How does it identify potential vulnerabilities?

The skill uses a source-to-sink data flow analysis, tracing untrusted input from entry points like HTTP requests through to dangerous operations like SQL queries or system commands.

Can it distinguish between theoretical and practical risks?

Yes, the skill is designed to prioritize practical exploitability in the context of the specific system while still documenting theoretical risks for comprehensive reporting.

Does this skill support the latest OWASP frameworks?

Yes, it includes specialized checklists for OWASP Web Top 10, API Top 10, and Mobile Top 10 (2024) to ensure modern security standards are met.

Will findings be mapped to specific industry identifiers?

Every security finding includes a specific CWE identifier, the exact code location, and an explanation of the data flow that makes it exploitable.

Security Code Analysis

Name: Security Code Analysis
Author: bitwarden

bybitwarden

•

安全与测试

Performs rigorous manual security code reviews by tracing untrusted data flows and validating against OWASP and CWE frameworks.

This skill empowers Claude to act as a security engineer, conducting deep-dive audits to uncover vulnerabilities before they reach production. It utilizes a systematic workflow to map attack surfaces, trace data from untrusted sources to dangerous sinks, and verify trust boundaries across the entire application stack. By applying an adversarial mindset and consulting industry-standard checklists like the OWASP Top 10 and CWE Top 25, it identifies critical flaws in authentication, authorization, and data handling while providing actionable, CWE-mapped findings prioritized by practical exploitability.

主要功能

01Adversarial hypothesis-driven testing to identify complex logic bypasses

02Mandatory CWE ID mapping for all identified security vulnerabilities

03Verification of trust boundaries and authorization at every service layer

043 GitHub stars

05Comprehensive data flow tracing from untrusted sources to dangerous sinks

06Systematic validation against OWASP Web, API, and Mobile Top 10 frameworks

使用场景

01Conducting a pre-merge security audit for new API endpoints and controllers

02Reviewing legacy codebases for injection vulnerabilities and cryptographic failures

03Validating authentication and authorization logic against privilege escalation risks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add bitwarden/ai-plugins analyzing-code-security

For use in Claude.ai and ChatGPT

主要功能

01Adversarial hypothesis-driven testing to identify complex logic bypasses

02Mandatory CWE ID mapping for all identified security vulnerabilities

03Verification of trust boundaries and authorization at every service layer

043 GitHub stars

05Comprehensive data flow tracing from untrusted sources to dangerous sinks

06Systematic validation against OWASP Web, API, and Mobile Top 10 frameworks

使用场景

01Conducting a pre-merge security audit for new API endpoints and controllers

02Reviewing legacy codebases for injection vulnerabilities and cryptographic failures

03Validating authentication and authorization logic against privilege escalation risks

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add bitwarden/ai-plugins analyzing-code-security

For use in Claude.ai and ChatGPT