Owasp Security

Name: Owasp Security
Author: hoodini

hoodini/ai-agents-skills

Implement and review web app code against OWASP Top 10 patterns while building APIs and before release.

Overview

owasp-security is an agent skill most often used in Ship (also Build backend, Ship review) that implements OWASP Top 10 secure coding and review patterns for web applications.

Install

npx skills add https://github.com/hoodini/ai-agents-skills --skill owasp-security

What is this skill?

OWASP Top 10 (2021) table with vulnerability name and prevention focus per row
Broken access control patterns with authenticate-then-authorize API examples
Injection prevention via input validation and parameterized queries
Coverage spans cryptographic failures, SSRF allowlists, logging, and dependency hygiene (A06)
Triggers on XSS, SQL injection, CSRF, authentication security, and secure coding keywords
OWASP Top 10 (2021) with 10 numbered vulnerability categories (A01–A10)

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 2.1k installs on skills.sh; 222 GitHub stars; 3/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are shipping APIs or SaaS features fast and need a repeatable guardrail against OWASP-class bugs without hiring a full-time AppSec team.

Who is it for?

Indie full-stack developers securing Node/TypeScript or similar stacks during feature work and pre-launch security passes.

Skip if: Compliance-only checkbox audits (SOC2 paperwork) with no application code changes, or non-web domains like firmware-only products.

When should I use this skill?

Preventing security vulnerabilities, implementing authentication, securing APIs, conducting security reviews; triggers on OWASP, security, XSS, SQL injection, CSRF, authentication security, secure coding, vulnerability.

What do I get? / Deliverables

Code and reviews align with OWASP Top 10 prevention patterns for access control, injection, crypto, config, and logging before merge or deploy.

Hardened code patterns aligned to OWASP categories
Security review notes mapped to A01–A10

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Security hardening and vulnerability prevention are canonical Ship work, even when coding happens earlier. The skill maps OWASP Top 10 prevention patterns—authorization, injection, misconfiguration—directly to ship → security reviews and fixes.

Also useful

BuildBackend, data & payments

Also useful

ShipCode review

Where it fits

Example use

BuildBackend, data & payments

Add route handlers that verify resource ownership instead of exposing any user ID from the URL.

Example use

ShipSecurity

Run an OWASP Top 10 pass on new API endpoints before opening them to production traffic.

Example use

ShipCode review

Have the agent flag missing authorization checks and injection risks in a pull request diff.

How it compares

Structured OWASP Top 10 playbook for agents, not a dependency scanner CLI or generic lint rule set alone.

Common Questions / FAQ

Who is owasp-security for?

Solo builders and small teams implementing or reviewing web backends and APIs who want OWASP-aligned secure coding in agent sessions.

When should I use owasp-security?

In Ship → security before release, and in Build → backend while adding auth, queries, or external URL fetchers; also when triggers mention OWASP, XSS, or SQL injection.

Is owasp-security safe to install?

It supplies educational secure-coding patterns; review the Security Audits panel on this page and never paste live secrets into examples.

SKILL.md

READMESKILL.md - Owasp Security

# OWASP Top 10 Security

Prevent common security vulnerabilities in web applications.

## OWASP Top 10 (2021)

| # | Vulnerability | Prevention |
|---|---------------|------------|
| A01 | Broken Access Control | Proper authorization checks |
| A02 | Cryptographic Failures | Strong encryption, secure storage |
| A03 | Injection | Input validation, parameterized queries |
| A04 | Insecure Design | Threat modeling, secure patterns |
| A05 | Security Misconfiguration | Hardened configs, no defaults |
| A06 | Vulnerable Components | Dependency scanning, updates |
| A07 | Auth Failures | MFA, secure session management |
| A08 | Data Integrity Failures | Input validation, signed updates |
| A09 | Logging Failures | Comprehensive audit logs |
| A10 | SSRF | URL validation, allowlists |

## A01: Broken Access Control

### Prevention Patterns
```typescript
// ❌ BAD: No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user);
});

// ✅ GOOD: Verify ownership
app.get('/api/users/:id', authenticate, async (req, res) => {
  const userId = req.params.id;
  
  // Users can only access their own data
  if (req.user.id !== userId && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  
  const user = await db.users.findById(userId);
  res.json(user);
});

// ✅ GOOD: Role-based access control (RBAC)
const requireRole = (...roles: string[]) => {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!roles.includes(req.user?.role)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    next();
  };
};

app.delete('/api/posts/:id', authenticate, requireRole('admin', 'moderator'), deletePost);
```

### Insecure Direct Object Reference (IDOR)
```typescript
// ❌ BAD: Predictable IDs exposed
GET /api/invoices/1001
GET /api/invoices/1002  // Can enumerate others' invoices

// ✅ GOOD: Use UUIDs + ownership check
app.get('/api/invoices/:id', authenticate, async (req, res) => {
  const invoice = await db.invoices.findOne({
    id: req.params.id,
    userId: req.user.id,  // Enforce ownership
  });
  
  if (!invoice) {
    return res.status(404).json({ error: 'Not found' });
  }
  
  res.json(invoice);
});
```

## A02: Cryptographic Failures

### Password Hashing
```typescript
import bcrypt from 'bcrypt';
import crypto from 'crypto';

// ✅ Hash passwords with bcrypt
const SALT_ROUNDS = 12;

async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function verifyPassword(password: string, hash: string): Promise<boolean> {
  return bcrypt.compare(password, hash);
}

// ✅ Secure token generation
function generateSecureToken(length = 32): string {
  return crypto.randomBytes(length).toString('hex');
}

// ✅ Encrypt sensitive data
const ALGORITHM = 'aes-256-gcm';
const KEY = crypto.scryptSync(process.env.ENCRYPTION_KEY!, 'salt', 32);

function encrypt(text: string): { encrypted: string; iv: string; tag: string } {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
  
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  
  return {
    encrypted,
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

function decrypt(encrypted: string, iv: string, tag: string): string {
  const decipher = crypto.createDecipheriv(ALGORITHM, KEY, Buffer.from(iv, 'hex'));
  decipher.setAuthTag(Buffer.from(tag, 'hex'));
  
  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf

What is this skill?

OWASP Top 10 (2021) table with vulnerability name and prevention focus per row

Broken access control patterns with authenticate-then-authorize API examples

Injection prevention via input validation and parameterized queries

Coverage spans cryptographic failures, SSRF allowlists, logging, and dependency hygiene (A06)

Triggers on XSS, SQL injection, CSRF, authentication security, and secure coding keywords

OWASP Top 10 (2021) with 10 numbered vulnerability categories (A01–A10)

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 2.1k installs on skills.sh; 222 GitHub stars; 3/3 security scanners passed (skills.sh audits).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

BuildBackend, data & payments

Also useful

ShipCode review

Where it fits

Example use

BuildBackend, data & payments

Add route handlers that verify resource ownership instead of exposing any user ID from the URL.

Example use

ShipSecurity

Run an OWASP Top 10 pass on new API endpoints before opening them to production traffic.

Example use

ShipCode review

Have the agent flag missing authorization checks and injection risks in a pull request diff.

SKILL.md

READMESKILL.md - Owasp Security

# OWASP Top 10 Security

Prevent common security vulnerabilities in web applications.

## OWASP Top 10 (2021)

| # | Vulnerability | Prevention |
|---|---------------|------------|
| A01 | Broken Access Control | Proper authorization checks |
| A02 | Cryptographic Failures | Strong encryption, secure storage |
| A03 | Injection | Input validation, parameterized queries |
| A04 | Insecure Design | Threat modeling, secure patterns |
| A05 | Security Misconfiguration | Hardened configs, no defaults |
| A06 | Vulnerable Components | Dependency scanning, updates |
| A07 | Auth Failures | MFA, secure session management |
| A08 | Data Integrity Failures | Input validation, signed updates |
| A09 | Logging Failures | Comprehensive audit logs |
| A10 | SSRF | URL validation, allowlists |

## A01: Broken Access Control

### Prevention Patterns
```typescript
// ❌ BAD: No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user);
});

// ✅ GOOD: Verify ownership
app.get('/api/users/:id', authenticate, async (req, res) => {
  const userId = req.params.id;
  
  // Users can only access their own data
  if (req.user.id !== userId && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  
  const user = await db.users.findById(userId);
  res.json(user);
});

// ✅ GOOD: Role-based access control (RBAC)
const requireRole = (...roles: string[]) => {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!roles.includes(req.user?.role)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    next();
  };
};

app.delete('/api/posts/:id', authenticate, requireRole('admin', 'moderator'), deletePost);
```

### Insecure Direct Object Reference (IDOR)
```typescript
// ❌ BAD: Predictable IDs exposed
GET /api/invoices/1001
GET /api/invoices/1002  // Can enumerate others' invoices

// ✅ GOOD: Use UUIDs + ownership check
app.get('/api/invoices/:id', authenticate, async (req, res) => {
  const invoice = await db.invoices.findOne({
    id: req.params.id,
    userId: req.user.id,  // Enforce ownership
  });
  
  if (!invoice) {
    return res.status(404).json({ error: 'Not found' });
  }
  
  res.json(invoice);
});
```

## A02: Cryptographic Failures

### Password Hashing
```typescript
import bcrypt from 'bcrypt';
import crypto from 'crypto';

// ✅ Hash passwords with bcrypt
const SALT_ROUNDS = 12;

async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function verifyPassword(password: string, hash: string): Promise<boolean> {
  return bcrypt.compare(password, hash);
}

// ✅ Secure token generation
function generateSecureToken(length = 32): string {
  return crypto.randomBytes(length).toString('hex');
}

// ✅ Encrypt sensitive data
const ALGORITHM = 'aes-256-gcm';
const KEY = crypto.scryptSync(process.env.ENCRYPTION_KEY!, 'salt', 32);

function encrypt(text: string): { encrypted: string; iv: string; tag: string } {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
  
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  
  return {
    encrypted,
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

function decrypt(encrypted: string, iv: string, tag: string): string {
  const decipher = crypto.createDecipheriv(ALGORITHM, KEY, Buffer.from(iv, 'hex'));
  decipher.setAuthTag(Buffer.from(tag, 'hex'));
  
  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is owasp-security for?

When should I use owasp-security?

Is owasp-security safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is owasp-security for?

When should I use owasp-security?

Is owasp-security safe to install?

SKILL.md