security-scan
Scan code for OWASP Top 10 vulnerabilities. Report severity-rated findings with file:line references and fix recommendations. Flag what matters; skip what doesn't apply.
Scan Categories
Work through each OWASP category. For each, search for the specific code patterns listed.
1. Injection (A03:2021)
| Pattern to find | Risk | What to verify |
|---|---|---|
| String concatenation in SQL queries | SQL injection | Use parameterized queries / prepared statements |
| Template literals in database calls | NoSQL injection | Use query builders or ORM methods with bound parameters |
| `exec()`, `spawn()`, `system()` with user input | Command injection | Validate/whitelist input, avoid shell execution |
| User input in LDAP filters | LDAP injection | Escape special characters, use parameterized filters |
| User input in regex constructors | ReDoS | Validate regex complexity, use re2 or set timeouts |
| `eval()`, `Function()`, `vm.runInContext()` | Code injection | Remove entirely; never evaluate user-controlled strings |
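As an added example (not code from the builder-skills repo), here is a small Python scanner that turns four of the injection rows above into regex heuristics and emits the severity-rated, `file:line` findings with fix recommendations that this skill asks for. The rule names, severities, and the sample `app.js` source are constructed for the example; regexes miss cases an AST-based scanner would catch, so hits are candidates to verify, not confirmed vulnerabilities.

```python
import re

# Heuristic rules (constructed for this example): category, severity, regex, fix.
RULES = [
    ("Injection/SQL", "HIGH",
     re.compile(r'["\'].*\b(SELECT|INSERT|UPDATE|DELETE)\b.*["\']\s*\+|f["\'].*\b(SELECT|INSERT|UPDATE|DELETE)\b.*\{', re.I),
     "Use parameterized queries / prepared statements"),
    ("Injection/NoSQL", "HIGH",
     re.compile(r'\b(db|collection|find\w*|query)\b.*`[^`]*\$\{'),
     "Use query builders or ORM methods with bound parameters"),
    ("Injection/Command", "HIGH",
     re.compile(r'\b(exec|execSync|spawn|system)\s*\(\s*[^"\')]'),
     "Validate/whitelist input, avoid shell execution"),
    ("Injection/Code", "CRITICAL",
     re.compile(r'\b(eval|Function|vm\.runInContext)\s*\('),
     "Remove entirely; never evaluate user-controlled strings"),
]
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def scan_source(filename, text):
    """Return one finding dict per (line, rule) hit, each with a file:line reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, severity, pattern, fix in RULES:
            if pattern.search(line):
                findings.append({"location": f"{filename}:{lineno}", "severity": severity,
                                 "category": category, "evidence": line.strip(), "fix": fix})
    return findings

def format_report(findings):
    """Severity-sorted report lines: [SEV] file:line category: evidence -> fix."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])
    return [f'[{f["severity"]}] {f["location"]} {f["category"]}: {f["evidence"]} -> {f["fix"]}'
            for f in ordered]

# Constructed sample input; the execSync("ls -la") line has a literal argument and must not fire.
SAMPLE_FILE = "app.js"
SAMPLE_SOURCE = """\
const q = "SELECT * FROM users WHERE id = " + req.params.id;
db.query(q);
users.find({ name: `${req.query.name}` });
child_process.exec(req.body.cmd);
child_process.execSync("ls -la");
const out = eval(req.query.code);
"""

if __name__ == "__main__":
    print("\n".join(format_report(scan_source(SAMPLE_FILE, SAMPLE_SOURCE))))
```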
2. Broken Authentication (A07:2021)