A plugin marketplace featuring a powerful security review agent for development-time vulnerability assessment and code hardening.
The `security-reviewer` agent is prompted to act as a world-class security researcher and penetration tester with:
- 15+ years of experience in breaking systems and finding vulnerabilities
- 200+ CVEs discovered across major platforms
- Bug bounty winner at Google, Microsoft, Apple, and Facebook
- Conference presenter at DEF CON, Black Hat, and OWASP
The agent applies:
- OWASP Top 10 analysis
- CWE Top 25 vulnerability detection
- Authentication bypass testing
- Injection attack analysis (SQL, XSS, command injection)
- Supply chain security review

The plugin also installs two hooks:
- Secret detection: scans code for hardcoded secrets, API keys, and credentials on every file write or edit
- Session summary: generates a security-relevant activity summary at session end
Commands:
- `/security-reviewer:security-audit` - Comprehensive security audit
- `/security-reviewer:security-scan` - Quick scan of recent changes
Standalone tool scripts in `security-reviewer-plugin/tools/`:
- `check-headers.sh` - HTTP security header analysis
- `scan-secrets.sh` - Hardcoded secret detection
- `check-deps.sh` - Dependency vulnerability checker (npm, pip, Go, Rust)
- `check-ssrf.sh` - SSRF pattern scanner
- `check-sqli.sh` - SQL injection vulnerability scanner
- `check-cmd-injection.sh` - Command injection/RCE vulnerability scanner
- `check-crypto-config.sh` - Weak crypto and insecure configuration scanner
- `check-docker.sh` - Docker and Docker Compose security scanner
- `check-xss.sh` - Cross-site scripting (XSS) scanner
- `check-path-traversal.sh` - Path/directory traversal scanner
- `check-auth-bypass.sh` - Authentication bypass and JWT flaws scanner
- `check-deserialization.sh` - Unsafe deserialization and XXE scanner
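To show the kind of check a header scanner such as `check-headers.sh` performs, here is an added example written for this page. It is not the plugin's own script: its thresholds (an HSTS `max-age` of at least 180 days, a CSP without `'unsafe-inline'`/`'unsafe-eval'`, `nosniff`, clickjacking protection via `X-Frame-Options` or `frame-ancestors`, a `Referrer-Policy`, and no version in `Server`) are this example's own choices, and all findings are rated LOW to match where this page's severity table puts missing headers and information disclosure. With no argument it grades a constructed response embedded in the script; with a URL it sends a HEAD request to a host you are authorised to test.

```shell
#!/usr/bin/env bash
# Added example, not the plugin's check-headers.sh: grades the security headers
# of one HTTP response. Usage:
#   ./check-headers-example.sh https://example.com   # live HEAD request (only hosts you may test)
#   ./check-headers-example.sh                       # offline demo on a constructed response
# The thresholds (HSTS max-age >= 180 days, etc.) are this example's own choices.

# hv NAME: value of header NAME from $HDRS (already lowercased); first match only.
hv() { printf '%s\n' "$HDRS" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1; }

report() { printf '[LOW] %s\n' "$1"; }   # missing headers are LOW in this page's severity table

# check_headers: reads raw response headers on stdin, prints one line per problem
# and returns the number of problems (0 = clean) so it can gate a CI step.
check_headers() {
  HDRS=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # names and most directives are case-insensitive
  n=0
  hsts=$(hv strict-transport-security)
  if [ -z "$hsts" ]; then
    report "Strict-Transport-Security missing"; n=$((n + 1))
  else
    maxage=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ "${maxage:-0}" -ge 15552000 ] ||
      { report "HSTS max-age ${maxage:-0} is below 15552000 (180 days)"; n=$((n + 1)); }
    case "$hsts" in *includesubdomains*) ;; *) report "HSTS lacks includeSubDomains"; n=$((n + 1)) ;; esac
  fi
  csp=$(hv content-security-policy)
  if [ -z "$csp" ]; then
    report "Content-Security-Policy missing"; n=$((n + 1))
  else
    case "$csp" in *unsafe-inline*|*unsafe-eval*)
      report "CSP allows 'unsafe-inline' or 'unsafe-eval'"; n=$((n + 1)) ;;
    esac
  fi
  [ "$(hv x-content-type-options)" = nosniff ] ||
    { report "X-Content-Type-Options: nosniff missing"; n=$((n + 1)); }
  case "$(hv x-frame-options)" in
    deny|sameorigin) ;;
    *) case "$csp" in *frame-ancestors*) ;;
         *) report "No X-Frame-Options or CSP frame-ancestors (clickjacking)"; n=$((n + 1)) ;;
       esac ;;
  esac
  [ -n "$(hv referrer-policy)" ] || { report "Referrer-Policy missing"; n=$((n + 1)); }
  server=$(hv server)
  case "$server" in *[0-9]*) report "Server header discloses a version: $server"; n=$((n + 1)) ;; esac
  return "$n"
}

# Constructed sample response (not a real capture): short HSTS without
# includeSubDomains, CSP with 'unsafe-inline', no nosniff, versioned Server.
sample_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
EOF
}

if [ $# -gt 0 ]; then
  # -I sends HEAD; pass the final URL, since redirect hops are not followed here.
  curl -sSI --max-time 10 "$1" | check_headers
else
  rc=0
  sample_response | check_headers || rc=$?
  printf '%d header problem(s) found in the sample response\n' "$rc"   # 5
fi
```

Because `check_headers` returns the number of problems, `curl -sSI https://your-host | check_headers` fails a CI step on the first regression. Lowercasing the whole header block before matching is deliberate: header names and HSTS/CSP directive keywords are case-insensitive, and a scanner that only matches `Strict-Transport-Security:` misses servers that emit `strict-transport-security:`.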
## Installation

Add the marketplace and install the plugin from within Claude Code:

```
/plugin marketplace add dinudsi/claude-security-marketplace
/plugin install security-reviewer@claude-security-marketplace
```

Or add it to `.claude/settings.json`:

```json
{
  "extraKnownMarketplaces": {
    "claude-security-marketplace": {
      "source": {
        "source": "github",
        "repo": "dinudsi/claude-security-marketplace"
      }
    }
  },
  "enabledPlugins": {
    "security-reviewer@claude-security-marketplace": true
  }
}
```

## Usage

Run a full security audit of your codebase:

```
/security-reviewer:security-audit
```

The agent will:
- Identify the technology stack
- Analyze code for vulnerabilities
- Check for hardcoded secrets
- Analyze dependencies for known CVEs
- Report findings with severity ratings
Scan recently changed files for security issues:

```
/security-reviewer:security-scan
```

Or pick the agent from the agent list:

```
/agents
# Select security-reviewer
```

Run tools directly via bash:
```bash
# Check HTTP security headers
bash security-reviewer-plugin/tools/check-headers.sh https://example.com
# Scan for hardcoded secrets
bash security-reviewer-plugin/tools/scan-secrets.sh
# Check dependencies for vulnerabilities
bash security-reviewer-plugin/tools/check-deps.sh
# Scan for SSRF patterns
bash security-reviewer-plugin/tools/check-ssrf.sh
# Scan for SQL Injection vulnerabilities
bash security-reviewer-plugin/tools/check-sqli.sh
# Scan for Command Injection/RCE vulnerabilities
bash security-reviewer-plugin/tools/check-cmd-injection.sh
# Scan for weak crypto, CORS, and info disclosures
bash security-reviewer-plugin/tools/check-crypto-config.sh
# Scan Dockerfiles and Docker Compose configurations
bash security-reviewer-plugin/tools/check-docker.sh
# Scan for Cross-Site Scripting (XSS) vulnerabilities
bash security-reviewer-plugin/tools/check-xss.sh
# Scan for Path Traversal vulnerabilities
bash security-reviewer-plugin/tools/check-path-traversal.sh
# Scan for Authentication Bypass & JWT vulnerabilities
bash security-reviewer-plugin/tools/check-auth-bypass.sh
# Scan for Unsafe Deserialization & XXE vulnerabilities
bash security-reviewer-plugin/tools/check-deserialization.sh
```

## Repository Structure

```
claude-security-marketplace/
├── .claude-plugin/
│   └── marketplace.json                 # Marketplace catalog
├── security-reviewer-plugin/
│   ├── .claude-plugin/
│   │   └── plugin.json                  # Plugin manifest (hooks, MCP servers)
│   ├── agents/
│   │   └── security-reviewer.md         # Security reviewer agent
│   ├── skills/
│   │   └── security-audit/
│   │       └── SKILL.md                 # Comprehensive audit skill
│   ├── commands/
│   │   └── security-scan.md             # Quick scan command
│   ├── scripts/
│   │   ├── detect-secrets.sh            # Secret detection (PostToolUse hook)
│   │   └── generate-security-summary.sh # Session summary (Stop hook)
│   └── tools/
│       ├── check-headers.sh             # HTTP security header checker
│       ├── scan-secrets.sh              # Hardcoded secret scanner
│       ├── check-deps.sh                # Dependency vulnerability checker
│       ├── check-ssrf.sh                # SSRF pattern scanner
│       ├── check-sqli.sh                # SQL Injection scanner
│       ├── check-cmd-injection.sh       # Command Injection scanner
│       ├── check-crypto-config.sh       # Weak crypto/config checker
│       ├── check-docker.sh              # Docker container security scanner
│       ├── check-xss.sh                 # Cross-Site Scripting (XSS) scanner
│       ├── check-path-traversal.sh      # Path Traversal scanner
│       ├── check-auth-bypass.sh         # Auth Bypass & JWT flaws scanner
│       └── check-deserialization.sh     # Unsafe Deserialization/XXE scanner
└── examples/
    └── vulnerable-code.js               # Example vulnerable code for testing
```
## Hooks

| Event | Trigger |
|---|---|
| PostToolUse | Scans Write/Edit operations for hardcoded secrets |
| Stop | Generates security summary of session activity |
## Report Format

```markdown
### [CRITICAL] Finding Title
**Location:** file:line
**Issue:** Clear description of vulnerability
**Impact:** Real-world attack scenario
**Remediation:** Specific fix with code examples
```
## Severity Levels

| Level | Description |
|---|---|
| CRITICAL | RCE, auth bypass, data breach potential |
| HIGH | SQL injection, IDOR, privilege escalation |
| MEDIUM | XSS, CSRF, weak crypto |
| LOW | Information disclosure, missing headers |
| INFO | Best practice improvements |
## Contributing

- Fork the repository
- Create a feature branch
- Make changes
- Test with `claude plugin validate`
- Submit a PR

## License

MIT License. See the LICENSE file.