| name | security-review |
| description | Use when reviewing or fixing security issues, auth bypass, authorization, input validation, injection, XSS, CSRF, secrets, sensitive data leaks, rate limits, tenant isolation, or unsafe dependencies. |
Security Review
Use this skill to find and fix security risks without changing unrelated behavior.
Rules
- Follow the project’s existing security, auth, validation, logging, and error-handling patterns.
- Do not add a new security library, auth system, scanner, or policy framework unless already used or explicitly requested.
- Prioritize exploitable risks over theoretical cleanup.
- Never expose secrets, tokens, passwords, private keys, stack traces, or sensitive data.
- Do not weaken authentication, authorization, validation, encryption, or tenant isolation.
- Preserve existing behavior unless it is unsafe.
- Avoid unrelated refactors.
Inspect First
Before changing security-sensitive code, check existing patterns for:
- authentication
- authorization
- roles/permissions
- tenant/user scoping
- input validation
- output escaping
- CSRF/CORS
- rate limiting
- secret handling
- logging/redaction
- file upload rules
- dependency/security tooling
- tests
Review Checklist
Check for:
- missing authentication
- missing authorization
- IDOR / broken object-level access control
- cross-tenant data access
- SQL/NoSQL/command injection
- XSS or unsafe HTML rendering
- CSRF on state-changing requests
- unsafe CORS
- mass assignment
- insecure file upload
- weak token/session handling
- secrets committed or logged
- sensitive data in errors/logs/responses
- missing rate limits on abuse-prone endpoints
- unsafe redirects
- dependency or config risks
Fix Rules
- Validate input at boundaries.
- Enforce authorization server-side.
- Use allowlists for sort/filter/action fields.
- Use parameterized queries or safe query builders.
- Escape or sanitize output according to project pattern.
- Keep errors generic and safe.
- Redact sensitive logs.
- Add rate limits where the project already has rate-limit infrastructure.
- Add tests for the security behavior fixed.
High-Risk Areas
Review carefully when touching:
- auth/login/password reset
- billing/payment/webhooks
- file upload/download
- admin actions
- tenant/org/user access
- exports/imports
- public APIs
- background jobs
- search/filter endpoints
- rich text/HTML rendering
Tests
Cover relevant paths:
- unauthenticated rejected
- forbidden access rejected
- user cannot access another user’s data
- tenant cannot access another tenant’s data
- invalid input rejected
- injection-like input safe
- sensitive fields not returned
- secrets not logged
- CSRF/CORS/rate-limit behavior when relevant