Skill Being Reviewed
Skill name: owasp-top-10-web
Skill path: skills/appsec/owasp-top-10-web/SKILL.md
False Positive Analysis
Benign code/configuration that can be over-flagged:
Set-Cookie: __Host-session=opaque; Secure; HttpOnly; SameSite=Lax; Path=/
// SPA keeps only a short-lived CSRF nonce in sessionStorage
Why this is a false positive:
Set-Cookie: __Host-session=opaque; Secure; HttpOnly; SameSite=Lax; Path=/ already carries every flag a session cookie should: Secure, HttpOnly, SameSite=Lax, and the __Host- prefix, which browsers only honour with Secure, Path=/ and no Domain attribute. A short-lived CSRF nonce in sessionStorage is not a bearer credential, so this pair is safe when the compensating evidence (CSRF handling, rotation, fixation control) is present. The current skill does not ask reviewers to distinguish that evidence from the risky pattern, so it gets flagged alongside a JWT in localStorage. The review should require proof of the guardrail before escalating severity, and treat this configuration as the baseline to compare against.
Coverage Gaps
Missed variant 1:
localStorage.setItem("access_token", jwt);
fetch("/api/export", { headers: { Authorization: `Bearer ${localStorage.access_token}` } })
Why it should be caught:
A JWT in localStorage is readable by any script running in the origin, so one XSS bug or one compromised third-party script exfiltrates a replayable bearer token with no user interaction, and the token keeps working until it expires. The high-level checklist language ("protect session tokens", "use HTTPS") is still satisfied on paper, so nothing in the current skill forces the reviewer to ask where the token lives and who can read it.
Missed variant 2:
Set-Cookie: session=signed; SameSite=None
// missing Secure on cross-site cookie used by embedded admin widget
Why it should be caught:
SameSite=None declares that the cookie is sent on cross-site requests, which is exactly the case that needs Secure (modern browsers reject SameSite=None without Secure outright) and explicit CSRF proof from the embedding widget; HttpOnly is also missing. This is a common production edge case where the policy exists on paper but nothing binds the runtime behavior or leaves an evidence trail, and the likely "fix" when the widget breaks is to drop SameSite altogether.
Edge Cases
HttpOnly cookies can be safe, but only if CSRF, rotation, path/domain scoping, and session fixation controls are evidenced. Browser storage can be acceptable for non-secret nonce state, but not bearer tokens.
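The evidence gate described by the false positive, the two missed variants and the edge-case rule above, as an added example (this is illustration code, not part of the reviewed skill). It parses a Set-Cookie header, scans client source for web-storage writes of credential-looking keys, and only escalates severity when a bearer token is exposed or a guardrail is neither present nor evidenced. The function names, the four-step severity scale and the `csrfProof` / `rotationOnLogin` evidence flags are assumptions made for this illustration.

```javascript
// Added example (not from the reviewed skill): an evidence gate for session
// token handling. Function names, the severity scale and the `evidence`
// flags are assumptions made for this illustration.

// Parse one Set-Cookie value into { name, value, attrs } with lowercase attribute keys.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, v] = part.split("=");
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// Findings for a session cookie. An empty list means every flag the
// checklist asks for is present and correctly scoped.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!attrs.secure) findings.push("missing Secure");
  if (!attrs.httponly) findings.push("missing HttpOnly");
  if (sameSite === "none") {
    // Browsers reject SameSite=None without Secure, so the widget either
    // breaks or someone drops SameSite entirely.
    if (!attrs.secure) findings.push("SameSite=None without Secure");
    findings.push("cross-site cookie: require CSRF proof");
  } else if (!sameSite) {
    findings.push("SameSite not set: require CSRF proof");
  }
  if (name.startsWith("__Host-")) {
    // __Host- is only honoured with Secure, Path=/ and no Domain attribute.
    if (!attrs.secure || attrs.path !== "/" || "domain" in attrs) {
      findings.push("__Host- prefix requirements not met");
    }
  } else {
    findings.push("no __Host- prefix: verify Domain/Path scoping");
  }
  return findings;
}

// Web-storage writes: localStorage.setItem("k", v) or localStorage.k = v.
// Reads (localStorage.k inside a template literal) are not matched.
const STORAGE_WRITE =
  /(localStorage|sessionStorage)\.(?:setItem\(\s*["']([^"']+)["']|([A-Za-z_$][\w$]*)\s*=(?!=))/g;
// Keys that denote a replayable credential rather than UI state.
const CREDENTIAL_KEY = /token|jwt|bearer|session|secret|credential/i;

function auditStorageWrites(source) {
  const findings = [];
  for (const m of source.matchAll(STORAGE_WRITE)) {
    const key = m[2] || m[3];
    findings.push({ store: m[1], key, severity: CREDENTIAL_KEY.test(key) ? "High" : "Info" });
  }
  return findings;
}

// Combine both audits with reviewer-supplied evidence (assumed flags).
function classify(cookieHeader, clientSource, evidence) {
  const cookie = auditSessionCookie(cookieHeader);
  const storage = auditStorageWrites(clientSource);
  // A bearer token readable by any injected script is exploitable regardless of cookie flags.
  if (storage.some((f) => f.severity === "High")) return "High";
  const needsCsrf = cookie.some((f) => f.endsWith("require CSRF proof"));
  if (needsCsrf && !evidence.csrfProof) return "Medium";
  if (cookie.some((f) => f.startsWith("missing") || f.startsWith("SameSite=None without"))) return "Medium";
  // Flags are right; fixation control still has to be evidenced before closing the finding.
  if (!evidence.rotationOnLogin) return "Low";
  return "Info";
}
```

Run against the page's own inputs, the __Host- cookie plus the sessionStorage nonce comes back "Info" once CSRF and rotation are evidenced, the localStorage JWT comes back "High" even with a perfect cookie, and the SameSite=None cookie without Secure comes back "Medium" until the widget's CSRF proof is supplied.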
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Semgrep | Partial | Can detect localStorage token writes but not cookie rotation or CSRF evidence. |
| CodeQL | Partial | Can find unsafe cookie construction in some frameworks but not deployment attributes. |
| Browser security headers scanners | Partial | See cookie flags, not application token lifetime or fixation tests. |
Overall Assessment
Strengths:
The skill covers broad OWASP web risks and maps findings clearly to Top 10 categories.
Needs improvement:
Session storage guidance needs a sharper evidence gate so reviewers separate exploitable bearer-token exposure from benign browser state.
Priority recommendations:
- Add a session-token handling checklist with cookie flags, token lifetime, rotation, and fixation evidence.
- Require separate severity for bearer tokens in local/session storage versus non-secret UI state.
- Ask for CSRF proof when SameSite is weak or cross-site embedding is intentional.
Bounty Info