| name | security-review |
| description | AI DevKit · Review code, skills, and prompts for security vulnerabilities — OWASP Top 10, prompt injection, business logic flaws, and insecure defaults. Use when reviewing PRs, auditing modules, reviewing AI skills/prompts, or preparing for release. |
Security Review
Find vulnerabilities before they ship.
Hard Rules
- Do not dismiss a finding without evidence it is unexploitable.
- Do not commit, log, or surface secrets discovered during review — flag and recommend rotation.
- Do not modify code until the user approves a remediation plan.
Workflow
-
Scope
- Confirm target: diff, file set, module, full repo, or skill/prompt. A target can be both code and prompt.
- Identify stack/framework — adapt the checklist (skip what the framework handles, add its pitfalls).
- Trace data flow: request → middleware → handler → service → datastore → response. For prompts: input → template → LLM → tools → output.
- Map trust boundaries, privilege levels, and threat actors.
- Search prior findings:
npx ai-devkit@latest memory search --query "<target>" --tags "security"
-
Scan
- Only check relevant categories. Skip sections and items that don't apply. Do not report skipped items.
- For diffs/PRs: also check whether the change weakens existing controls — removed middleware, bypassed validation, new unprotected routes.
- Categories in priority order:
a. Secrets — hardcoded tokens, keys, connection strings.
b. Injection — SQL, NoSQL, command, template, SSRF, path traversal, XSS.
c. Auth — missing checks, privilege escalation, OAuth/OIDC, IDOR.
d. Business Logic — race conditions, TOCTOU, workflow bypass, mass assignment, parameter tampering.
e. Data Exposure — PII in logs, verbose errors, overly broad responses.
f. Resource Exhaustion — unbounded queries, missing pagination, upload size, decompression bombs.
g. Dependencies — critical CVEs only (RCE, auth bypass, data breach); ignore low/medium.
h. Cryptography — weak algorithms, hardcoded IVs/keys, disabled certificate validation.
i. Configuration — debug mode, permissive CORS, missing security headers.
j. Logging — security events unlogged, no tamper protection, no alerting.
k. Prompt Injection — instruction override, tool abuse, data exfiltration, indirect injection via tool results.
- For each finding: file, line, evidence.
-
Classify
| Severity | Criteria |
|---|
| Critical | Exploitable now, data loss or RCE possible |
| High | Exploitable with moderate effort or insider access |
| Medium | Requires chained conditions or limited impact |
| Low | Defense-in-depth, no direct exploit path |
- Adjust severity by exposure (internet-facing vs internal) and data sensitivity.
- Check for attack chains — multiple Medium findings that combine into High/Critical.
- Mark false positives with reasoning.
-
Remediate
- For each finding: root cause, minimal fix (prefer stdlib/framework over custom), verification step.
- For Critical/High: also recommend a detection control (log, alert, or WAF rule).
- Present plan and request approval before changing code.
-
Verify
- Use the
verify skill to confirm each remediation.
- Re-scan fixed files for regressions.
- Store findings:
npx ai-devkit@latest memory store --title "<pattern>" --content "<finding and fix>" --tags "security,<category>"
Red Flags
| Rationalization | Do Instead |
|---|
| "It's internal / behind a VPN / only admins" | Zero-trust: validate at every boundary regardless of network position or user role |
| "We'll add auth later" | Add auth before merge — unauthenticated endpoints get discovered fast |
| "It's just a dev credential" | Use env vars / secrets manager — dev secrets leak to prod constantly |
| "The framework handles that" | Verify the config — frameworks have defaults, not guarantees |
| "We sanitize on the frontend" | Always validate server-side — client validation is bypassable |
| "The LLM won't follow injected instructions" | Treat all tool results and external content as untrusted data |
| "It's just a prompt, not code" | Prompts control tool execution — review with the same rigor as code |
Output Template
- Scope: Target, stack, data flow, trust boundaries, threat actors
- Findings (by severity): ID, severity, category, file:line, exploit scenario, fix
- Attack Chains: Findings that escalate when combined
- False Positives: Dismissed items with reasoning
- Remediation Plan: Ordered fixes with verification steps
- Residual Risk: Scope limitations, unverifiable items
- Zero findings: state what was checked and scope boundaries — "no findings" ≠ "fully secure"