Tools

Skills

How sub-skills are loaded, by a phase on demand, and by you directly.

Skills (sub-skills)

🧠 Lagune's sub-skills are focused, language-agnostic security knowledge modules that load only on demand, never by default. They are not commands. The detect and verify phases reach for them while they run, and you can use one directly any time.

Access Control

Makes sure people can only see and do what they are allowed to, so no one can reach another user's data or admin-only actions just by changing a link or an ID.

OWASPLovable
Hover me!
@.lagune/skills/access-control.md

API Endpoint

Checks the doors your app exposes to the outside world, so requests from strangers can't pull private data or trigger actions they shouldn't.

OWASP
Hover me!
@.lagune/skills/api-endpoint.md

Browser

Guards what runs in your visitors' browsers, so an attacker can't inject code that steals logins or hijacks what your users see and click.

JavaScriptLovable
Hover me!
@.lagune/skills/browser.md

C / C++

Catches low-level memory mistakes that let attackers crash the program or run their own code on your server.

C / C++
Hover me!
@.lagune/skills/c-cpp.md

Container

Reviews how your app is packaged and deployed, so a break-in stays contained instead of handing an attacker the whole machine.

OWASPInfrastructure
Hover me!
@.lagune/skills/container.md

Credential Endpoint

Protects the login, signup, and password-reset flows, so attackers can't guess passwords, take over accounts, or reset someone else's.

OWASPLovable
Hover me!
@.lagune/skills/credential-endpoint.md

Crypto

Makes sure sensitive data is scrambled properly, so passwords, tokens, and personal info can't be read even if they leak.

OWASPLovable
Hover me!
@.lagune/skills/crypto.md

CSV

Keeps exported spreadsheets safe, so opening a downloaded file can't quietly run a harmful command on someone's computer.

OWASP
Hover me!
@.lagune/skills/csv.md

.NET

Covers security pitfalls specific to .NET apps that can let an attacker run their own code on your server.

.NET
Hover me!
@.lagune/skills/dotnet.md

Federation

Secures “sign in with Google/Microsoft/etc.” so an attacker can't impersonate a user or slip into an account that isn't theirs.

OWASP
Hover me!
@.lagune/skills/federation.md

Go

Covers security pitfalls specific to Go apps, especially subtle bugs that show up under real traffic.

Go
Hover me!
@.lagune/skills/go.md

HTTP Request

Inspects the data that arrives with each web request, so hidden or malicious input can't bend your app into doing the wrong thing.

OWASP
Hover me!
@.lagune/skills/http-request.md

Interpreter

Stops user input from being run as commands, so a form field or upload can't make your server execute an attacker's instructions.

OWASPLovable
Hover me!
@.lagune/skills/interpreter.md

Java

Covers security pitfalls specific to Java apps that can let an attacker run their own code on your server.

Java
Hover me!
@.lagune/skills/java.md

JavaScript

Covers security pitfalls specific to JavaScript and Node apps, from running untrusted code to reading files it shouldn't.

JavaScript
Hover me!
@.lagune/skills/javascript.md

LLM

Protects features built on AI models, so a cleverly worded message can't trick the AI into leaking data or misusing connected tools.

AI / LLMLovable
Hover me!
@.lagune/skills/llm.md

Network

Checks how your app talks to other services, so it can't be tricked into fetching or trusting something an attacker controls.

OWASP
Hover me!
@.lagune/skills/network.md

Path

Prevents attackers from wandering your server's files, so they can't read private files or overwrite important ones by manipulating a filename.

OWASP
Hover me!
@.lagune/skills/path.md

Payment

Secures checkout and billing, so no one can tamper with prices, dodge payment, or replay a charge.

OWASPLovable
Hover me!
@.lagune/skills/payment.md

PHP

Covers security pitfalls specific to PHP apps that can let an attacker run their own code or bypass a login.

PHP
Hover me!
@.lagune/skills/php.md

Python

Covers security pitfalls specific to Python apps, especially loading untrusted data that can run an attacker's code.

Python
Hover me!
@.lagune/skills/python.md

Regex

Makes sure text checks are safe and efficient, so a malicious input can't freeze your app by overloading it.

OWASP
Hover me!
@.lagune/skills/regex.md

Ruby

Covers security pitfalls specific to Ruby apps, especially loading untrusted data that can run an attacker's code.

Ruby
Hover me!
@.lagune/skills/ruby.md

Rust

Covers security pitfalls specific to Rust apps, especially unsafe code that can corrupt memory or crash the program.

Rust
Hover me!
@.lagune/skills/rust.md

Serverless

Reviews cloud functions and their permissions, so a single function can't be abused to reach far more than it should.

OWASPInfrastructureLovable
Hover me!
@.lagune/skills/serverless.md

Supabase

Locks down your Supabase backend, so your database rules actually hold and secret keys don't end up exposed to the public.

Lovable
Hover me!
@.lagune/skills/supabase.md

Transport

Makes sure data travels over a secure, encrypted connection, so it can't be read or altered on the way between your users and your app.

OWASP
Hover me!
@.lagune/skills/transport.md

Upload

Keeps file uploads safe, so someone can't upload a disguised file that runs code, overwrites data, or fills up your storage.

OWASP
Hover me!
@.lagune/skills/upload.md

XML

Secures how your app reads XML data, so a crafted file can't leak server files or knock your app offline.

OWASP
Hover me!
@.lagune/skills/xml.md

Copyright © 2026-present Weslley Araújo and contributors. SDH: Lagune is under the MIT License. Please check the Security Policy.

All product names, trademarks, and registered trademarks mentioned are the property of their respective owners and are used for identification purposes only.