meow:vulnerability-scanner

OWASP 2025 vulnerability analysis with supply chain security, attack surface mapping, and risk prioritization.

What This Skill Does

meow:vulnerability-scanner applies OWASP 2025 security principles at the code level. It maps attack surfaces, scans for high-risk code patterns (SQL injection, XSS, command injection, unsafe deserialization), checks for hardcoded secrets, and prioritizes findings by exploitability and business impact. It is lighter than meow:cso (which covers infrastructure) and focuses on code patterns.

Core Capabilities

  • OWASP Top 10:2025 — Full coverage from Broken Access Control through Exceptional Conditions
  • Code pattern analysis — String concat in queries, eval(), unsafe deserialization, path traversal
  • Secret detection — API keys, tokens, credentials, cloud prefixes
  • Risk prioritization — CVSS + EPSS + asset value + exposure
  • Supply chain — Dependency audit, lock file integrity, registry typosquatting
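The capabilities above describe pattern scanning, secret detection and risk prioritization without showing how they combine. The following is an added example, not code from the meow:vulnerability-scanner skill or the meow project: it scans two constructed source files for the code patterns and secret formats named in the list, then ranks the findings by a score that combines CVSS, EPSS, asset value and exposure. The regexes, the CVSS and EPSS values, the weighting formula, the file names and the snippets are all assumptions made for illustration.

```python
"""Added example, not code from the meow:vulnerability-scanner skill itself:
a small pattern scanner for the code patterns and secret formats listed
under Core Capabilities, plus a risk score that combines CVSS, EPSS, asset
value and exposure. The regexes, weights, file names, snippets and EPSS
values are all constructed assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Risky code patterns named above. Each maps to (regex, assumed base CVSS).
CODE_PATTERNS = {
    "sql-string-concat":  (r"(?i)\b(select|insert|update|delete)\b.*[\"']\s*\+\s*\w", 8.8),
    "eval-call":          (r"\beval\s*\(", 9.8),
    "unsafe-deserialize": (r"\b(pickle\.loads|yaml\.load)\s*\(", 9.8),
    "path-traversal":     (r"\bopen\s*\(\s*[\w.]*\s*\+\s*\w+", 7.5),
}

# Secret shapes: cloud key prefixes and generic key/token assignments.
SECRET_PATTERNS = {
    "aws-access-key-id": r"\bAKIA[0-9A-Z]{16}\b",
    "github-token":      r"\bghp_[A-Za-z0-9]{36}\b",
    "generic-api-key":   r"(?i)\b(api[_-]?key|secret|token)\s*=\s*[\"'][^\"']{16,}[\"']",
}
HARDCODED_SECRET_CVSS = 9.1  # assumed base score for any leaked credential


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    cvss: float
    epss: float = 0.0
    score: float = 0.0


def scan_source(path: str, text: str) -> List[Finding]:
    """Scan one file's text line by line against both rule tables."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, cvss) in CODE_PATTERNS.items():
            if re.search(pattern, line):
                findings.append(Finding(path, lineno, rule, cvss))
        for rule, pattern in SECRET_PATTERNS.items():
            if re.search(pattern, line):
                findings.append(Finding(path, lineno, rule, HARDCODED_SECRET_CVSS))
    return findings


def prioritize(findings: List[Finding], epss: Dict[str, float],
               asset_value: Dict[str, int], exposure: Dict[str, int]) -> List[Finding]:
    """Rank findings by CVSS x (0.5 + EPSS) x asset value (1-5) x exposure (1-3).
    The formula is an assumption; it shows why an internet-facing SQLi can
    outrank a higher-CVSS bug in an internal-only component."""
    for f in findings:
        f.epss = epss.get(f.rule, 0.01)
        f.score = round(f.cvss * (0.5 + f.epss)
                        * asset_value.get(f.path, 1) * exposure.get(f.path, 1), 2)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample files (not from any real project).
SAMPLES = {
    "src/api/users.py": (
        "def find(name):\n"
        "    q = \"SELECT * FROM users WHERE name = '\" + name + \"'\"\n"
        "    return db.execute(q)\n"
        "AWS_KEY = \"AKIAABCDEFGHIJKLMNOP\"\n"
    ),
    "src/internal/jobs.py": (
        "import pickle\n"
        "def load(blob):\n"
        "    return pickle.loads(blob)\n"
        "def read(name):\n"
        "    return open(BASE + name).read()\n"
    ),
}
# Constructed EPSS-style probabilities per rule and per-file context.
EPSS = {"sql-string-concat": 0.6, "unsafe-deserialize": 0.9,
        "path-traversal": 0.3, "aws-access-key-id": 0.5}
ASSET_VALUE = {"src/api/users.py": 3, "src/internal/jobs.py": 2}
EXPOSURE = {"src/api/users.py": 3, "src/internal/jobs.py": 1}  # 3 = internet-facing


def run_demo() -> List[Finding]:
    """Scan every sample file and return the prioritized findings."""
    findings = [f for path, text in SAMPLES.items() for f in scan_source(path, text)]
    return prioritize(findings, EPSS, ASSET_VALUE, EXPOSURE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.score:6.2f}  {f.path}:{f.line}  {f.rule}  (CVSS {f.cvss}, EPSS {f.epss})")
```

Run as a script it lists the four findings highest score first. The ordering is the point: the string-concatenated query in the internet-facing API file (CVSS 8.8) lands above the pickle.loads call in the internal job runner (CVSS 9.8) because EPSS, asset value and exposure all weigh in, which is what "CVSS + EPSS + asset value + exposure" buys over a plain CVSS sort.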

Usage

```bash
/meow:vulnerability-scanner           # Full scan
/meow:vulnerability-scanner src/api/  # Scan specific directory
```

Skill Details

Phase: 4
Used by: reviewer, security agents

Related Skills

  • meow:cso — Infrastructure-first security audit (broader scope)
  • meow:review — Security is one of 5 review dimensions

Gotchas

  • False positives in test fixtures: Security scan flags intentionally insecure test data → Exclude test/fixtures/ and mocks/ from vulnerability scans
  • Dependency confusion attacks missed: Scanner checks known CVEs but not package name typosquatting → Cross-reference package names against known typosquat databases
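The two gotchas above each suggest a concrete mitigation: drop the fixture and mock directories before scanning, and cross-reference dependency names against a list of known packages. The following is an added example, not the skill's own code, that does both: a path filter for the named directories and an edit-distance check that flags dependency names sitting within a couple of edits of a known package. The excluded directory names come from the gotcha; the known-package allowlist, the sample paths and the dependency list are constructed stand-ins for a real typosquat database and a real lock file.

```python
"""Added example, not the skill's own code, for the two gotchas above: drop
intentionally insecure fixture paths before scanning, and flag dependency
names that are a few edits away from a well-known package. The known-package
allowlist, the sample paths and the dependency list are constructed."""
from pathlib import PurePosixPath
from typing import Iterable, List, Set, Tuple

# Directories holding intentionally insecure test data (from the gotcha above).
EXCLUDED_DIRS = ("test/fixtures", "mocks")


def is_excluded(path: str) -> bool:
    """True when an excluded directory appears as a contiguous run of path parts."""
    parts = PurePosixPath(path).parts
    for ex in EXCLUDED_DIRS:
        ex_parts = PurePosixPath(ex).parts
        n = len(ex_parts)
        if any(parts[i:i + n] == ex_parts for i in range(len(parts) - n + 1)):
            return True
    return False


def filter_scan_paths(paths: Iterable[str]) -> List[str]:
    """Keep only the paths that should reach the vulnerability scan."""
    return [p for p in paths if not is_excluded(p)]


# Constructed allowlist standing in for a real typosquat / known-package database.
KNOWN_PACKAGES: Set[str] = {"requests", "urllib3", "numpy", "cryptography", "pyyaml", "django"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(deps: Iterable[str], known: Set[str] = KNOWN_PACKAGES,
                         max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Report (dependency, nearest known package, distance) for names that are
    not on the allowlist but lie within max_distance edits of a known one."""
    out: List[Tuple[str, str, int]] = []
    for dep in deps:
        name = dep.lower().replace("_", "-")  # normalise the way package indexes do
        if name in known:
            continue
        nearest = min(known, key=lambda k: levenshtein(name, k))
        d = levenshtein(name, nearest)
        if d <= max_distance:
            out.append((dep, nearest, d))
    return out


# Constructed inputs.
PATHS = ["src/api/users.py", "test/fixtures/sqli_payloads.txt",
         "src/mocks/client.py", "tests/unit/test_api.py"]
DEPS = ["requests", "reqeusts", "urlib3", "numpy", "colorama", "crypt0graphy"]

if __name__ == "__main__":
    print("paths to scan:", filter_scan_paths(PATHS))
    for dep, near, d in typosquat_candidates(DEPS):
        print(f"possible typosquat: {dep!r} is {d} edit(s) from {near!r}")
```

The path filter matches directory names as whole path components, so a file under test/fixtures/ is skipped while tests/unit/ is still scanned. The typosquat check deliberately ignores names that are already on the allowlist and reports only near-misses; a real deployment would feed it the package list from the lock file and a maintained typosquat database in place of the constructed allowlist.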

Released under the MIT License.