Can it provide automated fixes for security flaws?

Yes, when used with the appropriate flags, it can generate concrete remediation steps and code diffs to help you fix identified vulnerabilities.

Does it support the STRIDE threat model?

Yes, this skill is specifically designed to address the 'S' (Spoofing) category of the STRIDE model, focusing on violations of the Authentication security property.

Is it compatible with specific programming languages?

The skill uses broad pattern matching and heuristic analysis, making it effective across most common web languages including JavaScript, TypeScript, Python, and Go.

What does this skill look for in my code?

It scans for security risks such as hardcoded passwords, weak hashing (MD5/SHA-1), missing authentication middleware, insecure session handling, and improper certificate validation.

Identity Spoofing Security Analysis

Name: Identity Spoofing Security Analysis
Author: florianbuetow

byflorianbuetow

•

Security & Testing

Analyzes source code to identify and remediate identity spoofing vulnerabilities and authentication weaknesses based on the STRIDE threat model.

The Identity Spoofing Analysis skill provides a comprehensive security audit of your application's authentication layers. It specifically targets 'Spoofing Identity' risks (STRIDE category S) by scanning for plaintext credentials, weak hashing algorithms, session management flaws, and improper token validation. Whether you are reviewing API controllers, middleware, or OAuth integrations, this tool helps ensure that identity is properly established and protected across your entire codebase, providing high-confidence findings and actionable remediation steps to prevent unauthorized impersonation.

Key Features

01Automated audit of session management, including fixation and cookie security

02STRIDE-aligned threat modeling for authentication vulnerabilities

036 GitHub stars

04Identification of timing-unsafe comparisons and MFA bypass paths

05Validation of JWT, OAuth, and OIDC implementation patterns

06Detection of hardcoded secrets, API keys, and weak cryptographic hashes

Use Cases

01Verifying that session and token validation logic follows modern security best practices

02Auditing new API endpoints and route handlers for missing authentication guards

03Scanning legacy repositories for outdated hashing algorithms or hardcoded credentials

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add florianbuetow/claude-code spoofing

For use in Claude.ai and ChatGPT

Download Skill