Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

project-security-review

Independent security review of pending changes via an isolated Agent context — fresh subagent reads the diff and a security checklist with no implementation bias. Use after a module is implemented and before merge, especially for changes that touch auth, data persistence, PII, audit logging, or anything UK GDPR-sensitive. Triggers on '/project-security-review', 'security review', 'audit this branch'.

Ejecutar en Manus

Estrellas1

Forks0

Actualizado8 de mayo de 2026, 10:04

Fuente

korallis

korallis/workflow

Abrir repositorio de GitHub Ver repositorios del creador

Comando de instalación

Descarga

Ejecutar en Manus

Útil paraSOC

Analistas de seguridad de la informaciónOcupaciones informáticas y matemáticas15-1212L4

Explorador de archivos

2 archivos

SKILL.md

readonly

name	project-security-review
description	Independent security review of pending changes via an isolated Agent context — fresh subagent reads the diff and a security checklist with no implementation bias. Use after a module is implemented and before merge, especially for changes that touch auth, data persistence, PII, audit logging, or anything UK GDPR-sensitive. Triggers on '/project-security-review', 'security review', 'audit this branch'.
effort	high

project-security-review

Runs a security review of pending changes in fresh Agent context so the reviewer has no exposure to the implementation reasoning that produced the code. This isolation is the entire point — a reviewer who watched the code being written tends to share its blind spots.

Process

Capture the diff (use mktemp + cleanup trap so the temp file doesn't leak):

diff_file="$(mktemp -t security-review-diff.XXXXXX)"
trap 'rm -f "$diff_file"' EXIT
if git rev-parse --verify origin/main >/dev/null 2>&1; then
  base="$(git merge-base origin/main HEAD)"
elif git rev-parse --verify main >/dev/null 2>&1; then
  base="$(git merge-base main HEAD)"
else
  base="HEAD~1"
fi
git diff "$base"..HEAD > "$diff_file"

Identify the security checklist: read .claude/skills/project-security-review/security-review-prompt.md. This is the canonical instruction set the Agent will follow.
Launch the Agent with a read-only subagent type so the reviewer can't accidentally modify the working tree:
```
Agent(
  subagent_type="Explore",
  description="Security review (isolated read-only context)",
  prompt=<contents of security-review-prompt.md, with $diff_file content and any relevant CLAUDE.md security section interpolated into the prompt body>
)
```
The Explore agent runs with a fresh context window AND no edit/write tools — it has not seen planning or implementation discussion, and it cannot modify code. Its findings reflect the diff alone plus the security checklist.
Receive the Agent's report and surface it to the user without modification. Add a one-paragraph framing explaining what was reviewed and any user-actionable next steps.
Optional follow-ups:
- If the Agent found CRITICAL or HIGH issues, suggest the user address them before merge.
- Note that this skill does NOT modify code — it produces a report only.

When to use

Before merging any PR that touches auth, session management, or token handling.
After implementing data persistence for PII or healthcare-sensitive data (UK GDPR considerations).
When the change touches audit logging, access control, or rate limiting.
When you want a "second set of eyes" with no contextual bias.

Why isolation matters

A reviewer who participated in implementation tends to validate the assumptions that drove the implementation. An Agent in fresh context only sees the diff — its blind spots are different from the implementer's, which is exactly what a security review needs.

Más de este repositorio

mismo repositorio

project-tracks

korallis/workflow

Plan and start isolated parallel module implementation tracks from specs/MODULES.md and per-module parallel.yaml declarations.

2026-05-081

project-execute

korallis/workflow

Implement a fully-specced module via dual-harness execution — Claude orchestrates, Codex CLI executes inside a live tmux pane in your attached session. Use when ready to write code for a module that has approved SPEC.md and CLAUDE.md files. Triggers on phrases like 'execute the X module via codex', 'dual-harness build', or '/project-execute X'.

2026-05-081

project-init

korallis/workflow

Initialise a new software project with full spec-first workflow — research, architecture, module specs, and roadmap. Use this whenever someone says 'build me a...', 'I want to create...', 'new project', 'start a project', or describes a product idea. Also use for major new feature areas within an existing project.

2026-05-081

project-blueprint

korallis/workflow

Generate or regenerate the master architecture document (specs/MASTER_BLUEPRINT.md) — the single source of truth for tech stack, data model, API patterns, auth, UI conventions, and module relationships. Use when starting architecture, changing stack decisions, or after significant research that affects the technical approach.

2026-05-081

project-review

korallis/workflow

End-of-session review — captures what was done, learnings, mistakes, and patterns, then updates LEARNINGS.md and CLAUDE.md. Run this after completing any task, at the end of a working session, or when switching to a different area of the project. This is what makes the system compound and get smarter over time.

2026-05-081

project-spec

korallis/workflow

Create or update a detailed module specification — data model, API endpoints, UI screens, business logic, and acceptance criteria. Use when planning a new module, refining requirements before implementation, or updating specs after implementation revealed changes. Trigger on any mention of 'spec', 'specification', 'plan this module', or 'define the requirements for'.

2026-05-081

name	project-security-review
description	Independent security review of pending changes via an isolated Agent context — fresh subagent reads the diff and a security checklist with no implementation bias. Use after a module is implemented and before merge, especially for changes that touch auth, data persistence, PII, audit logging, or anything UK GDPR-sensitive. Triggers on '/project-security-review', 'security review', 'audit this branch'.
effort	high

project-security-review

Process

Capture the diff (use mktemp + cleanup trap so the temp file doesn't leak):

diff_file="$(mktemp -t security-review-diff.XXXXXX)"
trap 'rm -f "$diff_file"' EXIT
if git rev-parse --verify origin/main >/dev/null 2>&1; then
  base="$(git merge-base origin/main HEAD)"
elif git rev-parse --verify main >/dev/null 2>&1; then
  base="$(git merge-base main HEAD)"
else
  base="HEAD~1"
fi
git diff "$base"..HEAD > "$diff_file"

Identify the security checklist: read .claude/skills/project-security-review/security-review-prompt.md. This is the canonical instruction set the Agent will follow.
Launch the Agent with a read-only subagent type so the reviewer can't accidentally modify the working tree:
```
Agent(
  subagent_type="Explore",
  description="Security review (isolated read-only context)",
  prompt=<contents of security-review-prompt.md, with $diff_file content and any relevant CLAUDE.md security section interpolated into the prompt body>
)
```
The Explore agent runs with a fresh context window AND no edit/write tools — it has not seen planning or implementation discussion, and it cannot modify code. Its findings reflect the diff alone plus the security checklist.
Receive the Agent's report and surface it to the user without modification. Add a one-paragraph framing explaining what was reviewed and any user-actionable next steps.
Optional follow-ups:
- If the Agent found CRITICAL or HIGH issues, suggest the user address them before merge.
- Note that this skill does NOT modify code — it produces a report only.

When to use

Before merging any PR that touches auth, session management, or token handling.
After implementing data persistence for PII or healthcare-sensitive data (UK GDPR considerations).
When the change touches audit logging, access control, or rate limiting.
When you want a "second set of eyes" with no contextual bias.