What kind of design flaws can it detect?

It detects missing rate limiting, lack of CSRF protection, trust-the-client patterns, missing account lockout, business logic race conditions, and inadequate tenant isolation.

Does it provide code fixes for design flaws?

Yes, by using the --fix flag, Claude will generate implementation suggestions and code sketches to help you integrate the missing security controls into your existing codebase.

Can this skill help with OWASP compliance?

Yes, it specifically maps findings to the OWASP Top 10 2021 A04:2021 category, providing the architectural reasoning required to satisfy security design reviews.

How does this skill differ from standard security scanners?

While traditional scanners find implementation bugs like SQL injection, this skill uses Claude's reasoning to identify 'Insecure Design'—the absence of necessary security controls that should have been designed into the architecture from the start.

Insecure Design Security Analyst

Name: Insecure Design Security Analyst
Author: florianbuetow

byflorianbuetow

•

セキュリティとテスト

Analyzes application architecture and business logic to identify missing security controls and architectural flaws based on OWASP A04:2021.

The Insecure Design skill empowers developers to uncover deep-seated architectural weaknesses that traditional automated scanners often overlook. By leveraging Claude's advanced reasoning, it evaluates your codebase against the OWASP Top 10 A04:2021 category, focusing on missing threat modeling, insufficient security requirements, and trust boundary violations. Whether you are reviewing a new API or auditing legacy business logic, this skill identifies gaps in defense-in-depth, such as missing rate limiting, CSRF protections, or account lockout mechanisms, and provides actionable remediation steps to harden your application's fundamental design.

主な機能

016 GitHub stars

02Evaluation of trust boundaries and client-server validation gaps

03Automated implementation suggestions to fix architectural design flaws

04Multi-depth analysis from quick pattern matching to expert threat modeling

05OWASP A04:2021 mapping and STRIDE threat model analysis

06Identification of missing security controls like rate limiting and CSRF protection

ユースケース

01Identifying exploitable business logic in sensitive workflows like payments or authentication

02Auditing application architecture during the design phase or after major refactors

03Ensuring consistent application of defense-in-depth layers across a distributed system

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code insecure-design

For use in Claude.ai and ChatGPT

Download Skill