// owasp_hub / claude_agent_skills

Agent Skills

11 Claude Agent Skills built on OWASP Top 10:2025 + WSTG v4.2. Use them in Claude Code or Claude Desktop to scan your application code for security vulnerabilities — one skill per risk category, plus a full-scan orchestrator.

// how_to_use

Clone the repo

The skills live in the /skills directory of this project's GitHub repository.

Add to Claude

In Claude Desktop → Settings → Agent Skills, point to the /skills directory to register all 11 skills.

Invoke a skill

Say "scan my project for A05 injection risks" or "run scanning-web-vulnerabilities on /src" in Claude Code.

· 11 skills· OWASP Top 10:2025· WSTG v4.2 references· by Djodji KOMLAN

// full_scan_orchestrator

Full Scannerorchestrator

description: "Runs a full OWASP Top 10:2025 security scan against web application source code. Checks all 10 risk categories sequentially and produces a prioritized findings report with severity ratings, CWE references, WSTG test IDs, and remediation links. Use when asked to audit, scan, or security-review a web application codebase, or when a user says "check for OWASP vulnerabilities", "security audit", or "find security issues"."

by Djodji KOMLAN

// individual_risk_skills · A01–A10:2025

A01:2025

#01

description: "Audits source code for A01:2025 broken access control per OWASP Top 10:2025 and WSTG-ATHZ. Detects IDOR, missing role checks on privileged routes, path traversal, CORS misconfiguration, and mass assignment. Use when reviewing authorization logic, route protection, or when asked whether users can access resources they should not be able to."

by Djodji KOMLAN

A07:2025

#07

description: "Audits authentication and session management code for A07:2025 authentication failures per OWASP Top 10:2025 and WSTG-ATHN. Detects missing brute-force protection, weak or missing session cookie flags, session fixation, credential exposure in logs or URLs, missing MFA, and insecure password reset flows. Use when reviewing login endpoints, session handling, token issuance, password management, or any identity-related code."

by Djodji KOMLAN

A04:2025

#04

description: "Audits code for A04:2025 cryptographic failures per OWASP Top 10:2025 and WSTG-CRYP. Detects weak hashing algorithms, hardcoded secrets, ECB mode, static IVs, missing TLS enforcement, insecure random number generation, and JWT vulnerabilities. Use when reviewing password hashing, encryption logic, secret storage, TLS configuration, or any code handling passwords, tokens, PII, or payment data."

by Djodji KOMLAN

A08:2025

#08

description: "Audits code for A08:2025 software or data integrity failures per OWASP Top 10:2025 and WSTG-INPV-11. Detects insecure deserialization of untrusted data, missing SRI on CDN assets, CI/CD expression injection that executes untrusted code, prototype pollution, and auto-update without cryptographic verification. Use when reviewing deserialization logic, build pipeline definitions, CDN asset loading, or any flow where external code or data is executed without integrity verification."

by Djodji KOMLAN

A10:2025

#10

description: "Audits code for A10:2025 mishandling of exceptional conditions per OWASP Top 10:2025 and WSTG-ERRH. Detects stack traces returned in API responses, security controls bypassable through error paths, unhandled async rejections, ReDoS via user-controlled regex, and type confusion from unexpected input shapes. Use when reviewing error handlers, try/catch blocks, async route handlers, regex patterns, or any code that processes unexpected or malformed user input."

by Djodji KOMLAN

A05:2025

#05

description: "Audits source code for A05:2025 injection vulnerabilities per OWASP Top 10:2025 and WSTG-INPV. Detects SQL, NoSQL, OS command, LDAP, XSS, server-side template injection, XXE, and HTTP header injection across multiple languages and frameworks. Use when reviewing route handlers, database queries, template rendering, or any code that passes user-controlled input to an interpreter, shell, or database."

by Djodji KOMLAN

A06:2025

#06

description: "Reviews application architecture and business logic for A06:2025 insecure design per OWASP Top 10:2025 and WSTG-BUSL. Identifies missing rate limiting, client-only validation, multi-step workflow bypass, business logic abuse, and account enumeration by design. Use when reviewing login flows, checkout processes, multi-step workflows, pricing logic, or any feature where the design itself creates a security gap rather than a coding bug."

by Djodji KOMLAN

A09:2025

#09

description: "Audits code for A09:2025 security logging and alerting failures per OWASP Top 10:2025 and WSTG-ERRH. Detects missing logs for authentication and authorization events, sensitive data logged in plaintext, empty catch blocks that swallow security events, and log injection via string interpolation. Use when reviewing logging configuration, error handlers, authentication flows, or any code where missing logs could allow an attacker to operate undetected."

by Djodji KOMLAN

A02:2025

#02

description: "Audits configuration and deployment files for A02:2025 security misconfiguration per OWASP Top 10:2025 and WSTG-CONF. Detects debug mode in production, missing HTTP security headers, exposed stack traces, default credentials, and cloud or container misconfigurations. Use when reviewing .env files, server config, middleware setup, Dockerfiles, Kubernetes manifests, or any infrastructure-as-code files."

by Djodji KOMLAN

A03:2025

#03

description: "Audits package manifests and CI/CD pipeline files for A03:2025 software supply chain failures per OWASP Top 10:2025 and WSTG-CONF-14. Detects unpinned dependencies, missing lockfiles, dependency confusion risk, absent SRI on CDN assets, and CI/CD expression injection. Use when reviewing package.json, requirements.txt, pom.xml, Gemfile, go.mod, Dockerfiles, or GitHub Actions workflows."

by Djodji KOMLAN