From craft-workspace-webconsulting-skills
Conducts security assessments covering OWASP Top 10, CWE Top 25, CVSS scoring, cloud/IaC, API, frontend, AI agent configs, and dependency scanning with 80+ PHP/TYPO3 checkpoints.
How this skill is triggered: by the user, by Claude, or both.
Slash command: /craft-workspace-webconsulting-skills:security-audit
The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Security audit patterns (OWASP Top 10, LLM Top 10 2025, CWE Top 25 2025, CVSS v4.0), cloud/IaC, GitHub security. 80+ PHP/TYPO3 checkpoints (v14.3 LTS in `typo3-security.md`).
Files:
checkpoints.yaml
evals/evals.json
references/android-sdk-security.md
references/angular-security.md
references/api-key-encryption.md
references/api-security.md
references/authentication-patterns.md
references/automated-scanning.md
references/aws-security.md
references/azure-security.md
references/blazor-security.md
references/ci-security-pipeline.md
references/cryptography-guide.md
references/csharp-security-features.md
references/cve-database.md
references/cve-patterns.md
references/cvss-scoring.md
references/cwe-top25.md
references/deserialization-prevention.md
references/django-security.md
References index (paths under references/, .md implied):
*-security-features: php, python, javascript-typescript, nodejs, java, csharp, go, rust, ruby
*-security: typo3, typo3-fluid, typo3-typoscript, symfony, laravel, django, flask, fastapi, spring, dotnet, blazor, rails, gin, react, vue, angular, nextjs, nuxt, express, nestjs

PHP quick checks

XML parsing (prevent XXE):
```php
// LIBXML_NONET blocks network access during parsing; never pass LIBXML_NOENT,
// which would expand external entities and reopen the XXE vector.
$doc->loadXML($input, LIBXML_NONET);
```
SQL (prevent injection):
```php
// Prepared statement: $id is bound as a parameter, never concatenated into the query.
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
```
Output (prevent XSS):
```php
// Encode for HTML context; ENT_QUOTES also covers attribute values in single quotes.
echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```
API keys, passwords, randomness:
```php
// $key: 32-byte secret from sodium_crypto_secretbox_keygen(), stored outside the database.
// A fresh nonce per encryption; nonce is stored in front of the ciphertext.
$n = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$enc = 'enc:' . base64_encode($n . sodium_crypto_secretbox($apiKey, $n, $key));
password_hash($pw, PASSWORD_ARGON2ID);
bin2hex(random_bytes(32)); // never mt_rand/rand: they are not cryptographically secure
```
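As an added example (not code from the skill or from the Netresearch repository), the secretbox snippet above carried through to a full encrypt/decrypt round trip with the `enc:` prefix layout, including the tamper check that the snippet alone does not show. The function names and the APP_SECRETBOX_KEY environment variable are assumptions for illustration.

```php
<?php
// Added example: store an API key as 'enc:' . base64(nonce . secretbox ciphertext)
// and read it back, refusing anything that is not authenticated ciphertext.
declare(strict_types=1);

// The 32-byte key lives outside the database (env var or secrets manager).
// APP_SECRETBOX_KEY is an assumed name; it holds the key hex-encoded.
function loadSecretboxKey(): string
{
    $hex = getenv('APP_SECRETBOX_KEY');
    if ($hex === false) {
        throw new RuntimeException('APP_SECRETBOX_KEY not set');
    }
    $key = sodium_hex2bin($hex);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key must be exactly 32 bytes');
    }
    return $key;
}

function encryptApiKey(string $apiKey, string $key): string
{
    // Fresh 24-byte nonce per call; reuse under the same key breaks secretbox.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox($apiKey, $nonce, $key);
    return 'enc:' . base64_encode($nonce . $ct);
}

function decryptApiKey(string $stored, string $key): string
{
    if (!str_starts_with($stored, 'enc:')) {
        // A legacy plaintext value must be migrated, never silently used.
        throw new RuntimeException('refusing to use an unencrypted API key from storage');
    }
    $raw = base64_decode(substr($stored, 4), true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($plain === false) {
        // Wrong key or modified ciphertext: the Poly1305 tag did not verify.
        throw new RuntimeException('decryption failed (tampered or wrong key)');
    }
    return $plain;
}

// Demo with a constructed key; production code calls loadSecretboxKey().
$key = sodium_crypto_secretbox_keygen();
$stored = encryptApiKey('sk_live_example_0123456789', $key);
echo "stored: {$stored}\n";
echo 'round trip ok: ', var_export(decryptApiKey($stored, $key) === 'sk_live_example_0123456789', true), "\n";

// Flip one ciphertext bit: decryption must fail rather than return garbage.
$raw = base64_decode(substr($stored, 4), true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decryptApiKey('enc:' . base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo "tamper detected: {$e->getMessage()}\n";
}
```

The `enc:` prefix lets an audit query the table for rows that still hold plaintext keys (`WHERE api_key NOT LIKE 'enc:%'`), which is the check the page's 80+ PHP/TYPO3 checkpoints are looking for when they flag stored credentials.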
Automated scanners (references/automated-scanning.md): semgrep/opengrep, trivy fs --severity HIGH,CRITICAL, gitleaks.
GitHub Actions (references/gha-security.md): never interpolate ${{ inputs.* }} or ${{ github.event.* }} directly inside run:, since attacker-controlled values are expanded into the shell script; pass them through env: and read the variable instead.
Scripts:
./scripts/security-audit-dispatcher.sh /path/to/project   # auto-detect stack
./scripts/security-audit.sh /path/to/project              # PHP-only
./scripts/github-security-audit.sh owner/repo             # GH repo
Dispatcher detects the stack from indicator files and runs matching scripts/scanners/*.sh (17 ecosystems; see references/ index).
Contributing: https://github.com/netresearch/security-audit-skill
This skill is based on the excellent work by Netresearch DTT GmbH.
Original repository: https://github.com/netresearch/security-audit-skill
Copyright (c) Netresearch DTT GmbH — Methodology and best practices (MIT / CC-BY-SA-4.0)
Special thanks to Netresearch DTT GmbH for their generous open-source contributions to the TYPO3 community, which helped shape this skill collection.
Adapted by webconsulting.at for this skill collection.
Install: npx claudepluginhub dirnbauer/webconsulting-skills
Conducts security assessments for OWASP Top 10, CWE Top 25, CVSS, PHP/TYPO3, APIs, frontend, IaC, cloud (AWS/Azure/GCP), AI agent configs, and dependency scanning.