ワンクリックで
security-review
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
| name | security-review |
| description | OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data. |
| allowed-tools | Read, Grep, Bash |
BAD:
API_KEY = "sk-abc123def456"
db_url = "postgres://admin:password@prod-db:5432/app"
GOOD:
API_KEY = env("API_KEY")
db_url = env("DATABASE_URL")
Verify:
.env files listed in .gitignoreBAD:
def get_user(request):
id = request.query("id") # No validation
db.query("SELECT * FROM users WHERE id = " + id) # SQL injection!
GOOD:
def get_user(request):
id = parse_int(request.query("id"))
if id is None or id <= 0:
return error_response(400, "Invalid ID")
db.query("SELECT * FROM users WHERE id = $1", [id]) # Parameterized
Verify:
Verify:
Verify:
BAD:
# Rendering raw user HTML without sanitization
render_html(user_comment)
GOOD:
# Sanitize before rendering, or render as plain text
render_html(sanitize(user_comment))
# Or better: render as plain text (no HTML interpretation)
render_text(user_comment)
Verify:
Verify:
SameSite cookie attribute set to Strict or LaxOrigin header validated on API endpointsVerify:
Verify:
Verify:
TODO: fix security or HACK comments left*)## Security Review: [Component/Feature]
### Critical — Fix Immediately
[Vulnerabilities that could lead to data breach or system compromise]
- **Location:** `file:line`
- **Issue:** [Description]
- **Risk:** [Impact if exploited]
- **Fix:** [Specific remediation]
### High — Fix Before Deploy
[Issues that weaken security posture]
### Medium — Fix Soon
[Best practice violations]
### Recommendations
[Hardening suggestions]
**Overall Risk Level:** [Critical / High / Medium / Low]
Rewrite engineer-to-engineer content for leadership audiences — VPs, directors, PMs, release managers. Shapes for the channel: JIRA comment, Slack post, standup note, email, or meeting talking-points. Use after post-mortem or any technical update that needs to flow up the org.
Write the canonical engineering record of a fixed bug — root cause, mechanism, fix, validation, and how it slipped through. Use after a debug session lands a validated fix, before closing the bug.
Outsider-perspective deep review of a plan, PR, design doc, or code change — questions intent first (should this exist?), then traces the actual code path end-to-end to verify the change does what it claims. Use for serious PR reviews, design audits, or second opinions. Lighter pre-commit checks use `review` instead.
Review feature spec files with 3 focused agents — spec quality (business+correctness+ambiguity), completeness (missing scenarios+safety+testability), and buildability (compatibility+blockers+traceability). Sequential by default.
Systematic debugging framework — opens every session by reciting the 4-mantra block (reproduce, trace the fail path, falsify the hypothesis, cross-reference breadcrumbs), then applies multi-layer investigation. Use when diagnosing bugs, flaky tests, unknown failures, or cross-component issues.
Use when starting any conversation - establishes how to find and use skills, requiring Skill tool invocation before ANY response including clarifying questions