Name: Owasp Security Check
Author: Sergiodxa
Install
Terminal · npx
$npx skills add https://github.com/microsoft/github-copilot-for-azure --skill azure-rbac
Works with Paperclip
How Owasp Security Check fits into a Paperclip company.

Owasp Security Check drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md451 linesmarkdown
Expand
1---2name: owasp-security-check3description: Security audit guidelines for web applications and REST APIs based on OWASP Top 10 and web security best practices. Use when checking code for vulnerabilities, reviewing auth/authz, auditing APIs, or before production deployment.4---5 6# OWASP Security Check7 8Comprehensive security audit patterns for web applications and REST APIs. Contains 20 rules across 5 categories covering OWASP Top 10 and common web vulnerabilities.9 10## When to Apply11 12Use this skill when:13 14- Auditing a codebase for security vulnerabilities15- Reviewing user-provided file or folder for security issues16- Checking authentication/authorization implementations17- Evaluating REST API security18- Assessing data protection measures19- Reviewing configuration and deployment settings20- Before production deployment21- After adding new features that handle sensitive data22 23## How to Use This Skill24 251. **Identify application type** - Web app, REST API, SPA, SSR, or mixed262. **Scan by priority** - Start with CRITICAL rules, then HIGH, then MEDIUM273. **Review relevant rule files** - Load specific rules from @rules/ directory284. **Report findings** - Note severity, file location, and impact295. **Provide remediation** - Give concrete code examples for fixes30 31## Audit Workflow32 33### Step 1: Systematic Review by Priority34 35Work through categories by priority:36 371. **CRITICAL**: Authentication & Authorization, Data Protection, Input/Output Security382. **HIGH**: Configuration & Headers393. **MEDIUM**: API & Monitoring40 41### Step 2: Generate Report42 43Format findings as:44 45- **Severity**: CRITICAL | HIGH | MEDIUM | LOW46- **Category**: Rule name47- **File**: Path and line number48- **Issue**: What's wrong49- **Impact**: Security consequence50- **Fix**: Code example of remediation51 52## Rules Summary53 54### Authentication & Authorization (CRITICAL)55 56#### broken-access-control - @rules/broken-access-control.md57 58Check for missing authorization, IDOR, privilege escalation.59 60```typescript61// Bad: No authorization check62async function getUser(req: Request): Promise<Response> {63  let url = new URL(req.url);64  let userId = url.searchParams.get("id");65  let user = await db.user.findUnique({ where: { id: userId } });66  return new Response(JSON.stringify(user));67}68 69// Good: Verify ownership70async function getUser(req: Request): Promise<Response> {71  let session = await getSession(req);72  let url = new URL(req.url);73  let userId = url.searchParams.get("id");74 75  if (session.userId !== userId && !session.isAdmin) {76    return new Response("Forbidden", { status: 403 });77  }78 79  let user = await db.user.findUnique({ where: { id: userId } });80  return new Response(JSON.stringify(user));81}82```83 84#### authentication-failures - @rules/authentication-failures.md85 86Check for weak authentication, missing MFA, session issues.87 88```typescript89// Bad: Weak password check90if (password.length >= 6) {91  /* allow */92}93 94// Good: Strong password requirements95function validatePassword(password: string) {96  if (password.length < 12) return false;97  if (!/[A-Z]/.test(password)) return false;98  if (!/[a-z]/.test(password)) return false;99  if (!/[0-9]/.test(password)) return false;100  if (!/[^A-Za-z0-9]/.test(password)) return false;101  return true;102}103```104 105### Data Protection (CRITICAL)106 107#### cryptographic-failures - @rules/cryptographic-failures.md108 109Check for weak encryption, plaintext storage, bad hashing.110 111```typescript112// Bad: MD5 for passwords113let hash = crypto.createHash("md5").update(password).digest("hex");114 115// Good: bcrypt with salt116let hash = await bcrypt(password, 12);117```118 119#### sensitive-data-exposure - @rules/sensitive-data-exposure.md120 121Check for PII in logs/responses, error messages leaking info.122 123```typescript124// Bad: Exposing sensitive data125return new Response(JSON.stringify(user)); // Contains password hash, email, etc.126 127// Good: Return only needed fields128return new Response(129  JSON.stringify({130    id: user.id,131    username: user.username,132    displayName: user.displayName,133  }),134);135```136 137#### data-integrity-failures - @rules/data-integrity-failures.md138 139Check for unsigned data, insecure deserialization.140 141```typescript142// Bad: Trusting unsigned JWT143let decoded = JSON.parse(atob(token.split(".")[1]));144if (decoded.isAdmin) {145  /* grant access */146}147 148// Good: Verify signature149let payload = await verifyJWT(token, secret);150```151 152#### secrets-management - @rules/secrets-management.md153 154Check for hardcoded secrets, exposed env vars.155 156```typescript157// Bad: Hardcoded secret158const API_KEY = "sk_live_a1b2c3d4e5f6";159 160// Good: Environment variables161let API_KEY = process.env.API_KEY;162if (!API_KEY) throw new Error("API_KEY not configured");163```164 165### Input/Output Security (CRITICAL)166 167#### injection-attacks - @rules/injection-attacks.md168 169Check for SQL, XSS, NoSQL, Command, Path Traversal injection.170 171```typescript172// Bad: SQL injection173let query = `SELECT * FROM users WHERE email = '${email}'`;174 175// Good: Parameterized query176let user = await db.user.findUnique({ where: { email } });177```178 179#### ssrf-attacks - @rules/ssrf-attacks.md180 181Check for unvalidated URLs, internal network access.182 183```typescript184// Bad: Fetching user-provided URL185let url = await req.json().then((d) => d.url);186let response = await fetch(url);187 188// Good: Validate against allowlist189const ALLOWED_DOMAINS = ["api.example.com", "cdn.example.com"];190let url = new URL(await req.json().then((d) => d.url));191if (!ALLOWED_DOMAINS.includes(url.hostname)) {192  return new Response("Invalid URL", { status: 400 });193}194```195 196#### file-upload-security - @rules/file-upload-security.md197 198Check for unrestricted uploads, MIME validation.199 200```typescript201// Bad: No file type validation202let file = await req.formData().then((fd) => fd.get("file"));203await writeFile(`./uploads/${file.name}`, file);204 205// Good: Validate type and extension206const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp"];207const ALLOWED_EXTS = [".jpg", ".jpeg", ".png", ".webp"];208let file = await req.formData().then((fd) => fd.get("file") as File);209 210if (!ALLOWED_TYPES.includes(file.type)) {211  return new Response("Invalid file type", { status: 400 });212}213```214 215#### redirect-validation - @rules/redirect-validation.md216 217Check for open redirects, unvalidated redirect URLs.218 219```typescript220// Bad: Unvalidated redirect221let returnUrl = new URL(req.url).searchParams.get("return");222return Response.redirect(returnUrl);223 224// Good: Validate redirect URL225let returnUrl = new URL(req.url).searchParams.get("return");226let allowed = ["/dashboard", "/profile", "/settings"];227if (!allowed.includes(returnUrl)) {228  return Response.redirect("/");229}230```231 232### Configuration & Headers (HIGH)233 234#### insecure-design - @rules/insecure-design.md235 236Check for security anti-patterns in architecture.237 238```typescript239// Bad: Security by obscurity240let isAdmin = req.headers.get("x-admin-secret") === "admin123";241 242// Good: Proper role-based access control243let session = await getSession(req);244let isAdmin = await db.user245  .findUnique({246    where: { id: session.userId },247  })248  .then((u) => u.role === "ADMIN");249```250 251#### security-misconfiguration - @rules/security-misconfiguration.md252 253Check for default configs, debug mode, error handling.254 255```typescript256// Bad: Exposing stack traces257catch (error) {258  return new Response(error.stack, { status: 500 });259}260 261// Good: Generic error message262catch (error) {263  console.error(error); // Log server-side only264  return new Response("Internal server error", { status: 500 });265}266```267 268#### security-headers - @rules/security-headers.md269 270Check for CSP, HSTS, X-Frame-Options, etc.271 272```typescript273// Bad: No security headers274return new Response(html);275 276// Good: Security headers set277return new Response(html, {278  headers: {279    "Content-Security-Policy": "default-src 'self'",280    "X-Frame-Options": "DENY",281    "X-Content-Type-Options": "nosniff",282    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",283  },284});285```286 287#### cors-configuration - @rules/cors-configuration.md288 289Check for overly permissive CORS.290 291```typescript292// Bad: Wildcard with credentials293headers.set("Access-Control-Allow-Origin", "*");294headers.set("Access-Control-Allow-Credentials", "true");295 296// Good: Specific origin297let allowedOrigins = ["https://app.example.com"];298let origin = req.headers.get("origin");299if (origin && allowedOrigins.includes(origin)) {300  headers.set("Access-Control-Allow-Origin", origin);301}302```303 304#### csrf-protection - @rules/csrf-protection.md305 306Check for CSRF tokens, SameSite cookies.307 308```typescript309// Bad: No CSRF protection310let cookies = parseCookies(req.headers.get("cookie"));311let session = await getSession(cookies.sessionId);312 313// Good: SameSite cookie + token validation314return new Response("OK", {315  headers: {316    "Set-Cookie": "session=abc; SameSite=Strict; Secure; HttpOnly",317  },318});319```320 321#### session-security - @rules/session-security.md322 323Check for cookie flags, JWT issues, token storage.324 325```typescript326// Bad: Insecure cookie327return new Response("OK", {328  headers: { "Set-Cookie": "session=abc123" },329});330 331// Good: Secure cookie with all flags332return new Response("OK", {333  headers: {334    "Set-Cookie":335      "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600",336  },337});338```339 340### API & Monitoring (MEDIUM-HIGH)341 342#### api-security - @rules/api-security.md343 344Check for REST API vulnerabilities, mass assignment.345 346```typescript347// Bad: Mass assignment vulnerability348let userData = await req.json();349await db.user.update({ where: { id }, data: userData });350 351// Good: Explicitly allow fields352let { displayName, bio } = await req.json();353await db.user.update({354  where: { id },355  data: { displayName, bio }, // Only allowed fields356});357```358 359#### rate-limiting - @rules/rate-limiting.md360 361Check for missing rate limits, brute force prevention.362 363```typescript364// Bad: No rate limiting365async function login(req: Request): Promise<Response> {366  let { email, password } = await req.json();367  // Allows unlimited login attempts368}369 370// Good: Rate limiting371let ip = req.headers.get("x-forwarded-for");372let { success } = await ratelimit.limit(ip);373if (!success) {374  return new Response("Too many requests", { status: 429 });375}376```377 378#### logging-monitoring - @rules/logging-monitoring.md379 380Check for insufficient logging, sensitive data in logs.381 382```typescript383// Bad: Logging sensitive data384console.log("User login:", { email, password, ssn });385 386// Good: Log events without sensitive data387console.log("User login attempt", {388  email,389  ip: req.headers.get("x-forwarded-for"),390  timestamp: new Date().toISOString(),391});392```393 394#### vulnerable-dependencies - @rules/vulnerable-dependencies.md395 396Check for outdated packages, known CVEs.397 398```bash399# Bad: No dependency checking400npm install401 402# Good: Regular audits403npm audit404npm audit fix405```406 407## Common Vulnerability Patterns408 409Quick reference of patterns to look for:410 411- **User input without validation**: `req.json()` → immediate use412- **Missing auth checks**: Routes without authorization middleware413- **Hardcoded secrets**: Strings containing "password", "secret", "key"414- **SQL injection**: String concatenation in queries415- **XSS**: `dangerouslySetInnerHTML`, `.innerHTML`416- **Weak crypto**: `md5`, `sha1` for passwords417- **Missing headers**: No CSP, HSTS, or security headers418- **CORS wildcards**: `Access-Control-Allow-Origin: *` with credentials419- **Insecure cookies**: Missing Secure, HttpOnly, SameSite flags420- **Path traversal**: User input in file paths without validation421 422## Severity Quick Reference423 424**Fix Immediately (CRITICAL):**425 426- SQL/XSS/Command Injection427- Missing authentication on sensitive endpoints428- Hardcoded secrets in code429- Plaintext password storage430- IDOR vulnerabilities431 432**Fix Soon (HIGH):**433 434- Missing CSRF protection435- Weak password requirements436- Missing security headers437- Overly permissive CORS438- Insecure session management439 440**Fix When Possible (MEDIUM):**441 442- Missing rate limiting443- Incomplete logging444- Outdated dependencies (no known exploits)445- Missing input validation on non-critical fields446 447**Improve (LOW):**448 449- Missing optional security headers450- Verbose error messages (non-production)451- Suboptimal crypto parameters
Related skills
Frontend React Best Practices

Install Frontend React Best Practices skill for Claude Code from sergiodxa/agent-skills.
Frontend Testing Best Practices

Install Frontend Testing Best Practices skill for Claude Code from sergiodxa/agent-skills.
1password

Install 1password skill for Claude Code from steipete/clawdis.