// Audit a pull request diff for common security concerns (input validation, sanitization, authentication and authorization, secrets management, unsafe dependencies, and related risks) and fold findings into the same review.json produced by the base PR review. Use as a supplement to `review-pr` whenever a code PR is being reviewed.
| name | security-review-pr |
| description | Audit a pull request diff for common security concerns (input validation, sanitization, authentication and authorization, secrets management, unsafe dependencies, and related risks) and fold findings into the same review.json produced by the base PR review. Use as a supplement to `review-pr` whenever a code PR is being reviewed. |
Audit the current pull request for security concerns and fold any findings into the same review.json produced by the base review-pr skill.
Provide a focused security pass on top of the general PR review. This is a supplement to review-pr, not a separate output. Findings must be merged into the single combined review.json so reviewers receive one cohesive review.
pr_diff.txt.pr_description.md.review-pr is applied.review-spec.review-pr pass will already raise. If the base review would naturally catch an issue, leave it there rather than re-reporting it from the security pass.Evaluate each changed hunk against the following concerns. Treat the list as a checklist, not a ceiling — flag other clearly security-relevant issues when they appear.
pickle, yaml.load, eval, Function, JSON.parse feeding into a command).shell=True, string concatenation into exec/spawn, or raw SQL strings..env, fixtures, or test data that are real rather than clearly synthetic placeholders.random.random, Math.random) used for tokens, IDs, or security decisions.* or very broad ranges on a sensitive package).pr_description.md and pr_diff.txt to understand the scope and intent of the change.review-pr pass.review.json produced by review-pr.[SECURITY] tag after the severity label so reviewers can tell the source of the concern. For example:
🚨 [CRITICAL] [SECURITY] SQL injection: ...⚠️ [IMPORTANT] [SECURITY] Secret written to logs: ...💡 [SUGGESTION] [SECURITY] Prefer parameterized query: ...## Security subsection when there are security findings. List the most important security concerns there in addition to any inline comments. If there are no security findings, do not add the subsection.Found: X critical, Y important, Z suggestions tally in the summary. Do not add a separate security counter.Request changes.🚨 [CRITICAL] for issues that are likely exploitable in production (e.g. shell injection with attacker-controlled input, committed live secret, missing auth on a destructive endpoint).⚠️ [IMPORTANT] for plausible security weaknesses that should be fixed before merge (e.g. missing input validation on an internal-only endpoint, weak hashing for non-password data, overly broad CORS).💡 [SUGGESTION] for defense-in-depth improvements that are clearly worthwhile but not immediate risks.🧹 [NIT] is rarely appropriate for security findings; use only when the comment includes a concrete suggestion block and the issue is genuinely cosmetic.review-pr: inline comments must target lines that exist in this PR's diff.suggestion block format as review-pr.💡 [SUGGESTION] when the risk is low or the fix is optional.review.json from the base review pass.Compare a pull request's implementation against spec context in spec_context.md and feed any material mismatches into review.json. Use during PR review when approved or repository spec context is available.
Create a product spec from a GitHub issue in this repository by applying the local shared `write-product-spec` workflow with Oz-specific issue context and output paths. Use when an issue should be turned into a product spec artifact stored under `specs/GH<issue-number>/product.md` and the agent should prepare file changes only, without creating commits or pull requests itself unless the prompt explicitly asks for it.
Create a technical spec from a GitHub issue in this repository by applying the local shared `write-tech-spec` workflow with Oz-specific issue context and output paths. Use when an issue should be turned into a tech spec artifact stored under `specs/GH<issue-number>/tech.md` and the agent should prepare file changes only, without creating commits or pull requests itself unless the prompt explicitly asks for it.
Detect duplicate GitHub issues by comparing the incoming issue's title and description against the repository issue list. Use during triage to identify 2+ existing issues that are similar and surface them as potential duplicates.
Implement a GitHub issue in this repository by applying the local shared `implement-specs` workflow with Oz-specific issue, spec-context, and summary-file handling. Use when issue details are provided in the prompt and the agent should produce the repository diff and a concise implementation summary, without creating commits or pull requests itself unless the prompt explicitly asks for it.
Review a pull request diff and write structured feedback to review.json for the workflow to publish. Use when reviewing a checked-out PR from local artifacts like pr_diff.txt and pr_description.md and producing machine-readable review output instead of posting directly to GitHub.