Security Vulnerability Scanner Skill
Scans code for OWASP Top 10 vulnerabilities, hardcoded secrets, dependency risks, and security anti-patterns.
A reusable skill package for Claude Code and Cowork.
When to use this skill
- Auditing code for security vulnerabilities before release
- Scanning for hardcoded secrets, API keys, or credentials
- Checking dependencies for known CVEs
- Reviewing authentication and authorization logic
What this skill does
Systematically scans source code against the OWASP Top 10 checklist, searches for hardcoded secrets and credentials, reviews authentication and authorization patterns, checks input validation and output encoding, and produces a severity-ranked vulnerability report with remediation guidance.
How it works
1. Inventory attack surface: identify endpoints, auth flows, data inputs, and third-party integrations
2. Scan for OWASP Top 10: injection, broken auth, XSS, insecure deserialization, misconfigurations
3. Check for secrets: hardcoded API keys, tokens, passwords, connection strings in code and config
4. Generate vulnerability report with severity (critical/high/medium/low), affected files, and fix guidance
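Steps 3 and 4 above, carried through as an added example that is not part of the skill package: a small Python scanner with illustrative rules for the secret types the skill lists (AWS access key ids, database connection strings, JWT/OAuth secrets, passwords, generic API keys), a placeholder and Shannon-entropy check that marks low-confidence matches "needs manual verification" as the skill's false-positive rule asks, redaction so the report does not itself leak what it found, and a severity-ranked report. The rule set, the 3.0 bits/char threshold, and the sample files are constructed for this example; the AKIA value is the placeholder access key id that appears in AWS's own documentation, not a live key.

```python
import math
import re
from dataclasses import dataclass

# Severity ordering used to sort the report (critical first).
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Detection rules: (rule id, regex, severity, confidence). Group 1 captures the
# secret value so it can be redacted in the report. Patterns are illustrative;
# a production scanner carries a much larger, tuned rule set.
RULES = [
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "critical", "high"),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), "critical", "high"),
    ("db-connection-string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@]+:([^\s@]+)@"), "high", "high"),
    ("jwt-or-oauth-secret",
     re.compile(r"(?i)\b(?:jwt|oauth)[_-]?(?:client[_-]?)?secret\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), "high", "medium"),
    ("hardcoded-password",
     re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]([^'\"]{4,})['\"]"), "high", "medium"),
    ("generic-api-key",
     re.compile(r"(?i)\bapi[_-]?key\s*[:=]\s*['\"]([^'\"]{16,})['\"]"), "medium", "low"),
]

# Substrings that usually mark a placeholder rather than a live credential.
PLACEHOLDER_HINTS = ("example", "placeholder", "changeme", "change-me", "your-", "xxxx", "<", "${")


@dataclass
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    snippet: str
    needs_verification: bool


def shannon_entropy(s: str) -> float:
    """Bits per character; randomly generated keys usually score well above 3.0."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(line: str, value: str) -> str:
    """Keep a two-character prefix so the finding is recognisable without leaking the secret."""
    return line.replace(value, value[:2] + "*" * (len(value) - 2))


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, severity, confidence in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1)
            looks_placeholder = any(h in value.lower() for h in PLACEHOLDER_HINTS)
            # Medium/low-confidence rules also need a high-entropy value; a weak
            # match is still reported but flagged, per the false-positive rule.
            low_entropy = confidence != "high" and shannon_entropy(value) < 3.0
            findings.append(Finding(
                rule=rule, severity=severity, path=path, line=lineno,
                snippet=redact(line.strip(), value),
                needs_verification=looks_placeholder or low_entropy or confidence == "low",
            ))
    return findings


def scan_files(files: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def build_report(findings: list) -> str:
    """Severity-ranked plain-text report: critical first, then by file and line."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))
    rows = []
    for f in ordered:
        tag = " [needs manual verification]" if f.needs_verification else ""
        rows.append(f"{f.severity.upper():8} {f.path}:{f.line} {f.rule}{tag}  {f.snippet}")
    return "\n".join(rows)


# Constructed sample input; the AKIA value is the placeholder key from AWS's docs.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_URL = 'postgres://app:s3cr3tpass@db.internal:5432/app'\n"
        "JWT_SECRET = 'change-me-in-production'\n"
        "api_key = 'your-api-key-here-0000'\n"
    ),
    "src/auth.py": (
        "def login(user, password):\n"
        "    return check(user, password)\n"
    ),
}

if __name__ == "__main__":
    print(build_report(scan_files(SAMPLE_FILES)))
```

Run on the sample, the report lists four findings: the documentation key and the "change-me" JWT secret are flagged for manual verification, the connection string password is reported as a clean high, and the `password` parameter in `src/auth.py` produces nothing because the rule requires an assigned quoted literal.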
Full Skill Definition
---
name: security-scanner
description: "Scans code for OWASP Top 10 vulnerabilities, hardcoded secrets, dependency risks, and security anti-patterns."
---
# Security Scanner
## Overview
You are an application security specialist focused on identifying vulnerabilities and ensuring compliance.
## Purpose
Conduct security reviews of code, APIs, and architecture to identify and remediate vulnerabilities.
## When to Use
When a user needs a security audit, vulnerability assessment, or compliance check on their code or infrastructure.
## Security Review Process
### Step 1: Define Scope & Identify Attack Surface
Clarify what is in scope (code review vs. infrastructure vs. full penetration test) and the threat actors to consider. Map inputs, authentication flows, data storage, and external integrations.
### Step 2: Check OWASP Top 10
Systematically evaluate for injection, broken auth, sensitive data exposure, XXE, broken access control, misconfigurations, XSS, deserialization, vulnerable components, and insufficient logging.
### Step 3: Assess Data Handling
Verify encryption at rest and in transit, PII handling, secrets management, and access controls.
### Step 4: Report Findings & Track Remediation
Rank by severity (critical/high/medium/low), include CVE references where applicable, and provide specific remediation steps. Recommend a re-review cadence and track remediation status until all critical and high findings are resolved.
## Error Handling
## Scope Limitations
Clarify what is in scope — code review vs. infrastructure vs. full penetration test.
### False Positives
Always verify findings before reporting. Flag uncertain items as "needs manual verification".
### Supply Chain Risks
Include third-party libraries, open-source dependencies, and container base images in the review scope. Software supply chain attacks are increasingly common.
Summary
Scans code for OWASP Top 10 vulnerabilities, hardcoded secrets, dependency risks, and security anti-patterns. Install this skill by placing the package in ~/.claude/skills/security-scanner/ for personal use, or .claude/skills/security-scanner/ for project-specific use.
FAQs
Does it replace a SAST tool?
No. It complements SAST tools by providing contextual analysis that pattern-matching scanners miss, such as logic flaws and auth bypasses.
What types of secrets does it detect?
API keys, database connection strings, JWT secrets, OAuth credentials, AWS keys, and any string that looks like a credential.
Can it check dependencies?
It reviews package.json, requirements.txt, and similar manifests for known vulnerable versions, but recommends running dedicated tools like npm audit for comprehensive CVE checks.
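The manifest review this answer describes, as an added example that is not part of the skill package: a Python check that parses a requirements.txt and a package.json, compares each dependency's lowest resolvable version against an advisory list, and flags unpinned ranges (`>=`, `^`, `~`) for manual verification because the version actually installed may already include the fix. The advisory entries use placeholder ids and fictional package names; real data would come from the dedicated tools the answer recommends.

```python
import json
import re

# Constructed advisory list with placeholder ids; a real check would pull
# from the ecosystem's advisory database (npm audit, pip-audit, OSV, ...).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "2.3.1", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "widgetkit", "fixed_in": "1.0.5", "severity": "medium"},
]


def parse_version(v: str) -> tuple:
    """Numeric tuple for comparison, so 1.10.0 sorts after 1.9.3."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return parts or (0,)


def parse_requirements(text: str) -> dict:
    """requirements.txt: keep name, version and whether the pin is exact (==)."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(==|>=|~=)\s*([\w.]+)", line)
        if m:
            name, op, version = m.groups()
            deps[name.lower()] = {"version": version, "pinned": op == "=="}
    return deps


def parse_package_json(text: str) -> dict:
    """package.json: a spec starting with a digit is an exact pin; ^ and ~ are ranges."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name.lower()] = {"version": spec.lstrip("^~>=<"), "pinned": spec[:1].isdigit()}
    return deps


def check_dependencies(deps: dict, advisories: list = ADVISORIES) -> list:
    """Report any dependency whose lowest resolvable version predates the fix."""
    findings = []
    for adv in advisories:
        dep = deps.get(adv["package"])
        if dep is None:
            continue
        if parse_version(dep["version"]) < parse_version(adv["fixed_in"]):
            findings.append({
                "package": adv["package"],
                "installed": dep["version"],
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                # A range like ^1.0.2 may resolve to a fixed version at install
                # time, so only an exact pin is reported without the flag.
                "needs_verification": not dep["pinned"],
            })
    return findings


# Constructed manifests (fictional package names).
REQUIREMENTS_TXT = """\
examplelib==2.2.0
widgetkit>=1.0.5   # already at the fixed version
safelib==3.0.0
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"widgetkit": "^1.0.2", "examplelib": "2.3.1"},
})

if __name__ == "__main__":
    for label, deps in (("requirements.txt", parse_requirements(REQUIREMENTS_TXT)),
                        ("package.json", parse_package_json(PACKAGE_JSON))):
        for f in check_dependencies(deps):
            flag = " (needs manual verification)" if f["needs_verification"] else ""
            print(f"{label}: {f['package']} {f['installed']} < {f['fixed_in']} "
                  f"[{f['severity']}] {f['advisory']}{flag}")
```

The requirements file yields one clean finding (`examplelib` pinned below the fix), while the package.json range `^1.0.2` is reported with the verification flag; comparing the lowest version a range admits rather than ignoring ranges keeps the check conservative without overstating certainty.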
Download & install
Install paths
Claude Code — personal (all projects)
~/.claude/skills/security-scanner/SKILL.md
Claude Code — project-specific
.claude/skills/security-scanner/SKILL.md
Cowork — skill plugin
Upload .skill.zip via Cowork plugin manager
Compatible with Claude Code, Cowork, and any SKILL.md-compatible agent platform.
Skills in the registry are community starter templates provided as-is. skill.design and Designless do not guarantee accuracy, completeness, or fitness for any purpose. Always review, customize, and validate skills for your specific use case before deploying to production. You are responsible for the behavior of skills you install and use.