Stats
Actions
Tags
From sd0x-dev-flow
Runs OWASP Top 10 security audits and dependency vulnerability checks on code changes. Use for security-sensitive code, not general code review.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sd0x-dev-flow:security-reviewExploreThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- Keywords: security review, OWASP, vulnerability, dep-audit, npm audit, dependency security
codex-code-review)test-review)| Command | Purpose | When |
|---|---|---|
/codex-security | OWASP Top 10 audit | Security-sensitive code |
/dep-audit | Dependency security audit | Periodic / PR |
/codex-securityDetermine scope → Collect changes → Codex OWASP review → Findings + Gate → Loop if Must fix
Parse --scope from arguments, default to src/.
Priority order:
git diff HEAD -- <scope> | head -1500git diff HEAD~5..HEAD -- <scope> | head -1500Glob("**/*{auth,login,password,token,secret,key,credential}*")First review: mcp__codex__codex with OWASP prompt. See references/codex-prompt-security.md.
Config: sandbox: 'read-only', approval-policy: 'never'
Save the returned threadId.
Loop review: mcp__codex__codex-reply with re-review template. See references/codex-prompt-security.md.
Organize results into findings summary table + detailed findings + gate.
| Code | Category | Check Focus |
|---|---|---|
| A01 | Broken Access Ctrl | IDOR, permission bypass, CORS |
| A02 | Crypto Failures | Sensitive data encryption, weak crypto |
| A03 | Injection | SQL/NoSQL/Cmd Injection |
| A04 | Insecure Design | Rate Limiting, business logic |
| A05 | Misconfiguration | Debug mode, default passwords |
| A06 | Vulnerable Comp | Known vulnerable dependencies |
| A07 | Auth Failures | Brute force, session, weak passwords |
| A08 | Integrity Failures | Deserialization, CI/CD |
| A09 | Logging Failures | Sensitive data in logs, auditing |
| A10 | SSRF | URL validation, internal network access |
⚠️ @CLAUDE.md auto-loop: fix → re-review → ... → ✅ PASS ⚠️
⛔ Must fix → fix P0 issues → /codex-security --continue <threadId> → repeat until ✅ Mergeable.
Max 3 rounds. Still failing → report blocker.
references/codex-prompt-security.mdreferences/examples.mdInput: /codex-security --scope src/controller/
Action: OWASP Top 10 check → output issues + Gate
Input: /dep-audit --level high
Action: npm audit → filter high/critical → output report
npx claudepluginhub sd0xdev/sd0x-dev-flow --plugin sd0x-dev-flowPerforms OWASP Top 10 security review using Codex MCP with context preservation. Delegates to security-review skill for full workflow.
Orchestrates parallel agents for security code audits (OWASP/CWE), secrets scanning, and dependency CVE checks on codebases, staged changes, or PRs.
Guides OWASP standards-based security reviews and vulnerability assessments. Use for security audits, threat modeling, secure code review, and dependency checks.