security-review skill

This skill audits code for OWASP vulnerabilities and provides actionable security reviews for pre-deployment and authentication checks.

npx playbooks add skill htooayelwinict/claude-config --skill security-review

---
name: security-review
description: |
  Audit code for security vulnerabilities using OWASP Top 10 guidelines. Use for security audits, pre-deployment
  checks, authentication reviews, or when checking for XSS, SQL injection, CSRF, or authorization issues. EXCLUSIVE to security-expert agent.
allowed-tools: Read, Grep, Glob, Bash, mcp_gemini-bridge, mcp_open-bridge, mcp_codex-bridge, mcp_context7, mcp_web-search-prime
---
# Security Review

**Exclusive to:** `security-expert` agent

## MCP Helpers (Brain + Memory + Web)

### 🧠 Gemini-Bridge — Security Analysis
```
mcp_gemini-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")
```

### 🌉 Open-Bridge — Alternative Security Analysis
```
mcp_open-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")
```

### 💻 Codex-Bridge — Code Security Review
```
mcp_codex-bridge_consult_codex(query="Find security vulnerabilities in: [code]", directory=".")
```

### 📚 Context7 (Memory) — Up-to-Date Docs

Lookup security patterns and vulnerability mitigations:
```
mcp_context7_resolve-library-id(libraryName="laravel", query="csrf protection")
mcp_context7_query-docs(libraryId="/laravel/docs", query="authentication security")
```

### 🌐 Web Search — CVE and Vulnerability Lookup
```
mcp_web-search-prime_search(query="[package name] CVE vulnerability 2025")
```

## Validation Loop (MANDATORY)

Every security review MUST run these dependency and route checks:
```bash
composer audit            # Check PHP vulnerabilities
npm audit                 # Check JS vulnerabilities
php artisan route:list --compact  # Verify route middleware
```

Report any vulnerabilities found as Critical findings.

## Instructions

1. Run `git diff` to identify changed files
2. Scan for security vulnerabilities using the checklist below
3. Check authentication and authorization patterns
4. Review input validation and sanitization
5. Report findings by severity (Critical → Warning → Suggestion)

## OWASP Top 10 Checklist

| # | Vulnerability | Laravel Check | React Check |
|---|---------------|---------------|-------------|
| A01 | Broken Access Control | Policies, Gates | Route guards |
| A02 | Cryptographic Failures | `Hash::make`, `encrypt` | No secrets in client |
| A03 | Injection | Eloquent, query builder | No `dangerouslySetInnerHTML` |
| A04 | Insecure Design | Business logic review | Component security |
| A05 | Security Misconfiguration | `.env` settings | Build config |
| A06 | Vulnerable Components | `composer audit` | `npm audit` |
| A07 | Auth Failures | Rate limiting, sessions | Token handling |
| A08 | Data Integrity | CSRF, mass assignment | Form validation |
| A09 | Logging Failures | Security event logs | Error boundaries |
| A10 | SSRF | URL validation | API call validation |

## Laravel Security Checks

```php
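// Mass Assignment (Eloquent model properties; set one or the other on a model)
protected $fillable = ['name', 'email'];  // ✅ Whitelist
protected $guarded = ['id', 'is_admin'];  // ✅ Blacklist

// SQL Injection Prevention
User::where('email', $email)->first();  // ✅ Safe: the value is bound as a parameter
DB::raw("SELECT * FROM users WHERE email = '$email'");  // ❌ Dangerous: $email is interpolated into the SQL string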

// CSRF
@csrf  // ✅ In forms
```

## React Security Checks

```tsx
// XSS Prevention
<div>{userInput}</div>  // ✅ Auto-escaped
<div dangerouslySetInnerHTML={{__html: userInput}} />  // ❌ XSS risk

// No secrets in client
const API_KEY = process.env.NEXT_PUBLIC_API_KEY;  // ⚠️ Visible to users
```
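
Steps 1, 2 and 5 of the instructions, sketched as an added example (not part of the original skill): it scans only the lines a `git diff` adds for the dangerous patterns shown in the Laravel and React checks and orders findings Critical → Warning → Suggestion. The rule set, the severity given to each rule and the sample diff are assumptions constructed for illustration.

```python
import re

# (pattern, severity, OWASP id, note); patterns are from this page, severities are assumed.
RULES = [
    (re.compile(r'DB::raw\(\s*"[^"]*\$\w+'), "Critical", "A03", "variable interpolated into DB::raw()"),
    (re.compile(r"dangerouslySetInnerHTML"), "Critical", "A03", "unescaped HTML rendered by React"),
    (re.compile(r"process\.env\.NEXT_PUBLIC_\w*(KEY|SECRET|TOKEN)"), "Warning", "A02", "secret-like value in client bundle"),
]
ORDER = {"Critical": 0, "Warning": 1, "Suggestion": 2}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Scan only the added lines of a unified diff; return findings, worst first."""
    findings, path, lineno, old_left, new_left = [], None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:      # between hunks: headers only
            m = HUNK.match(line)
            if m:
                old_left, lineno, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
            elif line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
        elif line.startswith("+"):               # added line: apply every rule
            findings += [(sev, owasp, path, lineno, note)
                         for rx, sev, owasp, note in RULES if rx.search(line[1:])]
            lineno, new_left = lineno + 1, new_left - 1
        elif line.startswith("-"):               # removed line: absent from new file
            old_left -= 1
        elif not line.startswith("\\"):          # context line (skip "\ No newline")
            lineno, old_left, new_left = lineno + 1, old_left - 1, new_left - 1
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[2], f[3]))

# Constructed sample: `git diff` output for two changed files.
SAMPLE_DIFF = """\
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -10,3 +10,3 @@ class UserController
     public function find($email) {
-        return User::where('email', $email)->first();
+        $q = DB::raw("SELECT * FROM users WHERE email = '$email'");
     }
--- a/resources/js/Bio.tsx
+++ b/resources/js/Bio.tsx
@@ -3,2 +3,3 @@
 export function Bio({ html }) {
-  return <div>{html}</div>;
+  const key = process.env.NEXT_PUBLIC_API_KEY;
+  return <div dangerouslySetInnerHTML={{ __html: html }} />;
"""
print(*scan_diff(SAMPLE_DIFF), sep="\n")
```

Because only added lines are matched, a change that removes a dangerous pattern produces no finding, and each finding carries the new-file line number for the report.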

## Audit Commands

```bash
composer audit          # PHP vulnerabilities
npm audit               # JS vulnerabilities
php artisan route:list  # Check route middleware
```
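
An added example (not the skill's own code) of what checking route middleware can look like: it reads route data in the shape assumed for `php artisan route:list --json` and flags routes with no `auth` middleware (A01) and public write routes with no `throttle` middleware (A07). The sample routes, the `PUBLIC_URIS` allowlist and the severity labels are assumptions made for this example.

```python
import json

# Constructed sample in the shape assumed for `php artisan route:list --json`:
# a list of objects with "method", "uri" and "middleware".
SAMPLE_ROUTES = json.dumps([
    {"method": "GET|HEAD", "uri": "login", "middleware": ["web", "guest"]},
    {"method": "POST", "uri": "login", "middleware": ["web", "guest"]},
    {"method": "GET|HEAD", "uri": "dashboard", "middleware": ["web", "auth"]},
    {"method": "DELETE", "uri": "api/users/{user}", "middleware": ["api"]},
    {"method": "POST", "uri": "api/posts",
     "middleware": "api\nauth:sanctum\nthrottle:60,1"},
])
PUBLIC_URIS = {"login"}     # hypothetical allowlist of intentionally public URIs
ORDER = {"Critical": 0, "Warning": 1, "Suggestion": 2}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def middleware_gaps(routes_json, public_uris=PUBLIC_URIS):
    """Return (severity, owasp, method, uri, note) per gap, worst first."""
    gaps = []
    for route in json.loads(routes_json):
        mw = route.get("middleware") or []
        if isinstance(mw, str):             # tolerate one newline-joined string
            mw = mw.splitlines()
        names = [m.strip() for m in mw if m.strip()]
        has_auth = any(n == "auth" or n.startswith("auth:") for n in names)
        has_throttle = any(n.startswith("throttle") for n in names)
        writes = bool(WRITE_METHODS & set(route["method"].split("|")))
        uri, method = route["uri"], route["method"]
        if uri not in public_uris and not has_auth:
            gaps.append(("Warning", "A01", method, uri, "no auth middleware"))
        # Heuristic only: a middleware group or the controller may already throttle.
        if uri in public_uris and writes and not has_throttle:
            gaps.append(("Suggestion", "A07", method, uri, "no throttle middleware"))
    return sorted(gaps, key=lambda g: ORDER[g[0]])

if __name__ == "__main__":
    for gap in middleware_gaps(SAMPLE_ROUTES):
        print(*gap, sep=" | ")
```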

## Examples
- "Security review this PR"
- "Check for OWASP vulnerabilities"
- "Audit authentication flow"

Overview

This skill performs code security audits focused on OWASP Top 10 risks. It is designed for the security-expert agent to run pre-deployment checks, pull request reviews, and focused authentication or authorization reviews. The goal is to produce actionable findings categorized by severity.

How this skill works

The skill inspects changed files (git diff) and runs mandatory dependency audits (composer audit, npm audit) plus framework checks like php artisan route:list. It scans for OWASP Top 10 patterns across Laravel and React code, reviews authentication/authorization, input validation, sanitization, and component/browser secrets. Findings are reported as Critical → Warning → Suggestion with remediation notes.

When to use it

  • Before merging a pull request that touches authentication, authorization, or input handling
  • Prior to deploying a release to production
  • When auditing third-party dependency changes or new packages
  • When reviewing routes, middleware, or API surface for access control
  • When investigating reported XSS, SQL injection, CSRF, or SSRF concerns

Best practices

  • Always run the mandatory validation loop: git diff, composer audit, npm audit, php artisan route:list
  • Focus on changed files first, then expand to related modules and configuration (.env, build settings)
  • Map findings to OWASP Top 10 and include specific code references and reproduction steps
  • Prioritize fixes: treat dependency and runtime-executable vulnerabilities as Critical
  • Recommend framework-native mitigations (e.g., Laravel fillable/guarded, @csrf, Hash::make) and avoid exposing secrets in client builds

Example use cases

  • Security review of a pull request that adds new API endpoints or middleware
  • Pre-deployment audit to confirm no regression in authentication, rate limiting, or CSRF protections
  • Audit a React component library for XSS risks and accidental client-side secret leaks
  • Check a Laravel application for mass assignment, SQL injection patterns, and route middleware gaps
  • Investigate dependency CVEs reported by web search or security scanner

FAQ

What mandatory checks are required for every review?

Run git diff to scope changes, composer audit and npm audit for dependency issues, and php artisan route:list to verify route middleware. Report any dependency or middleware failures as Critical findings.

How are findings classified?

Findings are reported by severity: Critical (exploitable or dependency CVE), Warning (high-risk patterns like missing CSRF or broken access control), Suggestion (hardening and best-practice improvements).