원클릭으로
security-review-checklist
Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Use when decomposing an implementation plan into executable tasks with dependencies and sizing.
Use before marking any task complete. Runs the project's validation suite (lint, typecheck, tests) and confirms the implementation is in a working state. Use this whenever you have finished implementing a task and need to verify it before calling task_complete.
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, artifacts, posters, or applications (examples include websites, landing pages, dashboards, React components, HTML/CSS layouts, or when styling/beautifying any web UI). Generates creative, polished code and UI design that avoids generic AI aesthetics.
Use when reviewing architecture decisions, implementation plans, or PRs against layering, boundaries, and system design expectations.
Use when implementing code changes to ensure quality, consistency, and maintainability.
Use when bootstrapping a repository for Spec-Driven Development. Scan the codebase, ask 2 targeted questions, then write specs/constitution.md and the first epic's product-requirements.md.
| name | security-review-checklist |
| description | Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes. |
Provides a systematic security review framework covering threat modeling, OWASP-aligned analysis, and vulnerability assessment for code changes.
Use this skill during security review to ensure systematic coverage of security concerns.
For each change, identify:
| Category | Check | Applies? |
|---|---|---|
| A01: Broken Access Control | Are authorization checks present and correct? | |
| A02: Cryptographic Failures | Is sensitive data encrypted properly? | |
| A03: Injection | Are queries parameterized? Is user input sanitized? | |
| A04: Insecure Design | Does the design have security controls built in? | |
| A05: Security Misconfiguration | Are defaults secure? Are unnecessary features disabled? | |
| A06: Vulnerable Components | Are dependencies up to date and free of known CVEs? | |
| A07: Authentication Failures | Are auth mechanisms robust (rate limiting, MFA)? | |
| A08: Data Integrity Failures | Is deserialization controlled? Are updates verified? | |
| A09: Logging Failures | Are security events logged without exposing secrets? | |
| A10: SSRF | Are outbound requests validated against allowlists? |
For each finding:
### [Severity]: [Title]
**OWASP**: [Category, e.g., A03: Injection]
**Location**: [file:line]
**Description**: [What the vulnerability is]
**Impact**: [What could happen if exploited]
**Fix**: [Suggested remediation approach]
Severity levels:
Follow the structured report format defined in the Security agent: