
Secure Agent Playbook

An open-source security playbook for AI agents. Structured, OWASP-grounded procedures that enable agents to perform security engineering tasks — from code review to AI agent security audits.

Why Use This?

Without a playbook, asking an AI agent to "review my code for security" gives you a surface-level checklist. With these plays, the agent follows a structured OWASP-grounded procedure — systematically testing every vulnerability class, producing findings with CWE mappings, OpenCRE cross-references, evidence snippets, and specific remediation code.

  • Consistent methodology — Every assessment follows a documented procedure, not ad-hoc prompting. Results are reproducible across runs and reviewers.
  • Structured, actionable output — Findings include severity, CWE, evidence, and remediation steps with code examples. No vague warnings.
  • Cross-standard traceability — Findings link to CWE, ASVS, WSTG, and NIST 800-53 via OpenCRE for compliance mapping.
  • 17 security skills — From dependency CVE scanning to prompt injection testing to multi-agent threat modeling. Install as a Claude Code plugin or use standalone.
  • Works beyond Claude Code — Skills are Claude Code plugins; plays are standalone procedures any AI agent can follow.

What This Is

This is not a framework or a library. There is no code to import.

Each play is a step-by-step security procedure with checklists, decision criteria, and output templates. An AI agent follows the procedure to produce consistent, evidence-based findings. Think of it like a SOC analyst's playbook — but written for AI agents to execute.

Quick Start

With Claude Code (recommended):

Step 1 — Register the plugin marketplace:

/plugin marketplace add OWASP/secure-agent-playbook

Step 2 — Install a skill set:

/plugin install code-security-skills@agent-security-playbook
/plugin install ai-security-skills@agent-security-playbook

Step 3 — Use the skills by mentioning the task in conversation:

"Review this code for security issues"
"Scan my dependencies for CVEs"
"Audit this MCP server configuration"
"Test this chatbot for prompt injection"

Claude will automatically activate the relevant skill based on context. See Skills Catalog for all available skills and Example Output for what the results look like.

Organization plugin — For Claude organization admins installing via Organization Plugins:

  1. Go to the latest release
  2. Download secure-agent-playbook.zip from the release assets
  3. Upload the zip at Organization settings > Plugins > Add plugin

Note: Do not use GitHub's "Download ZIP" button — it nests files in a subdirectory that the plugin validator rejects. Always use the release asset zip.

Local development — To test from a local clone instead of GitHub:

/plugin marketplace add /path/to/agent-security-playbook
/plugin install code-security-skills@agent-security-playbook
/plugin install ai-security-skills@agent-security-playbook

Without Claude Code:

Reference plays directly as procedures for any AI agent or manual use:

  • Point your agent at a play: "Follow the procedure in plugins/ai-security-skills/plays/agent-security-audit.md"
  • Or use the plays as checklists for manual security reviews

Skills Catalog

Code & Infrastructure Security (code-security-skills)

| Skill | What It Does | Say This | OWASP Ref |
|---|---|---|---|
| code-review-security | Security code review mapped to Top 10 + ASVS | "Review this code for security issues" | Top 10, ASVS |
| sca-audit | Dependency CVE scanning with reachability analysis | "Scan my dependencies for CVEs" | A06:2021 |
| secrets-scan | Detect hardcoded credentials and API keys | "Scan for hardcoded secrets" | CWE-798 |
| api-security-review | API review against OWASP API Top 10 (2023) | "Review this API for security" | API Top 10 |
| web-security-review | Web app review against OWASP Top 10 (2021) | "Review this web app for OWASP Top 10" | Top 10 |
| mobile-code-review | Native Android/iOS source review against OWASP MASVS v2.1.0 | "Review this mobile app for security" | MASVS v2.1.0 |
| iac-security-review | IaC security (Terraform, K8s, CloudFormation) | "Review this Terraform for security" | CIS Benchmarks |
| securability-engineering | Generate inherently securable code (FIASSE v1.0.4) | "Generate secure code for..." | FIASSE v1.0.4 |
| securability-engineering-review | Assess code securability (0-10 SSEM scoring) | "Assess the securability of this code" | FIASSE v1.0.4/SSEM |
| prd-securability-enhancement | Harden PRDs/specs with ASVS coverage and FIASSE SSEM requirements before code is written | "Harden this PRD" / "Map features to ASVS" | ASVS, FIASSE v1.0.4 |
| security-guidance | Auto-triggered ASVS guidance for security-sensitive code | (auto-triggered) | ASVS 5.0 |

AI & Agent Security (ai-security-skills)

| Skill | What It Does | Say This | OWASP Ref |
|---|---|---|---|
| agent-security-audit | Audit agent permissions, injection surfaces, data exfil paths | "Audit this agent's security" | LLM Top 10 |
| llm-risk-assess | LLM app assessment against LLM Top 10 2025 | "Assess LLM risks for this app" | LLM Top 10 |
| agentic-ai-risk-assess | Agentic app assessment against Top 10 Agentic 2026 | "Assess agentic AI risks" | Agentic Top 10 |
| mcp-server-review | MCP server security review | "Review this MCP server" | LLM Top 10 |
| prompt-injection-test | Prompt injection testing (Arcanum PI Taxonomy) | "Test for prompt injection" | LLM01 |
| multi-agentic-threat-model | CSA MAESTRO 7-layer threat modeling | "Model threats for this multi-agent system" | CSA MAESTRO |

Agents

Agents are autonomous security specialists that invoke skills and produce structured reports. Each agent has a focused system prompt, scoped tool access, and preloaded skills. Use them individually or as a coordinated team.

| Agent | Focus | Skills Invoked |
|---|---|---|
| code-security-reviewer | Code vulnerabilities, secrets, web security | code-review-security, secrets-scan, web-security-review |
| dependency-auditor | Supply chain and dependency CVE risks | sca-audit |
| api-security-reviewer | API security against OWASP API Top 10 | api-security-review |
| mobile-security-reviewer | Native Android/iOS source against OWASP MASVS v2.1.0 | mobile-code-review |
| ai-security-assessor | Agent configs, MCP servers, LLM app risks | agent-security-audit, mcp-server-review, llm-risk-assess, prompt-injection-test |
| security-team-lead | Coordinates specialists, consolidates report | securability-engineering-review |

Standalone usage — invoke any agent directly:

"Use code-security-reviewer to review src/"
"Use dependency-auditor to scan this project"

Team assessment — with agent teams enabled, the team lead dispatches specialists in parallel and consolidates findings into a single report:

"Run a full security assessment of this project"

The team lead scopes the target, dispatches relevant specialists (skipping those whose focus area isn't present), deduplicates findings, identifies cross-domain risk chains, and produces a unified report using templates/report.md.

Agent teams require CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1. See the Claude Code docs for setup. Individual agents work without this flag.

Example Output

Running "Review src/auth/ for security issues" on a Node.js/Express codebase produces findings like this:

Security Code Review — src/auth/
Scope: Node.js/Express, server-side, processes user credentials
Findings: CRITICAL 1 | HIGH 2 | MEDIUM 1 | LOW 0

[CRITICAL] SQL Injection in User Lookup

  • CWE: CWE-89
  • OpenCRE: CRE-764-507 — Injection Prevention
  • OWASP Ref: A03:2021 Injection
  • Location: src/auth/login.js:42
  • Impact: Attacker can extract the entire users table, bypass authentication, or execute arbitrary SQL via crafted id parameter
  • Evidence:
    // src/auth/login.js:42
    const user = await db.query("SELECT * FROM users WHERE id=" + req.params.id);
  • Remediation: Use parameterized queries:
    const user = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
  • Confidence: HIGH

Every skill produces structured findings with severity, CWE, evidence, and remediation code. See examples/ for complete sample assessment reports.
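As an added illustration (not code from the playbook or the OWASP project), the following checker flags the request-built SQL pattern shown in the finding above, covering both string concatenation and template-literal interpolation, and returns findings in the same field layout (severity, CWE, OWASP ref, location, evidence, remediation, confidence). The Express source it scans is constructed for this example and the file path is a placeholder.

```javascript
// Added example, not code from the playbook: a minimal checker for the
// request-built SQL pattern flagged in the finding above. It returns findings
// in the same field layout (severity, CWE, OWASP ref, location, evidence,
// remediation, confidence). The sample source below is constructed.
const SAMPLE_SOURCE = [
  'router.get("/users/:id", async (req, res) => {',
  '  const user = await db.query("SELECT * FROM users WHERE id=" + req.params.id);',
  '  res.json(user);',
  '});',
  'router.get("/search", async (req, res) => {',
  '  const rows = await db.query(`SELECT * FROM users WHERE name = \'${req.query.name}\'`);',
  '  res.json(rows);',
  '});',
  'router.get("/safe/:id", async (req, res) => {',
  '  const user = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);',
  '  res.json(user);',
  '});',
].join("\n");

// Request-derived expressions that must never be spliced into SQL text.
const TAINT = "req\\.(?:params|query|body)\\.\\w+";
// Pattern 1: quoted SQL literal concatenated with a tainted expression.
const CONCAT_SQL = new RegExp("\\.query\\(\\s*[\"'][^\"']*[\"']\\s*\\+\\s*(" + TAINT + ")");
// Pattern 2: template literal interpolating a tainted expression.
const TEMPLATE_SQL = new RegExp("\\.query\\(\\s*`[^`]*\\$\\{(" + TAINT + ")\\}");

// Scan source text line by line; parameterized calls (no "+" or "${") pass.
function findSqlInjection(source, filePath) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const m = CONCAT_SQL.exec(text) || TEMPLATE_SQL.exec(text);
    if (!m) return;
    findings.push({
      severity: "CRITICAL",
      title: "SQL Injection in query built from request data",
      cwe: "CWE-89",
      owaspRef: "A03:2021 Injection",
      location: `${filePath}:${idx + 1}`,
      evidence: text.trim(),
      remediation: `Bind ${m[1]} as a query parameter ($1) instead of inserting it into the SQL string`,
      confidence: "HIGH",
    });
  });
  return findings;
}

// In the sample input, lines 2 and 6 are flagged; the parameterized line 10 is not.
console.log(JSON.stringify(findSqlInjection(SAMPLE_SOURCE, "src/auth/login.js"), null, 2));
```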

Plays

AI/Agent Security plays

The differentiator — security procedures purpose-built for the AI agent era. Bundled inside the ai-security-skills plugin.

| Play | What It Does |
|---|---|
| agent-security-audit | Audit agent permissions, prompt injection surfaces, data exfiltration paths, guardrails |
| agentic-ai-risk-assess | Assess agentic AI applications against OWASP Top 10 for Agentic Applications 2026 |
| ai-security-verification | Verify AI-driven applications against the OWASP AI Security Verification Standard (AISVS) |
| llm-risk-assess | Assess LLM applications against OWASP Top 10 for LLM Applications |
| mcp-server-review | Review MCP server implementations for overpermissioning, injection, data exposure |
| multi-agentic-threat-model | Threat-model multi-agent systems using the CSA MAESTRO 7-layer framework and OWASP Multi-Agentic System Guide v1.0 |
| prompt-injection-testing | Test LLM apps against 18 attack techniques, 20 evasions, 13 intents |

Code & Dependency Analysis plays

Immediate, practical value for any codebase. Bundled inside the code-security-skills plugin.

| Play | What It Does |
|---|---|
| sca-audit | Scan dependencies for known CVEs with reachability analysis |
| code-review-security | Systematic security code review mapped to OWASP Top 10 and ASVS |
| secrets-scan | Detect hardcoded credentials, API keys, and tokens |
| api-security-review | Review APIs against OWASP API Security Top 10 |
| owasp-top10-web-review | Web application review against OWASP Top 10 (2021) |
| mobile-code-review | Native Android/iOS source code review against OWASP MASVS v2.1.0 |
| iac-security-review | Review Terraform, Kubernetes, CloudFormation against CIS benchmarks and cloud security best practices |
| securability-engineering-review | Assess code against FIASSE v1.0.4/SSEM securable attributes: Maintainability, Trustworthiness, Reliability, and Transparency |

Planned

  • Tier 2: Threat modeling, ASVS verification, infrastructure hardening
  • Tier 3: WSTG testing checklist, DAST orchestration, attack surface mapping
  • Tier 5: SAMM maturity assessment, compliance mapping, aggregate reporting

Architecture

Three-layer design — every layer lives inside the plugin source folder so the marketplace install bundles everything the skills need:

  • plugins/<name>/agents/ — Autonomous security specialists with focused system prompts, co-located inside each plugin. Each agent invokes one or more skills, operates in an isolated context, and produces structured reports. Can work solo or as a coordinated team.
  • plugins/<name>/skills/ — Self-contained SKILL.md files following the Agent Skills spec. Distributed through plugins/code-security-skills/ and plugins/ai-security-skills/, registered in the marketplace via .claude-plugin/marketplace.json. Each skill summarizes a procedure and references its corresponding play inside the same plugin.
  • plugins/<name>/plays/ — Full reference procedures with detailed checklists, tables, decision criteria, and examples. Skills reference these for comprehensive coverage.
  • plugins/<name>/templates/ and plugins/<name>/data/ — Output templates (finding.md, report.md) and OWASP reference datasets (FIASSE v1.0.4, ASVS v5.0, secure-code prompts) that skills load at runtime.

Agents orchestrate, skills execute, plays provide the full procedure. Contributors edit plays. This means the playbook works with any AI agent (just point it at a play), while Claude Code users get plugin-based installation with agents and skills.

OWASP Foundation

All plays reference OWASP standards and datasets:

Related Projects

| Project | Relationship |
|---|---|
| OWASP Agent Skills Project | Proactive ASVS 5.0 guidance for AI coding agents — helps agents write secure code. We use their ASVS reference data in plugins/code-security-skills/data/asvs/. Complementary: they guide code generation, we find vulnerabilities in existing code. |
| Securability Engineering | Securable code generation (OWASP FIASSE) and secure code requirements (ASVS) via spec file analysis and generation constraint (benchmarked and tuned) for various AI code generation tools. |
| Arcanum PI Taxonomy | Prompt injection attack classification by Jason Haddix. Our prompt-injection-testing play is built on this taxonomy. CC BY 4.0. |
| OpenCRE | Cross-standard requirement mappings (CWE, ASVS, WSTG, NIST 800-53). We use OpenCRE links in findings for multi-framework traceability. |

Contributing

See CONTRIBUTING.md for detailed guidelines.

New plays should:

  • Solve one well-defined security task
  • Include clear trigger conditions (when should this play run?)
  • Follow a structured procedure with checkpoints
  • Produce findings using the in-plugin templates/finding.md format
  • Reference OWASP standards where applicable
  • Prefer existing tools (semgrep, trivy, osv-scanner, trufflehog) over reimplementing detection
  • Live inside the appropriate plugin's plays/ folder so they ship with the marketplace install

License

Licensed under Creative Commons Attribution 4.0 International (CC-BY-4.0). See THIRD_PARTY_NOTICES.md for attribution of upstream OWASP project content.
