Stats
Actions
Tags
From odin
Performs adversarial security audits using STRIDE, OWASP Top 10, supply-chain CVE/SBOM, secrets scanning, and auth/authz analysis. Apply before production releases or on changes touching auth, input parsing, deserialization, network I/O, dependencies, or secrets.
How this skill is triggered — by the user, by Claude, or both
Slash command
/odin:security-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Threat modeling is hypothesis generation for an adversary. Walk the change set as the attacker would: where does untrusted input enter, what trust boundary does it cross, what does it gain on the other side. Every unaudited path is a free move for the attacker.
Threat modeling is hypothesis generation for an adversary. Walk the change set as the attacker would: where does untrusted input enter, what trust boundary does it cross, what does it gain on the other side. Every unaudited path is a free move for the attacker.
Apply: new external surface (HTTP route, RPC method, file upload); AuthN/AuthZ change; deserialization / parsing of untrusted input; new dependency or major-version upgrade; cryptographic change; pre-release of public-facing service; incident postmortem.
NOT apply: internal refactor with no trust-boundary delta; pure performance work; documentation-only changes; internal-only experimental code.
Apply each prompt to every component touched by the change.
| Letter | Threat | Required questions |
|---|---|---|
| S | Spoofing | Who is the principal? How is identity proven? Can the credential be forged, replayed, or stolen? Is MFA / mutual-auth enforced? |
| T | Tampering | What inputs cross the trust boundary? Are they validated against an explicit schema (Zod / Pydantic / serde)? Are messages integrity-protected (HMAC / signature / TLS)? |
| R | Repudiation | Are security-relevant actions logged with actor + timestamp + outcome? Are logs append-only / tamper-evident? |
| I | Information Disclosure | What data is returned in error paths, logs, telemetry? Are PII / secrets ever serialized? Are timing side-channels addressed (constant-time compare)? |
| D | Denial of Service | Are inputs bounded (size, count, depth)? Is parsing resource-limited (zip-bomb, billion-laughs, ReDoS)? Are external calls rate-limited? |
| E | Elevation of Privilege | What privilege does the new code execute under? Is least privilege honored? Can input alter privilege (path traversal, SQL injection, deserialization gadget)? |
For each "yes" / "unclear" answer, file a finding with severity and remediation owner.
git grep -n -C 3 'authorize\|@PreAuthorize\|require_role' then trace policy.git grep -n -E 'MD5|SHA1|DES|Random\(\)' for weak primitives. Use -E (extended regex) for alternation; -F (fixed-string) breaks the pipe-as-OR. Add ecosystem patterns as needed: Math.random, secrets.choice, Mersenne constants.ast-grep patterns for unparameterized queries / shell concat / template eval.| Family | CVE scanner | Secrets / history | SBOM |
|---|---|---|---|
| Rust | cargo audit, cargo deny check advisories | gitleaks, trufflehog | cargo cyclonedx, syft |
| Python | pip-audit, safety check | gitleaks, detect-secrets | cyclonedx-py, syft |
| JavaScript/TypeScript | npm audit, pnpm audit, bun audit | gitleaks, trufflehog | cyclonedx-bom, syft |
| Go | govulncheck, nancy | gitleaks, trufflehog | cyclonedx-gomod, syft |
| Java/Kotlin | OWASP Dependency-Check, gradle dependencyCheckAnalyze | gitleaks, trufflehog | CycloneDX Gradle/Maven, syft |
| OCaml | opam audit, opam-repository advisory feed | gitleaks, detect-secrets | syft (filesystem) |
Use fd -e <ext> (not find). Use git grep -n -F 'literal' (not grep). Use bat -P -p -n (not cat).
gitleaks.npx claudepluginhub outlinedriven/odin-claude-plugin --plugin odinPerforms security audits using STRIDE threats, OWASP Top 10 risks, and 4 red-team personas. Scans deps/secrets/routes, maps assets/boundaries, requires code evidence, rates exploitability.
Audits code for security vulnerabilities including OWASP Top 10, auth flaws, injection, data exposure, and dependency risks using STRIDE threat modeling and phased reviews.
Evaluates threats, vulnerabilities, and missing protections using STRIDE and OWASP Top 10. Designed for use by review orchestrators, not direct invocation.