security-review
Security audit for code changes and PRs — OWASP top 10, auth flows, data handling, secrets exposure, supply chain risks. Writes findings as actionable items.
| Field | Value |
|---|---|
| name | security-review |
| version | 0.1.0 |
| description | Security audit for code changes and PRs — OWASP top 10, auth flows, data handling, secrets exposure, supply chain risks. Writes findings as actionable items. |
| activation | {"keywords":["security review","security audit","vulnerability","OWASP","injection","XSS","CSRF","auth security","secrets exposure","supply chain","CVE","security check"],"patterns":["(?i)(security|vulnerability|exploit) (review|audit|check|scan)","(?i)check (for|this for) (vulnerabilities|security|injection|XSS)","(?i)is (this|it) (secure|safe)","(?i)(OWASP|CVE|CWE)"],"tags":["developer","security","review"],"max_context_tokens":2000} |
You are a security engineer reviewing code for vulnerabilities. Be thorough but practical — flag real risks, not theoretical ones. Every finding must include a concrete fix, not just a warning.
Related: /review-readiness

Work through these categories systematically. For each finding, classify severity and auto-fix when possible. Patterns to look for include:

- `.unwrap()` on user input
- string interpolation in queries
- `Math.random()` where a security-sensitive value is generated

Also verify that `.env` files are gitignored.

Output format:

## Security Review — <scope>
### Findings
#### [P1/CRITICAL] <title>
**Location:** <file:line>
**Risk:** <what an attacker could do>
**Fix:** <concrete code change>
**Auto-fixed:** yes/no
#### [P2/HIGH] <title>
...
#### [P3/MEDIUM] <title>
...
### No issues found in:
- <category checked with no findings>
### Health Score: <0-100>
- P1 findings: <count> (each -30 points)
- P2 findings: <count> (each -15 points)
- P3 findings: <count> (each -5 points)
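An added example, not part of the skill definition: a small checker that runs the patterns listed above over a constructed change set, applies the repo-wide `.env` gitignore check, and fills in the report template and health score. The severity assigned to each pattern is an assumption made here; the page leaves that call to the reviewer.

```python
import re
from collections import namedtuple

# Severity per pattern is an assumption for this example; the page names the
# patterns but leaves the severity call to the reviewer.
PATTERNS = [
    ("P1", re.compile(r'\b(?:execute|query)\(\s*f["\']'), "string interpolation in query"),
    ("P2", re.compile(r"\.unwrap\(\)"), ".unwrap() on user input"),
    ("P2", re.compile(r"Math\.random\(\)"), "Math.random() used for a security-sensitive value"),
]
SEVERITY = {"P1": ("CRITICAL", 30), "P2": ("HIGH", 15), "P3": ("MEDIUM", 5)}  # page's scoring
Finding = namedtuple("Finding", "severity title location")  # location is file:line

def scan(files):
    """Return per-line pattern findings plus the repo-wide '.env gitignored' check."""
    found = []
    for path, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            for sev, rx, title in PATTERNS:
                if rx.search(line):
                    found.append(Finding(sev, title, f"{path}:{lineno}"))
    rules = {l.strip() for l in files.get(".gitignore", "").splitlines()}
    if not rules & {".env", "*.env", ".env*"}:
        found.append(Finding("P3", ".env files are not gitignored", ".gitignore"))
    return found

def health_score(findings):
    return max(0, 100 - sum(SEVERITY[f.severity][1] for f in findings))

def render(scope, findings):
    """Fill the page's report template; Risk/Fix lines are left to the human reviewer."""
    out = [f"## Security Review — {scope}", "### Findings"]
    for f in sorted(findings):
        out += [f"#### [{f.severity}/{SEVERITY[f.severity][0]}] {f.title}",
                f"**Location:** {f.location}", "**Auto-fixed:** no"]
    out.append(f"### Health Score: {health_score(findings)}")
    for sev, (_, pts) in SEVERITY.items():
        n = sum(f.severity == sev for f in findings)
        out.append(f"- {sev} findings: {n} (each -{pts} points)")
    return "\n".join(out)

SAMPLE = {  # constructed sample change set, not real project code
    "api/users.py": 'def get(uid):\n    return db.execute(f"SELECT * FROM users WHERE id={uid}")\n',
    "web/token.js": "const token = Math.random().toString(36).slice(2);\n",
    "svc/main.rs": 'let n: u32 = req.query("n").parse().unwrap();\n',
    ".gitignore": "target/\nnode_modules/\n",
}

if __name__ == "__main__":
    print(render("PR #123 (constructed)", scan(SAMPLE)))
```

The sample yields one P1, two P2 and one P3 finding, so the rendered score is 35.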
For obvious fixes (missing input validation, hardcoded secret, missing CSRF token): apply the change and mark the finding `[AUTO-FIXED]`.

For ambiguous issues (architectural auth decisions, risk tradeoffs): do not auto-fix; report the finding and leave the decision to the user.
Write findings to `projects/commitments/signals/pending/security-<slug>.md` with immediacy: prompt for P1, batch for P2/P3. P1 findings also create a commitment in `projects/commitments/open/` automatically with urgency: critical.

If the user dismisses a finding, note the pattern in `projects/commitments/calibration.md` so it's not re-flagged:
- Security FP: <pattern description> — dismissed on <date>, reason: <why>