원클릭으로
review-code-security
Scan implemented code for concrete security anti-patterns. Companion to /review-plan-security.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Scan implemented code for concrete security anti-patterns. Companion to /review-plan-security.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Conduct a decision-tree interview with the user to lock in requirements, motivation, scope, and non-goals before planning.
Stage 3 of three-stage planning pipeline. Produce a file-level implementation plan via detail-planner/detail-reviewer loop, then get user approval. Inputs are confirmed intent (<session-id>-intent.md) and outline (<session-id>-outline.md) from prior stages.
Edit source code for the current task. Delegates editing and lint/typecheck/self-repair to a subagent.
Plan and write test cases with high reasoning effort. Test iteration runs in a subagent to minimize confirmations.
Explore the codebase to understand existing patterns, constraints, and relevant files before planning.
Investigate git history, docs/history.md, and GitHub issue/PR timeline since the relevant issue opened, to surface changes that may invalidate the issue's premises.
| name | review-code-security |
| description | Scan implemented code for concrete security anti-patterns. Companion to /review-plan-security. |
| model | opus |
| effort | high |
Scan the specified code for security anti-patterns using the same three axes as /review-plan-security. Use after implementation to verify the plan's security goals hold in the actual code.
Use when the implementation touches external input, secrets handling, or third-party integrations. Pass a file path, diff, or describe the code to review.
.env commits), see docs/scan-outbound.md — those are covered automatically.RCS-1. Delegate scan to security-scanner and run quality gates in parallel (same response, two tool calls):
Agent({ subagent_type: "security-scanner", prompt: JSON.stringify({
topic: "security review", context: SCAN_TARGET,
artifact_dir: PLANS_DIR
}) })
On failed status: surface summary + artifact_path to user.
Output: ## Security Review: PERFORMED|FAILED (1 line) + artifact_path pointer. Read report only on failure or explicit user request.
RCS-2. Quality gates (Bash, parallel with RCS-1): bash "$AGENTS_CONFIG_DIR/skills/review-code-security/scripts/run-quality-gates.sh" — resolves merge-base and runs review-code-codex + 6 lint gates. Each gate is advisory; non-zero exit is a warning, not a blocker.
Axis scope: OWASP ASVS V8 (Data Protection), V6 (Stored Cryptography)
Automated coverage: AWS/LLM API keys, PEM private keys, GitHub/Slack tokens, and .env file commits are auto-detected by scan-outbound.sh at pre-commit. Source integrity is also covered: zero-width chars (U+200B/C/D, U+FEFF) and Bidi override chars (U+202D/E, U+2066–2069) are detected as [zero-width] / [bidi-override] (Trojan Source, CVE-2021-42574). This axis focuses on context-dependent leaks automation cannot catch.
| Pattern | What to look for | Risk |
|---|---|---|
| Generic secret hardcoded | (?i)(secret|password|token)\s*=\s*["'][^"']{8,}["'] in source | Leaked credential |
| Logging sensitive data | log.*password, print.*token, stack traces with secrets | Exposure via logs |
.env not gitignored | .env absent from .gitignore | Secret leak on push |
| Temp files with secrets | Scripts writing secrets to /tmp/ or similar | Filesystem exposure |
Axis scope: OWASP MCP Top 10 (MCP03 Excessive Permissions, MCP04 Tool Poisoning), LLM Top 10 (LLM03 Supply Chain)
| Pattern | What to look for | Risk |
|---|---|---|
| Unpinned dependency | "latest" in package.json, bare package name in requirements.txt | Supply chain (LLM03) |
| Unvalidated LLM/MCP output | Agent output used directly in eval, shell call, or DB query | Prompt injection → RCE |
| Excessive MCP permissions | Tool requesting file system / network beyond task scope | MCP03 |
| Tool Poisoning | MCP tool descriptions containing instruction overrides (ignore previous, system commands) | MCP04 |
| Rug Pull | MCP server behavior changes after approval — use trusted, auditable publishers only | MCP09 |
| Return Value Injection | Tool return value fed directly into a prompt or eval without validation | MCP05 / LLM01 |
Axis scope: OWASP WSTG (Input Validation), CWE Top 25 #2 (CWE-79 XSS), #3 (CWE-89 SQL Injection)
| Pattern | Regex hint | CWE |
|---|---|---|
| Shell injection | eval.*\$, unquoted $VAR in command position | CWE-78 |
| Path traversal | ../ combined with user-controlled variable | CWE-22 |
| SQL injection | String concatenation in SQL ("SELECT " + var) | CWE-89 |
| Open redirect | Redirect to URL from user input without allowlist | CWE-601 |
| XSS | Unsanitized user input rendered as HTML | CWE-79 |
| Instruction override in input | Untrusted input containing ignore previous, you are now, system: forwarded to LLM as context | LLM01 |
| Base64 obfuscation | Base64 string from untrusted input decoded and passed to LLM/shell | LLM01 |
After reporting findings:
echo "<<WORKFLOW_MARK_STEP_review_security_complete>>"/review-plan-security — architecture-level checklist (run before implementation begins)scan-outbound.sh — auto-detects hard secrets and private info at pre-commit (see docs/scan-outbound.md)