원클릭으로
security-review
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Rewrite engineer-to-engineer content for leadership audiences — VPs, directors, PMs, release managers. Shapes for the channel: JIRA comment, Slack post, standup note, email, or meeting talking-points. Use after post-mortem or any technical update that needs to flow up the org.
Write the canonical engineering record of a fixed bug — root cause, mechanism, fix, validation, and how it slipped through. Use after a debug session lands a validated fix, before closing the bug.
Outsider-perspective deep review of a plan, PR, design doc, or code change — questions intent first (should this exist?), then traces the actual code path end-to-end to verify the change does what it claims. Use for serious PR reviews, design audits, or second opinions. Lighter pre-commit checks use `review` instead.
Review feature spec files with 3 focused agents — spec quality (business+correctness+ambiguity), completeness (missing scenarios+safety+testability), and buildability (compatibility+blockers+traceability). Sequential by default.
Systematic debugging framework — opens every session by reciting the 4-mantra block (reproduce, trace the fail path, falsify the hypothesis, cross-reference breadcrumbs), then applies multi-layer investigation. Use when diagnosing bugs, flaky tests, unknown failures, or cross-component issues.
Use when starting any conversation - establishes how to find and use skills, requiring Skill tool invocation before ANY response including clarifying questions
| name | security-review |
| description | OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data. |
| allowed-tools | Read, Grep, Bash |
BAD:
API_KEY = "sk-abc123def456"
db_url = "postgres://admin:password@prod-db:5432/app"
GOOD:
API_KEY = env("API_KEY")
db_url = env("DATABASE_URL")
Verify:
.env files listed in .gitignoreBAD:
def get_user(request):
id = request.query("id") # No validation
db.query("SELECT * FROM users WHERE id = " + id) # SQL injection!
GOOD:
def get_user(request):
id = parse_int(request.query("id"))
if id is None or id <= 0:
return error_response(400, "Invalid ID")
db.query("SELECT * FROM users WHERE id = $1", [id]) # Parameterized
Verify:
Verify:
Verify:
BAD:
# Rendering raw user HTML without sanitization
render_html(user_comment)
GOOD:
# Sanitize before rendering, or render as plain text
render_html(sanitize(user_comment))
# Or better: render as plain text (no HTML interpretation)
render_text(user_comment)
Verify:
Verify:
SameSite cookie attribute set to Strict or LaxOrigin header validated on API endpointsVerify:
Verify:
Verify:
TODO: fix security or HACK comments left*)## Security Review: [Component/Feature]
### Critical — Fix Immediately
[Vulnerabilities that could lead to data breach or system compromise]
- **Location:** `file:line`
- **Issue:** [Description]
- **Risk:** [Impact if exploited]
- **Fix:** [Specific remediation]
### High — Fix Before Deploy
[Issues that weaken security posture]
### Medium — Fix Soon
[Best practice violations]
### Recommendations
[Hardening suggestions]
**Overall Risk Level:** [Critical / High / Medium / Low]