OWASP Top 10 vulnerabilities with severity ratings and concrete fixes.
- Audit API endpoints for IDOR and broken access control vulnerabilities.
- Detect SQL injection risks and suggest parameterized query fixes.
- Identify sensitive data exposure through cryptographic failures or hardcoded keys.
Included in download
- file_read, file_write automation included
- Works with VS Code
Sample Output
A real example of what this skill produces.
OWASP Top 10 Security Audit Report
Scope: get_profile endpoint — app.py
Language/Framework: Python + Flask
Risk Summary: 0 Critical, 2 High, 1 Medium, 0 Low
A01: Broken Access Control — FAIL
Finding: No authentication check. Any user can access any other user's profile by changing the user_id parameter (IDOR).
Severity: High
Fix: Add session/JWT check. Verify current_user.id == user_id before executing the query.
A02: Cryptographic Failures — PASS
Finding: No issues found in this snippet.
A03: Injection — FAIL
Finding: f-string interpolation directly in the SQL query. Passing user_id=1 OR 1=1 dumps the entire users table.
Severity: High
Fix: db.execute("SELECT * FROM users WHERE id = ?", (user_id,))
A04: Insecure Design — PASS
A05: Security Misconfiguration — FAIL
Finding: jsonify(result) returns all columns, including password hashes.
Severity: Medium
Fix: SELECT id, name, email FROM users WHERE id = ?
A06–A10: PASS or N/A (not applicable to this endpoint snippet)
Overall Assessment: Two High-severity vulnerabilities allow any unauthenticated user to read or dump the entire users table. Fix A03 first — it is trivial to exploit with one request.
Immediate Actions:
- Replace f-string SQL with parameterized query (A03 — High)
- Add authentication + IDOR check (A01 — High)
- Restrict SELECT to needed columns (A05 — Medium)
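The three fixes from the report in one runnable form, as an added example that is not part of the skill's output or of the audited app.py: the get_profile handler as the report describes it, beside a hardened version that applies the A01, A03 and A05 fixes. It assumes an in-memory sqlite3 table and plain functions returning (status, body) in place of the Flask app and its database.

```python
import sqlite3

COLUMNS = ["id", "name", "email", "password_hash"]


def make_db():
    # Constructed in-memory stand-in for the app's users table (not the real schema).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password_hash TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "$2b$12$constructed-hash-a"),
            (2, "bob", "bob@example.com", "$2b$12$constructed-hash-b"),
        ],
    )
    return db


def get_profile_before(db, user_id):
    # The endpoint as the report describes it: no auth check (A01),
    # f-string SQL (A03), SELECT * that also returns password_hash (A05).
    sql = f"SELECT * FROM users WHERE id = {user_id}"
    return [dict(zip(COLUMNS, row)) for row in db.execute(sql)]


def get_profile_after(db, current_user_id, user_id):
    # Returns (http_status, body) so each branch can be checked without Flask.
    # A01: require a session and let a user read only their own row.
    if current_user_id is None:
        return 401, {"error": "authentication required"}
    try:
        user_id = int(user_id)  # non-numeric input such as "1 OR 1=1" stops here
    except (TypeError, ValueError):
        return 400, {"error": "invalid user_id"}
    if current_user_id != user_id:
        return 403, {"error": "forbidden"}
    # A03: bound parameter, never interpolated. A05: only the columns the client needs.
    row = db.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, {"id": row[0], "name": row[1], "email": row[2]}
```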
About This Skill
Automated OWASP Top 10 Security Auditing
Ensure your applications are secure before they ever hit production. This skill performs a rigorous, deep-dive security audit of your source code, API endpoints, and system designs, specifically checking against the 2021 OWASP Top 10 vulnerabilities.
What it does
It acts as an automated security architect that reviews your pull requests or snippets for risks like SQL injection, broken access control, and cryptographic failures. Unlike general-purpose LLM prompting, this skill follows a strict 10-point inspection protocol, ensuring no category is overlooked and every finding is backed by a concrete fix.
- Comprehensive Coverage: Systematic checks from A01 (Access Control) to A10 (SSRF).
- Development Framework Support: Expert analysis for Node.js, Python, Java, Go, and more.
- Context-Aware Ratings: Issues are categorized by severity (Critical to Low) based on real-world exploitability.
- Actionable Remediation: Every vulnerability includes the specific code change required to fix it.
Why use this skill
While standard AI might catch obvious bugs, this skill is programmed with a security-first mindset. It identifies structural design flaws, insecure configurations, and dependency risks that simple code reviews miss. The output is a professional, structured audit report ready for developers and stakeholders alike.
Use Cases
- Audit API endpoints for IDOR and broken access control vulnerabilities.
- Detect SQL injection risks and suggest parameterized query fixes.
- Identify sensitive data exposure through cryptographic failures or hardcoded keys.
- Scan configuration files for security misconfigurations and exposed secrets.
- Security audit before deploying a new API endpoint.
- Check database queries and user inputs for injection risks.
- Review authentication or session management code for vulnerabilities.
Known Limitations
Reviews the provided code only — cannot assess backend infrastructure, dependencies, or services not shown. Scope is always stated explicitly at the top of every report. Does not replace a professional security audit for compliance-critical systems.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/owasp-top10-reviewer | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Works with VS Code/GitHub Copilot, Cursor, OpenAI Codex, Google Antigravity, Claude Code, and any agent supporting the AgentSkills open standard. Install at .agents/skills/owasp-top10-reviewer/SKILL.md.
Creator
Building AI skills that encode proven frameworks. Each skill distills industry standards into triggerable workflows for developers and founders. I package battle-tested mental models into AI skills. Hope you like my skills. Much love from Germany Julian <3