con un clic
security-review
Run a comprehensive security review on code
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Menú
Run a comprehensive security review on code
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Basado en la clasificación ocupacional SOC
Automatically deploy oh-my-gemini to npm and GitHub
Full autonomous execution from idea to working code
Fix build and TypeScript errors with minimal changes
Cancel any active OMC mode (autopilot, ralph, ultrawork, ecomode, ultraqa, swarm, ultrapilot, pipeline)
Run a comprehensive code review
Deep executor mode for complex goal-oriented tasks
| name | security-review |
| description | Run a comprehensive security review on code |
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
This skill activates when:
Delegates to the security-reviewer agent (Opus model) for deep security analysis:
OWASP Top 10 Scan
Secrets Detection
Input Validation
Authentication/Authorization
Dependency Security
npm audit for known vulnerabilitiesTask(
subagent_type="oh-my-gemini:security-reviewer",
model="gemini-pro-latest",
prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)
Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)
SECURITY REVIEW REPORT
======================
Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z
CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
Finding: AWS API key hardcoded in source code
Impact: Credential exposure if code is public or leaked
Remediation: Move to environment variables, rotate key immediately
Reference: OWASP A02:2021 – Cryptographic Failures
2. src/db/query.ts:45 - SQL Injection Vulnerability
Finding: User input concatenated directly into SQL query
Impact: Attacker can execute arbitrary SQL commands
Remediation: Use parameterized queries or ORM
Reference: OWASP A03:2021 – Injection
HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
Finding: Passwords hashed with MD5 (cryptographically broken)
Impact: Passwords can be reversed via rainbow tables
Remediation: Use bcrypt or argon2 with appropriate work factor
Reference: OWASP A02:2021 – Cryptographic Failures
4. src/components/UserInput.tsx:67 - XSS Vulnerability
Finding: User input rendered with dangerouslySetInnerHTML
Impact: Cross-site scripting attack vector
Remediation: Sanitize HTML or use safe rendering
Reference: OWASP A03:2021 – Injection (XSS)
5. src/api/upload.ts:34 - Path Traversal Vulnerability
Finding: User-controlled filename used without validation
Impact: Attacker can read/write arbitrary files
Remediation: Validate and sanitize filenames, use allowlist
Reference: OWASP A01:2021 – Broken Access Control
...
MEDIUM (8)
----------
...
LOW (12)
--------
...
DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:
CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
Installed: axios@0.21.0
Fix: npm install axios@0.21.2
HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
Installed: lodash@4.17.19
Fix: npm install lodash@4.17.21
...
OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies
Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
The security-reviewer agent verifies:
CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft) HIGH - Vulnerability requiring specific conditions but serious impact MEDIUM - Security weakness with limited impact or difficult exploitation LOW - Best practice violation or minor security concern
With Pipeline:
/pipeline security "review authentication module"
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.