How do I install owasp-top-10?

Run `npx skills add https://github.com/nickcrew/claude-ctx-plugin --skill owasp-top-10` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does owasp-top-10 support?

owasp-top-10 works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is owasp-top-10 free to use?

Yes. owasp-top-10 is free to install and use. It is available from the open explainx.ai skill registry published by nickcrew.

Where can I read ratings and reviews for owasp-top-10?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

owasp-top-10▌

nickcrew/claude-ctx-plugin · updated Apr 22, 2026

$npx skills add https://github.com/nickcrew/claude-ctx-plugin --skill owasp-top-10

0 commentsdiscussion

summary

Expert guidance for identifying, preventing, and remediating OWASP Top 10 web application security risks.

›Covers all 10 critical vulnerabilities ranked by severity, including broken access control, cryptographic failures, injection, insecure design, and security misconfiguration
›Provides detailed reference files for each vulnerability category with vulnerable and secure code patterns, detection methods, and remediation strategies
›Includes a structured security audit workflow covering

skill.md

OWASP Top 10 Security Vulnerabilities

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

When to Use This Skill

Conducting security audits and code reviews
Implementing secure coding practices in new features
Reviewing authentication and authorization systems
Assessing input validation and sanitization
Evaluating third-party dependencies for vulnerabilities
Designing security controls and defense-in-depth strategies
Preparing for security certifications or compliance audits
Investigating security incidents or suspicious behavior

OWASP Top 10 2021 Overview

Ranked by Risk Severity:

A01 - Broken Access Control (↑ from #5)
A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
A03 - Injection (↓ from #1)
A04 - Insecure Design (NEW)
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Identification and Authentication Failures
A08 - Software and Data Integrity Failures (NEW)
A09 - Security Logging and Monitoring Failures
A10 - Server-Side Request Forgery (SSRF) (NEW)

Quick Reference

Load detailed guidance for each vulnerability:

Vulnerability	Reference File
Broken Access Control	`skills/owasp-top-10/references/broken-access-control.md`
Cryptographic Failures	`skills/owasp-top-10/references/cryptographic-failures.md`
Injection	`skills/owasp-top-10/references/injection.md`
Insecure Design	`skills/owasp-top-10/references/insecure-design.md`
Security Misconfiguration	`skills/owasp-top-10/references/security-misconfiguration.md`
Vulnerable Components	`skills/owasp-top-10/references/vulnerable-components.md`
Authentication Failures	`skills/owasp-top-10/references/authentication-failures.md`
Integrity Failures	`skills/owasp-top-10/references/integrity-failures.md`
Logging & Monitoring	`skills/owasp-top-10/references/logging-monitoring.md`
SSRF	`skills/owasp-top-10/references/ssrf.md`
Prevention Strategies	`skills/owasp-top-10/references/prevention-strategies.md`
Assessment Workflow	`skills/owasp-top-10/references/assessment-workflow.md`

Security Audit Workflow

Identify Scope: Determine application components and attack surface
Select Vulnerabilities: Choose relevant OWASP categories based on features
Load Reference: Read appropriate reference file(s) for detailed patterns
Analyze Code: Review code against vulnerable and secure patterns
Document Findings: Record vulnerabilities with severity and remediation
Verify Fixes: Test that remediations properly address issues
Test Security: Run automated security testing (SAST, DAST, SCA)

Core Security Principles

Defense in Depth

Layer security controls at network, application, data, and monitoring levels
Ensure failure of one control doesn't compromise entire system

Secure by Default

Deny all access by default, explicitly grant permissions
Fail securely (errors don't expose sensitive information)
Minimize attack surface (disable unused features)
Apply least privilege to all accounts and services

Input Validation

Validate type, length, format, and allowed values
Use allow-lists over deny-lists
Sanitize for specific context (SQL, HTML, shell, etc.)
Never trust client input

Common Mistakes

Trusting User Input: Always validate and sanitize all user-supplied data
Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
Exposing Errors: Log detailed errors internally, show generic messages to users
Missing Authorization: Check permissions on every request, not just UI
Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
Ignoring Dependencies: Regularly audit and update third-party libraries
No Logging: Log security events for detection and incident response
Default Configurations: Harden all systems, disable defaults

Security Testing Tools

SAST (Static): SonarQube, Semgrep, ESLint security plugins DAST (Dynamic): OWASP ZAP, Burp Suite SCA (Dependencies): npm audit, Snyk, Dependabot Secrets Scanning: GitGuardian, TruffleHog Penetration Testing: Metasploit, Kali Linux tools

Resources

OWASP Top 10 2021: https://owasp.org/Top10/
OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
OWASP ASVS: Application Security Verification Standard
CWE Top 25: Common Weakness Enumeration
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
CVE Database: https://cve.mitre.org/
Snyk Vulnerability DB: https://snyk.io/vuln/

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★35 reviews

★★★★★Harper Sharma· Dec 28, 2024
owasp-top-10 reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Neel Mensah· Dec 24, 2024
I recommend owasp-top-10 for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Dhruvi Jain· Dec 12, 2024
owasp-top-10 has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Amina Gill· Dec 4, 2024
Keeps context tight: owasp-top-10 is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Harper Li· Nov 27, 2024
owasp-top-10 is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Harper Jain· Nov 23, 2024
We added owasp-top-10 from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Amina Ghosh· Nov 19, 2024
Registry listing for owasp-top-10 matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★James Bansal· Nov 15, 2024
owasp-top-10 fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Oshnikdeep· Nov 3, 2024
Solid pick for teams standardizing on skills: owasp-top-10 is focused, and the summary matches what you get after install.
★★★★★Ganesh Mohane· Oct 22, 2024
We added owasp-top-10 from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

showing 1-10 of 35

1 / 4