| name | security-review |
| display_name | Security Review |
| description | Reviews application code for security vulnerabilities, unsafe data handling, secret exposure, and risky defaults before merge or release. |
| category | code-quality |
| version | 1.0.0 |
| tags | ["security","review","vulnerabilities","secrets","compliance"] |
| providers | ["claude-code","codex","copilot","openclaw","hermes-agent"] |
| author | agent-skills contributors |
Security Review
Use this skill when reviewing code, diffs, pull requests, configuration, or deployment changes for security risk.
Inputs
- Target diff, files, pull request, or codebase area
- Runtime context such as framework, language, cloud provider, auth model, or data sensitivity
- Any known threat model, compliance requirement, or recent incident context
Steps
- Identify trust boundaries: user input, network calls, database access, file access, credentials, external services, and privileged operations.
- Review authentication and authorization paths for missing checks, confused deputy risks, privilege escalation, insecure session handling, and tenant isolation bugs.
- Inspect input handling for injection, path traversal, deserialization, unsafe redirects, SSRF, XSS, command execution, and parser edge cases.
- Check secret handling: hardcoded keys, logs that expose tokens, unsafe environment variable use, weak rotation assumptions, and accidental credential persistence.
- Review data protection: encryption, PII handling, access logging, retention, masking, backup exposure, and cross-environment data leakage.
- Inspect dependency and configuration risk: insecure defaults, broad CORS, debug flags, weak TLS, overbroad IAM, unpinned tools, and supply-chain exposure.
- Validate error handling and observability: avoid leaking sensitive details while preserving useful audit trails.
- Prioritize findings by exploitability and impact.
Output
Return:
- Security posture summary
- Findings ordered by severity: Critical, High, Medium, Low
- File and line references where possible
- Exploit scenario in one or two sentences for each significant finding
- Concrete remediation steps
- Residual risk or assumptions
Guidelines
- Do not invent vulnerabilities. If a risk depends on an assumption, say so.
- Prefer specific fixes over generic advice.
- Treat missing tests for security-sensitive behavior as a finding.
- Call out strong security decisions when they reduce risk.