Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
Add this skill
npx mdskills install sickn33/vulnerability-scannerComprehensive security reference with clear threat modeling and OWASP 2025 coverage
Think like an attacker, defend like an expert. 2025 threat landscape awareness.
Execute for automated validation:
| Script | Purpose | Usage |
|---|---|---|
scripts/security_scan.py | Validate security principles applied | python scripts/security_scan.py |
| File | Purpose |
|---|---|
| checklists.md | OWASP Top 10, Auth, API, Data protection checklists |
| Principle | Application |
|---|---|
| Assume Breach | Design as if attacker already inside |
| Zero Trust | Never trust, always verify |
| Defense in Depth | Multiple layers, no single point |
| Least Privilege | Minimum required access only |
| Fail Secure | On error, deny access |
Before scanning, ask:
| Rank | Category | Think About |
|---|---|---|
| A01 | Broken Access Control | Who can access what? IDOR, SSRF |
| A02 | Security Misconfiguration | Defaults, headers, exposed services |
| A03 | Software Supply Chain ๐ | Dependencies, CI/CD, build integrity |
| A04 | Cryptographic Failures | Weak crypto, exposed secrets |
| A05 | Injection | User input โ system commands |
| A06 | Insecure Design | Flawed architecture |
| A07 | Authentication Failures | Session, credential management |
| A08 | Integrity Failures | Unsigned updates, tampered data |
| A09 | Logging & Alerting | Blind spots, no monitoring |
| A10 | Exceptional Conditions ๐ | Error handling, fail-open states |
2021 โ 2025 Shifts:
โโโ SSRF merged into A01 (Access Control)
โโโ A02 elevated (Cloud/Container configs)
โโโ A03 NEW: Supply Chain (major focus)
โโโ A10 NEW: Exceptional Conditions
โโโ Focus shift: Root causes > Symptoms
| Vector | Risk | Question to Ask |
|---|---|---|
| Dependencies | Malicious packages | Do we audit new deps? |
| Lock files | Integrity attacks | Are they committed? |
| Build pipeline | CI/CD compromise | Who can modify? |
| Registry | Typosquatting | Verified sources? |
| Category | Elements |
|---|---|
| Entry Points | APIs, forms, file uploads |
| Data Flows | Input โ Process โ Output |
| Trust Boundaries | Where auth/authz checked |
| Assets | Secrets, PII, business data |
Risk = Likelihood ร Impact
High Impact + High Likelihood โ CRITICAL
High Impact + Low Likelihood โ HIGH
Low Impact + High Likelihood โ MEDIUM
Low Impact + Low Likelihood โ LOW
| Factor | Weight | Question |
|---|---|---|
| CVSS Score | Base severity | How severe is the vuln? |
| EPSS Score | Exploit likelihood | Is it being exploited? |
| Asset Value | Business context | What's at risk? |
| Exposure | Attack surface | Internet-facing? |
Is it actively exploited (EPSS >0.5)?
โโโ YES โ CRITICAL: Immediate action
โโโ NO โ Check CVSS
โโโ CVSS โฅ9.0 โ HIGH
โโโ CVSS 7.0-8.9 โ Consider asset value
โโโ CVSS **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"
Install via CLI
npx mdskills install sickn33/vulnerability-scannerVulnerability Scanner is a free, open-source AI agent skill. Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
Install Vulnerability Scanner with a single command:
npx mdskills install sickn33/vulnerability-scannerThis downloads the skill files into your project and your AI agent picks them up automatically.
Vulnerability Scanner works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.