Security reviews are one of the most time-consuming parts of the development cycle. Checking against OWASP Top 10, hunting for hardcoded secrets, and cross-referencing dependency CVEs — these are all critical, but they eat hours of developer time that could go toward shipping features.
The Claude Code Security Pack automates all three with three purpose-built skills: /security-audit, /secret-scanner, and /deps-check.
Why OWASP Top 10 Still Catches Teams Off Guard
The OWASP Top 10 has been the industry standard for web application security risks since 2003. Yet injection flaws, broken authentication, and security misconfigurations still appear regularly in production codebases — not because developers don't know about them, but because manual auditing is slow and easy to skip under deadline pressure.
Automated tooling changes this dynamic. When the check runs in seconds, it gets done every time.
How /security-audit Works
Point it at your source directory:
/security-audit src/
The skill analyzes your code against OWASP Top 10 categories and outputs prioritized findings:
[CRITICAL] A03: Injection
src/api/orders.py:87 — Raw SQL query with unsanitized user input
Fix: Use parameterized queries or an ORM
# Flagged code:
query = f"SELECT * FROM orders WHERE user_id = {user_id}"
# Suggested fix:
cursor.execute("SELECT * FROM orders WHERE user_id = %s", (user_id,))
[HIGH] A02: Cryptographic Failures
src/auth/tokens.py:23 — JWT signed with HS256 using a hardcoded secret
Fix: Load signing key from environment; consider RS256 for distributed systems
[MEDIUM] A05: Security Misconfiguration
config/app.py:11 — CORS origin set to "*" with credentials allowed
Fix: Specify allowed origins explicitly
Each finding includes the file path, line number, OWASP category, and a concrete remediation suggestion. No need to cross-reference documentation — the guidance is inline.
/secret-scanner: Catch Leaked Credentials Before They Hit Git
Hardcoded secrets in source code are a leading cause of breaches. This skill scans your entire project tree for patterns matching API keys, tokens, and passwords:
/secret-scanner .
Example detections:
# These patterns get flagged:
STRIPE_SECRET_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
POSTGRES_URI = "postgresql://admin:hunter2@prod.db.internal/app"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
[FOUND] src/config/settings.py:14
Type: Stripe Live Secret Key
Match: sk_live_4eC39... (truncated)
Action: Rotate immediately. Move to environment variable or secrets manager.
[FOUND] docker-compose.yml:31
Type: Database URI with credentials
Note: docker-compose files are often committed to version control — verify .gitignore
Running this as a pre-commit hook or CI step eliminates an entire class of credential exposure incidents.
/deps-check: Vulnerability Scanning for Your Dependencies
Supply chain attacks and unpatched dependencies are a growing attack vector. /deps-check scans your dependency manifest against known CVEs:
/deps-check requirements.txt
# or
/deps-check package.json
Sample output:
Scanning 63 packages...
[HIGH] CVE-2024-3094 — cryptography==41.0.0
CVSS: 9.1 — Allows remote code execution via malformed certificate
Fix: pip install "cryptography>=42.0.4"
[HIGH] CVE-2023-32681 — requests==2.28.1
CVSS: 7.5 — Authentication headers leaked on cross-origin redirects
Fix: pip install "requests>=2.31.0"
[MEDIUM] CVE-2023-45853 — Pillow==9.5.0
CVSS: 5.3 — Buffer overflow in TIFF parsing
Fix: pip install "Pillow>=10.0.1"
Summary: 2 HIGH, 1 MEDIUM, 0 LOW
Upgrade command: pip install --upgrade cryptography requests Pillow
The upgrade command is generated automatically, so remediation is a single copy-paste.
Getting Started in 3 Steps
Step 1: Install the Security Pack skills
Download from PromptWorks and place the skill files in your Claude Code skills directory (~/.claude/skills/ or the project-local .claude/skills/).
Step 2: Run your first audit
# In your project root
/secret-scanner .
/deps-check requirements.txt # or package.json / Gemfile.lock
/security-audit src/
Step 3: Integrate into CI
# .github/workflows/security-pack.yml
name: Security Pack Audit
on:
pull_request:
branches: [main, develop]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Secret Scanner
run: claude /secret-scanner .
- name: Dependency Check
run: claude /deps-check requirements.txt
- name: OWASP Audit
run: claude /security-audit src/
Now every pull request gets an automated security review before merge.
What the Security Pack Covers
| Skill | Purpose | Detects |
|---|---|---|
/security-audit |
OWASP Top 10 analysis | Injection, broken auth, misconfigs, XSS, SSRF, and more |
/secret-scanner |
Credential detection | API keys, tokens, passwords, connection strings |
/deps-check |
Dependency CVE scan | Known vulnerabilities with CVSS scores and fix versions |
Get the Security Pack
Security Pack — ¥1,480 on PromptWorks (0% platform fee during beta).
Includes /security-audit, /secret-scanner, and /deps-check.
→ Get Security Pack on PromptWorks
Also looking for code review and test generation tools? Check out the Code Review Pack (¥980) — /code-review, /refactor-suggest, /test-gen.
More Claude Code guides and templates:
→ Gumroad Store
Built by みょうが (@myougatheaxo) — Axolotl VTuber Engineer
Top comments (0)