| name | security-review |
| description | Security review checklist for authentication, authorization, and sensitive data handling. Use when changing auth, MFA, secrets, input validation, or security-critical features. Not for general code review. |
| version | 2.0.0 |
| author | SublinkPro Team |
| user-invocable | true |
Security Review Skill
This skill provides a comprehensive security review checklist for code changes that involve authentication, authorization, sensitive data handling, or security-critical features.
When to use: When making changes to:
- Authentication/authorization logic
- MFA (Multi-Factor Authentication) functionality
- Sensitive data handling (passwords, tokens, API keys, secrets)
- API endpoints with permission requirements
- Input validation and sanitization
- Database queries
- Cryptographic operations
- CORS/CSP configurations
- Session management
- File upload/download functionality
Security Review Checklist
🔐 1. Authentication & Authorization
Check for:
Detailed guide: references/authentication-guide.md (includes code examples)
Relevant files:
api/auth.go
api/auth_mfa.go
middlewares/auth.go
middlewares/mfa.go
🔑 2. MFA (Multi-Factor Authentication)
Check for:
Detailed guide: references/mfa-guide.md
Relevant files:
api/auth_mfa.go
models/mfa.go
middlewares/mfa.go
🛡️ 3. Sensitive Data Handling
Check for:
Detailed guide: references/sensitive-data-guide.md (includes code examples)
🔍 4. Input Validation & Sanitization
Check for:
Detailed guide: references/input-validation-guide.md (includes code examples)
🗄️ 5. Database Security
Check for:
Detailed guide: references/database-security-guide.md (includes code examples)
🌐 6. API Security
Check for:
Detailed guide: references/api-security-guide.md (includes code examples)
🔐 7. Cryptography
Check for:
Detailed guide: references/cryptography-guide.md (includes code examples)
📤 8. File Upload/Download Security
Check for:
Detailed guide: references/file-security-guide.md (includes code examples)
🔒 9. Session Management
Check for:
Detailed guide: references/session-management-guide.md (includes code examples)
🛡️ 10. Dependency Security
Check for:
Detailed guide: references/dependency-security-guide.md
Scan commands:
govulncheck ./...
cd webs && yarn audit
Security Review Process
Step 1: Identify Security-Sensitive Changes
Review the diff and identify if the change involves authentication, sensitive data, user input, database queries, API endpoints, file operations, or cryptographic operations.
Step 2: Apply Relevant Checklists
Go through the relevant sections above and verify each item. Consult detailed guides in references/ for in-depth coverage.
Step 3: Test Security Controls
Run security linters:
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
cd webs
yarn lint
Step 4: Document Security Implications
If the change has security implications:
Common Security Anti-Patterns
- Trusting user input: Never trust user input directly; always validate and sanitize
- Security by obscurity: Obscure endpoints still need proper authentication
- Client-side validation only: Always validate on backend; frontend validation can be bypassed
- Logging sensitive data: Never log passwords, tokens, or API keys
Exit Criteria
Before completing the security review:
References