CCM
/Skills
SkillsMCPMarketplacesDigestToolsAdvertise

This week in Claude

Every Monday: Claude Code, Agent SDK, MCP, and the Anthropic platform moves worth your time.

Skills by Category
Frontend DevelopmentBackend & APIsTesting & QASecurityDevOps & CI/CDGit & Pull RequestsDocumentationCode Review & QualityAI & Agent BuildingSkill Development
MCP Servers by Category
Sales & MarketingWeb & Browser AutomationDatabasesAI & LLM ToolsCloud & InfrastructureCommunication & MessagingDeveloper ToolsDesign & CreativeDocuments & KnowledgeSearch & Web Crawling
Marketplaces by Category
AI Agents & OrchestrationLLM IntegrationDevelopment ToolsFrontend & UIBackend & APIsDatabasesTesting & Code QualityDevOps & CloudSecurity & ComplianceGit & Version Control

Claude Code Marketplaces

Discover Claude Code plugins, extensions, and tools. Automatically updated directory of Anthropic Claude AI marketplaces with development tools, productivity plugins, and integrations.

Resources

  • Browse Skills
  • Browse MCP Servers
  • Browse Marketplaces
  • Plugins Reference

Community

  • About
  • Tools
  • Feedback
  • Privacy Policy
  • Advertise

Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Owasp Mobile Security Checker

harishwarrior/flutter-claude-skills
155 installs48 stars
Summary

Four Python scanners that automate the grunt work of mobile security audits: hardcoded secrets, vulnerable dependencies, network config issues, and insecure storage. Each spits out JSON with severity ratings so you can triage before release. The other six OWASP Mobile Top 10 risks need manual review, but you get a reference doc with Flutter-specific vulnerability patterns and code examples. Honest take: this won't replace a real pentest, but it's solid for catching the obvious stuff in CI or before you ship. Works best if you're already familiar with OWASP mobile risks and just need tooling to move faster.

Install to Claude Code

npx -y skills add harishwarrior/flutter-claude-skills --skill owasp-mobile-security-checker --agent claude-code

Installs into .claude/skills of the current project.

CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
Files
SKILL.mdView on GitHub

OWASP Mobile Security Checker

Requirements

  • Python 3.7+
  • Flutter/Dart project with pubspec.yaml
  • Android and/or iOS targets
  • Run scripts from the project root directory

Comprehensive security analysis for Flutter and mobile applications based on OWASP Mobile Top 10 (2024).

Automated Scanners

Four Python scanners cover the most automatable risk categories. Replace <skill-dir> with the skill's install path (e.g. ~/.claude/skills/owasp-mobile-security-checker):

M1 — Hardcoded Secrets

python3 <skill-dir>/scripts/scan_hardcoded_secrets.py /path/to/project

Detects API keys, tokens, passwords, AWS credentials, and Firebase keys in Dart code and config files.

M2 — Dependency Vulnerabilities

python3 <skill-dir>/scripts/check_dependencies.py /path/to/project

Analyzes pubspec.yaml for outdated packages, any version constraints, and known CVEs.

M5 — Network Security

python3 <skill-dir>/scripts/check_network_security.py /path/to/project

Checks HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS ATS settings.

M9 — Insecure Storage

python3 <skill-dir>/scripts/analyze_storage_security.py /path/to/project

Identifies unencrypted SharedPreferences, plaintext file storage, unencrypted databases, and insecure backup configurations.

Manual Analysis

M3, M4, M6, M7, M8, and M10 require code review. See references/owasp_mobile_top_10_2024.md for Flutter-specific vulnerability patterns, attack flows, and remediation for each category.

Workflow

Is this a comprehensive audit?
├─ YES → Run all 4 scanners → Review JSON outputs → Manual analysis (M3/M4/M6/M7/M8/M10) → Generate report
└─ NO → Continue...

Specific risk category?
├─ M1 → scan_hardcoded_secrets.py
├─ M2 → check_dependencies.py
├─ M5 → check_network_security.py
├─ M9 → analyze_storage_security.py
└─ M3/M4/M6/M7/M8/M10 → references/owasp_mobile_top_10_2024.md → manual analysis

Quick pre-release check?
└─ YES → Run all 4 scanners → Fix CRITICAL and HIGH findings only

Quick Start: Full Audit

# Run all automated scanners from the project root
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py .
python3 <skill-dir>/scripts/check_dependencies.py .
python3 <skill-dir>/scripts/check_network_security.py .
python3 <skill-dir>/scripts/analyze_storage_security.py .

# Outputs produced:
#   owasp_m1_secrets_scan.json
#   owasp_m2_dependencies_scan.json
#   owasp_m5_network_scan.json
#   owasp_m9_storage_scan.json
  1. Prioritise by severity — fix CRITICAL and HIGH before release
  2. For M3, M4, M6, M7, M8, M10 — see references/owasp_mobile_top_10_2024.md
  3. Generate remediation plan with code examples and timeline

OWASP Mobile Top 10 (2024) — Quick Reference

RiskIssueAutomated?Key Check
M1Hardcoded credentials✅ scannerAPI keys, tokens in source/config
M2Vulnerable dependencies✅ scannerOutdated or unconstrained packages
M3Weak authenticationManualToken storage, MFA, session expiry
M4Input validationManualSQL injection, XSS in WebViews, IDOR
M5Insecure communication✅ scannerHTTP usage, missing cert pinning
M6Privacy violationsManualPII in logs/analytics, excess permissions
M7No binary protectionsManualMissing --obfuscate, no root detection
M8MisconfigurationManualDebug flags in production, verbose logging
M9Insecure storage✅ scannerSensitive data in SharedPreferences
M10Weak cryptographyManualMD5/SHA1/ECB usage, hardcoded keys

Understanding Scan Results

SeverityMeaningAction
CRITICALExploitable immediatelyFix now — do not release
HIGHSignificant vulnerabilityFix before release
MEDIUMShould be addressedPlan for next sprint
LOWBest practice improvementAddress as time permits

Common False Positives

  • M1: Test/example keys, placeholders like YOUR_API_KEY
  • M2: Dev-only dependencies (linters, test tools)
  • M5: HTTP for localhost/127.0.0.1 in development
  • M9: Non-sensitive data in SharedPreferences (theme preference, language)

Always verify findings in context before flagging as vulnerabilities.

When NOT to Use

  • Web application security audits — this skill is mobile/Flutter-specific
  • Backend API or server security reviews
  • As a substitute for professional penetration testing or a formal security audit
  • Projects that do not use Flutter/Dart or pubspec.yaml

Reference Documentation

references/owasp_mobile_top_10_2024.md provides per-risk detail:

  • Real-world attack scenarios and examples
  • Flutter-specific vulnerability patterns (Dart code)
  • Insecure vs secure code examples
  • Platform-specific guidance (Android Keystore/NSC, iOS Keychain/ATS)
  • Full mitigation strategies

Integration Points

StageAction
Pre-commitRun scan_hardcoded_secrets.py as a lightweight secrets gate
Pull requestsRun all 4 scanners, post findings as PR comment
Release buildsFull audit including manual analysis for all 10 categories
Incident responseRun targeted scanner for the reported vulnerability category
Featured
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
Categories
SecurityMobile Development
First SeenJun 3, 2026
View on GitHub

Recommended

More Security →
security-and-hardening

addyosmani/agent-skills

security and hardening
11.7k
78.1k
owasp-security

hoodini/ai-agents-skills

owasp security
2.5k
247
unit-test-security-authorization

giuseppe-trisciuoglio/developer-kit

unit test security authorization
1.5k
304
owasp-security

agamm/claude-code-owasp

owasp security
1.3k
289
owasp-security-check

sergiodxa/agent-skills

owasp security check
1.2k
91
openclaw-security-hardening

aradotso/security-skills

openclaw security hardening
971
6