بنقرة واحدة
security-review
Run a comprehensive security review on code
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Run a comprehensive security review on code
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | security-review |
| description | Run a comprehensive security review on code |
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
This skill activates when:
Delegates to the security-reviewer agent (THOROUGH tier) for deep security analysis:
OWASP Top 10 Scan
Secrets Detection
Input Validation
Authentication/Authorization
Dependency Security
npm audit for known vulnerabilitiesdelegate(
role="security-reviewer",
tier="THOROUGH",
prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)
Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)
The security-reviewer agent SHOULD consult Qwen Code for cross-validation.
Before first MCP tool use, call ToolSearch("mcp") to discover deferred MCP tools.
Use mcp__x__ask_qwen with agent_role: "security-reviewer".
If ToolSearch finds no MCP tools, fall back to the security-reviewer agent.
Note: Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.
SECURITY REVIEW REPORT
======================
Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z
CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
Finding: AWS API key hardcoded in source code
Impact: Credential exposure if code is public or leaked
Remediation: Move to environment variables, rotate key immediately
Reference: OWASP A02:2021 – Cryptographic Failures
2. src/db/query.ts:45 - SQL Injection Vulnerability
Finding: User input concatenated directly into SQL query
Impact: Attacker can execute arbitrary SQL commands
Remediation: Use parameterized queries or ORM
Reference: OWASP A03:2021 – Injection
HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
Finding: Passwords hashed with MD5 (cryptographically broken)
Impact: Passwords can be reversed via rainbow tables
Remediation: Use bcrypt or argon2 with appropriate work factor
Reference: OWASP A02:2021 – Cryptographic Failures
4. src/components/UserInput.tsx:67 - XSS Vulnerability
Finding: User input rendered with dangerouslySetInnerHTML
Impact: Cross-site scripting attack vector
Remediation: Sanitize HTML or use safe rendering
Reference: OWASP A03:2021 – Injection (XSS)
5. src/api/upload.ts:34 - Path Traversal Vulnerability
Finding: User-controlled filename used without validation
Impact: Attacker can read/write arbitrary files
Remediation: Validate and sanitize filenames, use allowlist
Reference: OWASP A01:2021 – Broken Access Control
...
MEDIUM (8)
----------
...
LOW (12)
--------
...
DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:
CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
Installed: axios@0.21.0
Fix: npm install axios@0.21.2
HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
Installed: lodash@4.17.19
Fix: npm install lodash@4.17.21
...
OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies
Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
The security-reviewer agent verifies:
CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft) HIGH - Vulnerability requiring specific conditions but serious impact MEDIUM - Security weakness with limited impact or difficult exploitation LOW - Best practice violation or minor security concern
Good: The user says continue after the workflow already has a clear next step. Continue the current branch of work instead of restarting or re-asking the same question.
Good: The user changes only the output shape or downstream delivery step (for example make a PR). Preserve earlier non-conflicting workflow constraints and apply the update locally.
Bad: The user says continue, and the workflow restarts discovery or stops before the missing verification/evidence is gathered.
With Team:
/team "run security review on authentication module"
Uses: explore → security-reviewer → executor → security-reviewer (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.
Diagnose and fix oh-my-qwencode installation issues
Guide on using oh-my-qwencode plugin
Run deep investigation of architecture, bugs, performance issues, or dependencies and return structured findings with file:line evidence. Use when a user says 'analyze', 'investigate', 'why does', 'what's causing', or needs root cause analysis before making changes. Routes to architect agent or Qwen Code MCP for thorough cross-file reasoning.
Ask Claude via local CLI and capture a reusable artifact
Ask Gemini via local CLI and capture a reusable artifact
Full autonomous execution from idea to working code