원클릭으로
security-review
Dedicated security lens over a feature's changed code — read-only. Invoked by review-and-simplify, also usable standalone.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Dedicated security lens over a feature's changed code — read-only. Invoked by review-and-simplify, also usable standalone.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Ingest a raw source into the project's OKF knowledge bundle — distill it into concept pages, refresh the index, and log the change. keel's compounding "LLM wiki" loop.
Use when implementation is complete, gates pass, and you need to decide how to integrate the work — presents structured options (merge, PR, keep, discard) and handles the chosen workflow, including worktree cleanup. Closes the SDD cycle after review-and-simplify.
Use when executing implementation plans with independent tasks in the current session
Orchestrates the implement-feature, evaluator, fix-runner loop for the active feature until all Criterios de Aceitacao are met and quality gates are green.
Use after the plan is approved to break the active feature's plan into a concrete task checklist, written into specs/<feature>/tasks.md from the tasks template.
Use while implementing a feature that has retries, queues, background jobs, external calls, or any critical path an on-call engineer will need to reason about in production. Invoke when adding a new endpoint, dependency, or async flow, and before considering such a feature done — instrumentation is developed alongside the code, like tests, not bolted on after.
| name | security-review |
| description | Dedicated security lens over a feature's changed code — read-only. Invoked by review-and-simplify, also usable standalone. |
When: invoked by review-and-simplify as one of its parallel lenses, on the feature's diff. Also usable standalone any time a focused security pass is needed.
Scope: the changed code only — the feature's tree-snapshot diff (git diff BASE_TREE HEAD_TREE, per subagent-driven-development's no-commit-rule snapshotting) or, if no snapshots exist, the working tree diff. Never the whole repo.
Output: findings by severity (Critical/Important/Minor) with file:line, reported inline. Makes NO edits.
Same bands as the task-reviewer rubric in subagent-driven-development:
Walk every item against the diff:
CLAUDE.md, ## Security): any check on a field like source, role, type, origin, createdVia, or userGroup that compares against a forbidden value (if (x === 'admin') throw) is a blacklist — new/unexpected values pass through silently. Flag every instance; the fix is if (x !== 'expected-value') throw or !allowedSet.has(x), with an enum preferred over a string literal.Math.random() or similar for tokens/IDs/secrets, weak or homegrown hashing, predictable session/reset tokens.subagent-driven-development's no-commit rule for how snapshots are taken).file:line — severity — description — why it matters.fix-runner or implement-and-evaluate — this skill reviews, it does not patch.Next: findings return to the orchestrator (review-and-simplify), which routes Critical/Important findings to fix-runner/implement-and-evaluate for remediation, then re-invokes this lens.