security-appsec-validator_skill

This skill validates web and API security against OWASP Top 10 guidelines, delivering actionable findings to reduce exposure before production.
  • Python

5

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill security-appsec-validator

  • CHANGELOG.md936 B
  • SKILL.md8.4 KB

Overview

This skill validates application security against OWASP Top 10 (2021) and OWASP API Security Top 10 (2023) guidance, emphasizing injection prevention and access control checks. It produces structured findings with CVSS v3.1 scoring, mapped OWASP categories, and concrete remediation steps suitable for pre-production reviews, post-incident assessments, or compliance validation.

How this skill works

Provide an application identifier, assessment scope (web-app, api, or mobile-backend), and check level (critical-only, standard, comprehensive). The skill runs a checklist-driven inspection of relevant OWASP categories, flags control failures (e.g., access control gaps, injection vectors, authentication weaknesses), and generates a JSON findings report with CWE mappings, CVSS scores, remediation steps, and references. Ambiguities trigger requests for architecture or authentication documentation and abort if the identifier is missing.

When to use it

  • Pre-production security review before deployment
  • API security validation during development or release
  • Post-incident assessment to identify control gaps
  • Responding to third-party security questionnaires
  • Meeting application-level compliance requirements aligned to OWASP

Best practices

  • Supply application architecture and authentication docs when available to reduce ambiguity
  • Choose check_level to match risk tolerance: critical-only for fast triage, comprehensive for full coverage
  • Keep credentials and sensitive data out of reports; the skill avoids exploiting systems
  • Use findings to prioritize remediation by CVSS and business impact
  • Cite OWASP references and include access dates for auditability

Example use cases

  • Run critical-only checks on a web-app before launch to catch broken access control and injection
  • Validate an API for BOLA and rate-limiting weaknesses during an API security review
  • Perform a comprehensive assessment of a mobile backend to verify authentication, session management, and injection protections
  • Produce a findings JSON to feed into a ticketing system with CVSS scores and remediation steps

FAQ

No. The skill provides control verification methodology and findings generation, not automated tool execution or penetration testing.

What happens if application architecture is missing?

The skill will flag architecture as unknown and run surface-level checks only, requesting documentation for deeper assessment.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security-appsec-validator skill by williamzujkowski/cognitive-toolworks | VeilStrat