Search everything...

Stats

Actions

Available In

patchman

Name: patchman
Author: muhammedzohaib

By MuhammedZohaib

Defensive security audit mode for authorized code review and architecture assessment.

npx claudepluginhub muhammedzohaib/patchman --plugin patchman

Popularity

Stars

Above avg

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands9

/api-review

Focused review of REST, GraphQL, RPC, and webhook surfaces.

/audit-report

Converts raw findings into an engineering-ready report.

/auth-review

Focused review of authentication, authorization, session, token, and reset flows.

/bizlogic-review

Focused review of business invariants, approval flows, sequencing assumptions, and abuse cases.

/pr-diff-review

Reviews a pull request diff for security regressions.

Skills7

api-review

/api-review

Review an authorized API surface for access control, mass assignment, schema validation, rate limiting, SSRF, error leakage, webhook verification, and unsafe defaults. Use for REST, GraphQL, RPC, and webhook handlers.

auth-review

/auth-review

Perform a defensive review of authentication and authorization flows in an authorized codebase. Use for login, session, MFA, OAuth, password reset, cookie security, JWT validation, impersonation, privilege checks, and object-level access control.

business-logic-review

/business-logic-review

Review an authorized application for business-logic vulnerabilities, workflow abuse, approval bypasses, replay conditions, quota circumvention, plan enforcement bugs, and state-transition errors. Use for billing, invites, approvals, refunds, admin actions, and multi-step workflows.

pr-diff-review

/pr-diff-review

Review an authorized pull request diff for security regressions. Use when changes modify trust boundaries, auth logic, data-access scope, file handling, logging, headers, or secrets.

query-review

/query-review

Review an authorized codebase for ORM misuse, N+1 query patterns, authorization-after-fetch bugs, raw SQL risks, cache key collisions, and missing tenant scopes. Use for data-access layers and security-adjacent performance pitfalls.

Hooks1

Event Hooks

3 hooks across 2 events

Stats

Version1.0.0

LanguageJavaScript

Stars2

MaintenanceExcellent

LicenseMIT

Last CommitApr 16, 2026

AddedApr 16, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

patchman-marketplace1

README

patchman

Defensive security audit skill pack for agentic code review and web application assessment.

Overview

Patchman is a skill and plugin bundle for authorized security reviews. It operates in read-first, review-first mode — inspecting code and architecture against OWASP and common appsec failure patterns, then producing structured findings with actionable remediation guidance.

Supported agents: Claude Code · Codex · Cursor · Windsurf · Copilot · Gemini-style skill installers

Installation

Claude Code (Recommended)

claude plugin marketplace add https://github.com/MuhammedZohaib/patchman.git
claude plugin install patchman@patchman-marketplace

Restart Claude Code. The session hooks activate automatically.

Verify installation

claude plugin list

Uninstall

claude plugin uninstall patchman@patchman-marketplace

Claude Code — Local Install

git clone https://github.com/MuhammedZohaib/patchman.git
claude plugin marketplace add ./patchman
claude plugin install patchman@patchman-marketplace

Codex — Local Install

git clone https://github.com/MuhammedZohaib/patchman.git
mkdir -p ~/.codex/plugins
cp -R patchman/plugins/patchman ~/.codex/plugins/patchman
codex marketplace add ./patchman

Use ~/.codex/plugins/patchman if you want to point Codex directly at the plugin path.

Use codex marketplace add ./patchman if you want Patchman to appear in Codex marketplace or picker discovery.

Review Modes

Mode	Command
Full security audit	`/security-audit focus=full severity>=medium output=report`
Auth review	`/auth-review area=login,session,reset`
Business logic review	`/bizlogic-review feature=billing-upgrade workflow=invite-approval`
API review	`/api-review surface=public-api include=authz,rate-limit,headers`
ORM / data-access review	`/query-review path=app/models include=n-plus-one,tenant-scope`
PR diff review	`/pr-diff-review base=main head=feature/auth-refactor`
Quick triage	`/quick-triage path=admin/ reason=pre-release`
Threat modeling	`/threat-model feature=file-import`
Audit report	`/audit-report format=engineering-summary`

What Patchman Detects

OWASP Top 10 classes with code-level evidence
Broken authentication, authorization, and session management
IDOR and tenant isolation failures
Business logic gaps and approval bypasses
SSRF, XSS, CSRF, injection, and insecure deserialization
Secret leakage and sensitive data in logs
Unsafe file upload handling
Weak headers, insecure defaults, and risky cryptography
Missing rate limiting and anti-abuse controls
ORM misuse, N+1 query issues, and cross-tenant data access
Admin path, webhook, queue, and background job vulnerabilities

Example Prompts

Full audit

Run a full security audit on this repo. Prioritize broken access control, unsafe defaults,
tenant isolation, secret handling, and exploitable auth issues. Use the Patchman findings format.

Targeted review

Review only the password reset flow. Focus on token lifetime, replay attacks, host header
trust, user enumeration, and session invalidation after reset.

PR review

Audit this pull request as a defensive security reviewer. Flag regressions, rank by severity
and confidence, and suggest minimal safe patches.

Findings Format

Every finding includes:

Evidence — specific code or configuration reference
Severity — based on blast radius and realistic abuse conditions
Confidence — drops when context is incomplete
Remediation — specific enough to implement directly

Scope and Limitations

Patchman is for authorized defensive auditing only.

In scope: secure code review, architecture review, configuration review, exploitability analysis in plain language, remediation planning

Out of scope: unauthorized intrusion, exploit weaponization, credential harvesting, malware or persistence guidance, destructive payloads, live attack chains

Patchman infers risk from static code and configuration. It does not replace runtime validation and will request missing deployment, proxy, or identity-boundary context when evidence is insufficient.

Repository Structure

patchman/
├── .claude-plugin/
├── .agents/plugins/
├── commands/
├── docs/
├── evals/
├── hooks/
├── plugins/patchman/
├── rules/
├── skills/
└── patchman.skill

Contributing

View full README on GitHub

patchman

Popularity

What's Inside

Confidence

README

patchman

Overview

Installation

Claude Code (Recommended)

Claude Code — Local Install

Codex — Local Install

Review Modes

What Patchman Detects

Example Prompts

Findings Format

Scope and Limitations

Repository Structure

Contributing

Similar Plugins

soundcheck

audit

agentic-security

security-reviewer

security-agent

cybersecurity

patchman

Overview

Installation

Claude Code (Recommended)

Claude Code — Local Install

Codex — Local Install

Review Modes

What Patchman Detects

Example Prompts

Findings Format

Scope and Limitations

Repository Structure

Contributing

Popularity

Health & Quality

Similar Plugins

soundcheck

audit

agentic-security

security-reviewer

security-agent

cybersecurity