insecure-design
Installation
SKILL.md
Insecure Design Analysis (OWASP A04:2021)
Analyze application architecture and code for missing or ineffective security controls that result from absent threat modeling, insufficient security requirements, or failure to use secure design patterns. This is the most subjective OWASP category -- automated scanners provide minimal coverage, so Claude's architectural reasoning is the primary value.
Supported Flags
Read ../../shared/schemas/flags.md for the full flag specification. This skill
supports all cross-cutting flags. Key behaviors:
| Flag | Insecure Design-Specific Behavior |
|---|---|
--scope |
Default changed. Broader scopes (branch, full) are strongly recommended since design flaws are architectural. |
--depth quick |
Check for obvious missing controls (rate limiting, CSRF tokens, security headers). Pattern scan only. |
--depth standard |
Full code read of scoped files, analyze request flows and business logic for design gaps. |
--depth deep |
Standard + map full request lifecycle, identify trust boundaries, analyze defense-in-depth layering across the codebase. |
Related skills