Original Reddit post

Bots found an unprotected endpoint on one of my apps and used it to rack up Gemini API calls until Google suspended the project. The key was never exposed. They just needed the URL.

I built this partly as a fix and partly because the same gap shows up in enterprise teams I work with. The agent writes clean, deployable code. It doesn’t ask who else can hit the endpoint.

10 Claude Code skills, one per OWASP A01-A10. Each runs before the agent writes, not after. Run it after and you’re proving what you built. Run it before and the constraint exists before the code does.

Usage:

    /broken-access-control Add a user profile endpoint that fetches records by ID.

The agent checks IDOR risk and ownership patterns before writing. Blocks and explains if something looks wrong. You can override.

Free, Apache 2.0, 30-second install: https://github.com/swapniltamse/claude-security-engineer

submitted by /u/swapniltamse

Originally posted by u/swapniltamse on r/ClaudeCode
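The "user profile endpoint that fetches records by ID" from the post, as an added example that is not code from the post or from the linked repository: the ID-only lookup that lets anyone who can reach the URL read any record, beside the same lookup with the authentication and ownership checks the skill is described as asking for. The `Profile` store, user IDs and handler names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    id: int
    owner_id: int
    email: str


# Constructed sample store: two users (100 and 200), one profile each.
PROFILES = {
    1: Profile(id=1, owner_id=100, email="alice@example.com"),
    2: Profile(id=2, owner_id=200, email="bob@example.com"),
}


def get_profile_insecure(profile_id: int) -> dict:
    """Fetch by ID only. No caller identity is checked, so anyone who can
    reach the URL and guess an ID gets the record: OWASP A01 / IDOR."""
    p = PROFILES.get(profile_id)
    return {"status": 200, "body": p.email} if p else {"status": 404}


def get_profile(current_user_id: Optional[int], profile_id: int) -> dict:
    """Same lookup with the constraints in place before the data is touched:
    the caller must be authenticated and must own the record it asks for."""
    if current_user_id is None:
        # Unauthenticated request: reject before any record is read.
        return {"status": 401}
    p = PROFILES.get(profile_id)
    if p is None or p.owner_id != current_user_id:
        # Missing and not-owned collapse to the same 404 so the response
        # does not confirm to a probing caller that a given ID exists.
        return {"status": 404}
    return {"status": 200, "body": p.email}
```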