plugins/senior-review/skills/defect-taxonomy/SKILL.md
Comprehensive defect taxonomy knowledge base -- 16 macro-categories, 140+ subcategories of source code defects with CWE/OWASP mappings, detection strategies, fix patterns, and review frameworks. Used by senior-review agents (code-auditor, security-auditor, ui-race-auditor) to enrich analysis with structured defect knowledge.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```
npx skillsauth add acaprino/alfio-claude-plugins defect-taxonomy
```
Unified classification of source code defects synthesizing MITRE CWE, OWASP Top 10, NASA Power of 10, IBM ODC, IEEE 1044, and Beizer's taxonomy into actionable detection references.
Load relevant references based on the code domain under review. Do NOT load all files -- select only what applies.
| Reference | When to load |
|-----------|-------------|
| references/concurrency-state.md | Concurrent/parallel code, shared state, async patterns, closures, variable scoping |
| references/logic-types.md | Comparisons, boolean logic, type conversions, generics, serialization |
| references/memory-resources.md | Memory management (C/C++/Rust), resource lifecycle, error handling, performance bottlenecks |
| references/security.md | Security review -- injection, auth, crypto, secrets, CORS, SSRF, input validation |
| references/distributed-integration.md | Microservices, APIs, distributed state, message queues, service mesh, migrations |
| references/data-design-ops.md | Database/ORM, design patterns, build/deploy, testing, observability |
| references/detection-matrix.md | Cross-cutting: detection channels per category, language-weighted focus, ROI prioritization |
| references/review-frameworks.md | Always load for code-auditor. Contains cognitive models, failure flow methodology, anti-pattern checklist, mental models, and the severity/scoring system |