Skip to main content
Glama

owasp_audit

owasp_audit
Read-onlyIdempotent

Review TypeScript/JavaScript code against OWASP Top 10 (2025) categories, providing evidence-based security issue detection with CWE references and honest strength ratings. Advisory tool requiring acknowledgment.

Instructions

Operator tool for OWASP Top 10 (2025) review: scan indexed TS/JS files for evidence-backed security issues mapped to OWASP categories (A01 broken access control, A02 misconfiguration, A04 crypto failures, A05 injection, A07 auth failures, A10 exceptional conditions) with CWE references and a direct_evidence/weak_signal honesty strength. Always returns a full 10-category coverage section, explicitly naming categories it does not statically check (A03 supply chain, A06 insecure design, A08 integrity, A09 logging). Advisory and heuristic — requires acknowledgeAdvisory:true; not a replacement for dedicated SAST/SCA. Read-only; does not persist findings.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
freshenNo
maxFilesNo
projectIdNo
categoriesNo
projectRefNo
maxPerSectionNo
includeFullResultsNo
acknowledgeAdvisoryYes

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
_hintsYes
resultYes
toolNameYes
projectIdYes
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already declare readOnlyHint and idempotentHint. The description adds important behavioral context: it is read-only, does not persist findings, uses direct_evidence/weak_signal honesty strength, and always returns a full 10-category coverage section. No contradictions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single dense paragraph that front-loads the main purpose and then details. Every sentence adds value, though it could be slightly more concise. Well-structured.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a complex tool with 8 parameters and an output schema, the description adequately covers purpose, scope, and advisory nature. However, missing parameter explanations for 6 of 8 parameters leave gaps in completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters2/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must explain parameters. It only covers categories and acknowledgeAdvisory. It does not explain freshen, maxFiles, projectId, projectRef, maxPerSection, or includeFullResults. This is a significant gap.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it is for OWASP Top 10 (2025) review of TS/JS files, listing specific categories and explicitly naming those it does not check. This distinguishes it from sibling tools like tenant_leak_audit.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit usage guidance: it is advisory/heuristic, requires acknowledgeAdvisory:true, and is not a replacement for dedicated SAST/SCA. It does not mention alternative tools but gives clear when-to-use and when-not-to-use context.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/drhalto/agentmako'

If you have feedback or need assistance with the MCP directory API, please join our Discord server