Security-review a diff against the OWASP Top 10. Use before merging anything that touches auth, input handling, queries, or external calls.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Security-review a diff against the OWASP Top 10. Use before merging anything that touches auth, input handling, queries, or external calls.
when_to_use
new endpoint, auth/session change, user input, raw query, file upload, deserialization
targets
["*"]
OWASP Review
Check the diff for each, with the exact line:
Injection - any string-built SQL/shell/HTML. Demand parameterized queries / escaping.
Broken access control - does it verify the user OWNS the resource, not just that they're logged in?
Auth - secrets in code? tokens without expiry? password compare not constant-time?
SSRF - user-controlled URL fetched server-side without an allowlist.
Sensitive data - PII/secrets logged, returned in errors, or sent unencrypted.
Deserialization - untrusted input into pickle/yaml.load/eval.
Dependency - a new package with known CVEs or no maintenance.
Output: a list of {line, risk, fix}. If clean, say so explicitly. Never assume input is safe because "it comes from our frontend".