- Home
- Skills
- Williamzujkowski
- Cognitive Toolworks
- Security Appsec Validator
security-appsec-validator_skill
- Python
5
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-appsec-validator- CHANGELOG.md936 B
- SKILL.md8.4 KB
Overview
This skill validates application security against OWASP Top 10 (2021) and OWASP API Security Top 10 (2023) guidance, emphasizing injection prevention and access control checks. It produces structured findings with CVSS v3.1 scoring, mapped OWASP categories, and concrete remediation steps suitable for pre-production reviews, post-incident assessments, or compliance validation.
How this skill works
Provide an application identifier, assessment scope (web-app, api, or mobile-backend), and check level (critical-only, standard, comprehensive). The skill runs a checklist-driven inspection of relevant OWASP categories, flags control failures (e.g., access control gaps, injection vectors, authentication weaknesses), and generates a JSON findings report with CWE mappings, CVSS scores, remediation steps, and references. Ambiguities trigger requests for architecture or authentication documentation and abort if the identifier is missing.
When to use it
- Pre-production security review before deployment
- API security validation during development or release
- Post-incident assessment to identify control gaps
- Responding to third-party security questionnaires
- Meeting application-level compliance requirements aligned to OWASP
Best practices
- Supply application architecture and authentication docs when available to reduce ambiguity
- Choose check_level to match risk tolerance: critical-only for fast triage, comprehensive for full coverage
- Keep credentials and sensitive data out of reports; the skill avoids exploiting systems
- Use findings to prioritize remediation by CVSS and business impact
- Cite OWASP references and include access dates for auditability
Example use cases
- Run critical-only checks on a web-app before launch to catch broken access control and injection
- Validate an API for BOLA and rate-limiting weaknesses during an API security review
- Perform a comprehensive assessment of a mobile backend to verify authentication, session management, and injection protections
- Produce a findings JSON to feed into a ticketing system with CVSS scores and remediation steps
FAQ
No. The skill provides control verification methodology and findings generation, not automated tool execution or penetration testing.
What happens if application architecture is missing?
The skill will flag architecture as unknown and run surface-level checks only, requesting documentation for deeper assessment.