Install
Quick install
npx skills add https://github.com/semgrep/skills/tree/HEAD/skills/llm-securitynpx skills add semgrep/skills --skill llm-security --agent claude-codenpx skills add semgrep/skills --skill llm-security --agent cursornpx skills add semgrep/skills --skill llm-security --agent codexnpx skills add semgrep/skills --skill llm-security --agent opencodenpx skills add semgrep/skills --skill llm-security --agent github-copilotnpx skills add semgrep/skills --skill llm-security --agent windsurfMore install options
Shorthand — useful for multi-skill repos:
npx skills add semgrep/skills --skill llm-securityManual — clone the repo and drop the folder into your agent's skills directory:
git clone https://github.com/semgrep/skills.gitcp -r skills/skills/llm-security ~/.claude/skills/llm-security
Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or…
llm-securityby semgrep
Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or…npx skills add https://github.com/semgrep/skills --skill llm-securityDownload ZIPGitHub
LLM Security Guidelines (OWASP Top 10 for LLM 2025)
Security rules for building secure LLM applications, based on the OWASP Top 10 for LLM Applications 2025.
How to Use This Skill
Proactive mode — When building or reviewing LLM applications, automatically check for relevant security risks based on the application pattern. You don't need to wait for the user to ask about LLM security.
Reactive mode — When the user asks about LLM security, use the mapping below to find relevant rule files with detailed vulnerable/secure code examples.
Workflow
- Identify what the user is building (see "What Are You Building?" below)
- Check the priority rules for that pattern
- Read the specific rule files from
rules/for code examples
- Apply the secure patterns or flag vulnerable ones
What Are You Building?
Use this to quickly identify which rules matter most for the user's task:
Building...Priority RulesChatbot / conversational AIPrompt Injection (LLM01), System Prompt Leakage (LLM07), Output Handling (LLM05), Unbounded Consumption (LLM10)RAG systemVector/Embedding Weaknesses (LLM08), Prompt Injection (LLM01), Sensitive Disclosure (LLM02), Misinformation (LLM09)AI agent with toolsExcessive Agency (LLM06), Prompt Injection (LLM01), Output Handling (LLM05), Sensitive Disclosure (LLM02)Fine-tuning / trainingData Poisoning (LLM04), Supply Chain (LLM03), Sensitive Disclosure (LLM02)LLM-powered APIUnbounded Consumption (LLM10), Prompt Injection (LLM01), Output Handling (LLM05), Sensitive Disclosure (LLM02)Content generationMisinformation (LLM09), Output Handling (LLM05), Prompt Injection (LLM01)
Categories
Critical Impact
- LLM01: Prompt Injection (
rules/prompt-injection.md) - Prevent direct and indirect prompt manipulation
- LLM02: Sensitive Information Disclosure (
rules/sensitive-disclosure.md) - Protect PII, credentials, and proprietary data
- LLM03: Supply Chain (
rules/supply-chain.md) - Secure model sources, training data, and dependencies
- LLM04: Data and Model Poisoning (
rules/data-poisoning.md) - Prevent training data manipulation and backdoors
- LLM05: Improper Output Handling (
rules/output-handling.md) - Sanitize LLM outputs before downstream use
High Impact
- LLM06: Excessive Agency (
rules/excessive-agency.md) - Limit LLM permissions, functionality, and autonomy
- LLM07: System Prompt Leakage (
rules/system-prompt-leakage.md) - Protect system prompts from disclosure
- LLM08: Vector and Embedding Weaknesses (
rules/vector-embedding.md) - Secure RAG systems and embeddings
- LLM09: Misinformation (
rules/misinformation.md) - Mitigate hallucinations and false outputs
- LLM10: Unbounded Consumption (
rules/unbounded-consumption.md) - Prevent DoS, cost attacks, and model theft
See rules/_sections.md for the full index with OWASP/MITRE references.
Quick Reference
VulnerabilityKey PreventionPrompt InjectionInput validation, output filtering, privilege separationSensitive DisclosureData sanitization, access controls, encryptionSupply ChainVerify models, SBOM, trusted sources onlyData PoisoningData validation, anomaly detection, sandboxingOutput HandlingTreat LLM as untrusted, encode outputs, parameterize queriesExcessive AgencyLeast privilege, human-in-the-loop, minimize extensionsSystem Prompt LeakageNo secrets in prompts, external guardrailsVector/EmbeddingAccess controls, data validation, monitoringMisinformationRAG, fine-tuning, human oversight, cross-verificationUnbounded ConsumptionRate limiting, input validation, resource monitoring
Key Principles
- Never trust LLM output - Validate and sanitize all outputs before use
- Least privilege - Grant minimum necessary permissions to LLM systems
- Defense in depth - Layer multiple security controls
- Human oversight - Require approval for high-impact actions
- Monitor and log - Track all LLM interactions for anomaly detection
References
- OWASP Top 10 for LLM Applications 2025
- MITRE ATLAS - Adversarial Threat Landscape for AI Systems
- NIST AI Risk Management Framework
More skills from semgrep
setup-semgrep-pluginby semgrepSet up the Semgrep plugin by installing Semgrep, authenticating, and verifying compatibilitycode-securityby semgrepSecurity guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…semgrepby semgrepRun Semgrep static analysis scans and create custom detection rules. Use when asked to scan code with Semgrep, find security vulnerabilities, write custom YAML…---
Source: https://github.com/semgrep/skills/tree/HEAD/skills/llm-security
Author: semgrep
Discovered via: mcpservers.org
SKILL.md source
--- name: llm-security description: Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or… --- # llm-security Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or… # llm-securityby semgrep Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or… `npx skills add https://github.com/semgrep/skills --skill llm-security`Download ZIPGitHub ## LLM Security Guidelines (OWASP Top 10 for LLM 2025) Security rules for building secure LLM applications, based on the OWASP Top 10 for LLM Applications 2025. ## How to Use This Skill Proactive mode — When building or reviewing LLM applications, automatically check for relevant security risks based on the application pattern. You don't need to wait for the user to ask about LLM security. Reactive mode — When the user asks about LLM security, use the mapping below to find relevant rule files with detailed vulnerable/secure code examples. ### Workflow * Identify what the user is building (see "What Are You Building?" below) * Check the priority rules for that pattern * Read the specific rule files from `rules/` for code examples * Apply the secure patterns or flag vulnerable ones ## What Are You Building? Use this to quickly identify which rules matter most for the user's task: Building...Priority RulesChatbot / conversational AIPrompt Injection (LLM01), System Prompt Leakage (LLM07), Output Handling (LLM05), Unbounded Consumption (LLM10)RAG systemVector/Embedding Weaknesses (LLM08), Prompt Injection (LLM01), Sensitive Disclosure (LLM02), Misinformation (LLM09)AI agent with toolsExcessive Agency (LLM06), Prompt Injection (LLM01), Output Handling (LLM05), Sensitive Disclosure (LLM02)Fine-tuning / trainingData Poisoning (LLM04), Supply Chain (LLM03), Sensitive Disclosure (LLM02)LLM-powered APIUnbounded Consumption (LLM10), Prompt Injection (LLM01), Output Handling (LLM05), Sensitive Disclosure (LLM02)Content generationMisinformation (LLM09), Output Handling (LLM05), Prompt Injection (LLM01) ## Categories ### Critical Impact * LLM01: Prompt Injection (`rules/prompt-injection.md`) - Prevent direct and indirect prompt manipulation * LLM02: Sensitive Information Disclosure (`rules/sensitive-disclosure.md`) - Protect PII, credentials, and proprietary data * LLM03: Supply Chain (`rules/supply-chain.md`) - Secure model sources, training data, and dependencies * LLM04: Data and Model Poisoning (`rules/data-poisoning.md`) - Prevent training data manipulation and backdoors * LLM05: Improper Output Handling (`rules/output-handling.md`) - Sanitize LLM outputs before downstream use ### High Impact * LLM06: Excessive Agency (`rules/excessive-agency.md`) - Limit LLM permissions, functionality, and autonomy * LLM07: System Prompt Leakage (`rules/system-prompt-leakage.md`) - Protect system prompts from disclosure * LLM08: Vector and Embedding Weaknesses (`rules/vector-embedding.md`) - Secure RAG systems and embeddings * LLM09: Misinformation (`rules/misinformation.md`) - Mitigate hallucinations and false outputs * LLM10: Unbounded Consumption (`rules/unbounded-consumption.md`) - Prevent DoS, cost attacks, and model theft See `rules/_sections.md` for the full index with OWASP/MITRE references. ## Quick Reference VulnerabilityKey PreventionPrompt InjectionInput validation, output filtering, privilege separationSensitive DisclosureData sanitization, access controls, encryptionSupply ChainVerify models, SBOM, trusted sources onlyData PoisoningData validation, anomaly detection, sandboxingOutput HandlingTreat LLM as untrusted, encode outputs, parameterize queriesExcessive AgencyLeast privilege, human-in-the-loop, minimize extensionsSystem Prompt LeakageNo secrets in prompts, external guardrailsVector/EmbeddingAccess controls, data validation, monitoringMisinformationRAG, fine-tuning, human oversight, cross-verificationUnbounded ConsumptionRate limiting, input validation, resource monitoring ## Key Principles * Never trust LLM output - Validate and sanitize all outputs before use * Least privilege - Grant minimum necessary permissions to LLM systems * Defense in depth - Layer multiple security controls * Human oversight - Require approval for high-impact actions * Monitor and log - Track all LLM interactions for anomaly detection ## References * OWASP Top 10 for LLM Applications 2025 * MITRE ATLAS - Adversarial Threat Landscape for AI Systems * NIST AI Risk Management Framework ## More skills from semgrep setup-semgrep-pluginby semgrepSet up the Semgrep plugin by installing Semgrep, authenticating, and verifying compatibilitycode-securityby semgrepSecurity guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for…semgrepby semgrepRun Semgrep static analysis scans and create custom detection rules. Use when asked to scan code with Semgrep, find security vulnerabilities, write custom YAML… --- **Source**: https://github.com/semgrep/skills/tree/HEAD/skills/llm-security **Author**: semgrep **Discovered via**: mcpservers.org
Related skills 6
azure-validate
Pre-deployment validation for Azure readiness. Run deep checks on configuration, infrastructure (Bicep or Terraform), RBAC role assignments, managed identity permissions, and prerequisites before deploying. WHEN: validate my app, check deployment readiness, run preflight checks, verify configuration, check if ready to deploy, validate azure.yaml, validate Bicep, test before deploying, troubleshoot deployment errors, validate Azure Functions, validate function app, validate serverless deployme...
entra-app-registration
Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance.
azure-rbac
Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.
azure-compliance
Run Azure compliance and security audits with azqr plus Key Vault expiration checks. Covers best-practice assessment, resource review, policy/compliance validation, and security posture checks. WHEN: compliance scan, security audit, BEFORE running azqr (compliance cli tool), Azure best practices, Key Vault expiration check, expired certificates, expiring secrets, orphaned resources, compliance assessment.
azure-enterprise-infra-planner
Architect and provision enterprise Azure infrastructure from workload descriptions. For cloud architects and platform engineers planning networking, identity, security, compliance, and multi-resource topologies with WAF alignment. Generates Bicep or Terraform directly (no azd). WHEN: 'plan Azure infrastructure', 'architect Azure landing zone', 'design hub-spoke network', 'plan multi-region DR topology', 'set up VNets firewalls and private endpoints', 'subscription-scope Bicep deployment', 'Az...
azure-kubernetes
Plan, create, and configure production-ready Azure Kubernetes Service (AKS) clusters. Covers Day-0 checklist, SKU selection (Automatic vs Standard), networking options (private API server, Azure CNI Overlay, egress configuration), security, and operations (autoscaling, upgrade strategy, cost analysis). WHEN: create AKS environment, provision AKS environment, enable AKS observability, design AKS networking, choose AKS SKU, secure AKS, optimize AKS, rightsize AKS pod, AKS spot nodes, AKS cluste...