| name | security-review |
| description | OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data. |
| allowed-tools | Read, Grep, Bash |
Security Review Skill
When to Activate
- Code handles user input (forms, query params, request body)
- Authentication or authorization logic added/changed
- API endpoints created or modified
- Payment or financial logic implemented
- Sensitive data (PII, credentials, tokens) processed
- External API integrations added
- File upload or download functionality
- Before deploying to production
Security Checklist
1. Secrets Management
BAD:
API_KEY = "sk-abc123def456"
db_url = "postgres://admin:password@prod-db:5432/app"
GOOD:
API_KEY = env("API_KEY")
db_url = env("DATABASE_URL")
Verify:
2. Input Validation
BAD:
def get_user(request):
id = request.query("id") # No validation
db.query("SELECT * FROM users WHERE id = " + id) # SQL injection!
GOOD:
def get_user(request):
id = parse_int(request.query("id"))
if id is None or id <= 0:
return error_response(400, "Invalid ID")
db.query("SELECT * FROM users WHERE id = $1", [id]) # Parameterized
Verify:
3. SQL Injection Prevention
Verify:
4. Authentication & Authorization
Verify:
5. XSS Prevention
BAD:
# Rendering raw user HTML without sanitization
render_html(user_comment)
GOOD:
# Sanitize before rendering, or render as plain text
render_html(sanitize(user_comment))
# Or better: render as plain text (no HTML interpretation)
render_text(user_comment)
Verify:
6. CSRF Protection
Verify:
7. Rate Limiting
Verify:
8. Sensitive Data Exposure
Verify:
9. Dependency Security
Verify:
Pre-Deployment Checklist
Report Format
## Security Review: [Component/Feature]
### Critical — Fix Immediately
[Vulnerabilities that could lead to data breach or system compromise]
- **Location:** `file:line`
- **Issue:** [Description]
- **Risk:** [Impact if exploited]
- **Fix:** [Specific remediation]
### High — Fix Before Deploy
[Issues that weaken security posture]
### Medium — Fix Soon
[Best practice violations]
### Recommendations
[Hardening suggestions]
**Overall Risk Level:** [Critical / High / Medium / Low]