harshith-vaddiparthy/outskill-owasp-security-review

10 stars · Last commit 2026-06-27

A Claude Code skill: launch-gate security review against the OWASP Top 10 (2025) for Next.js + Supabase + OpenAI apps, explained in plain language. Built from a verified 25-subagent audit.

README preview

# OWASP Security Review — a Claude Code Skill

A plug-in **[Claude Code](https://claude.com/claude-code) skill** that runs a launch-gate **security review against the [OWASP Top 10 (2025)](https://owasp.org/Top10/)** on a Next.js + Supabase + OpenAI codebase — and explains every finding in plain language, so a non-coder can act on it.

It was purpose-built for the **[Vibe CRM Security Lab](https://github.com/harshith-vaddiparthy/vibe-crm-security-lab)** (a deliberately-vulnerable teaching CRM), but the methodology and the per-category checklist work as a general OWASP-2025 review for any modern Next.js App Router + Supabase app.

> **TL;DR** — Type `/owasp-security-review` in Claude Code. It maps all 10 OWASP 2025 risks to the exact files in your repo, rates severity, and points at the concrete fix — no security jargon required.

---

## Why this exists

Most "AI security review" is generic: it lists the OWASP Top 10 and hand-waves. This skill is the opposite — it is **grounded in one real codebase**. Every finding names a real file, a real line of reasoning, and (where the lab provides one) the **correct version already sitting next to the broken one**.

It's written for an owner who **prompts but doesn't read code**. So instead of "IDOR on the contact endpoint," it says: *"Anyone can read another company's customer by changing a number in the web address — here's the file, here's why it's a breach with real data, here's the one-line fix."*

---

## How it was built (multi-agent, verified)

View full repository on GitHub →