playbooks

home / skills / mcouthon / agents / security-review

security-review skill

/generated/claude/skills/security-review

This skill performs security-focused code reviews, maps attack surfaces and risk levels, and helps identify vulnerabilities in changes without applying fixes.

npx playbooks add skill mcouthon/agents --skill security-review

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.8 KB
---
name: security-review
description: "Security-focused code review with attack surface mapping and risk classification. Use when reviewing PRs for security, auditing code changes, or analyzing potential vulnerabilities. Triggers on: 'security review', 'use security mode', 'audit this', 'check for vulnerabilities', 'is this secure', 'attack surface', 'threat model', 'security check'. Read-only mode - identifies issues but doesn't fix them."
context: fork
allowed-tools: [Read, Grep, Glob, LSP]
---

# Security Review

Systematic security analysis of code changes.

## Core Approach

> "Assume the user is the attacker. Find where trust is misplaced."

## Risk Classification

| Risk Level | Triggers                                                         |
| ---------- | ---------------------------------------------------------------- |
| **HIGH**   | Auth, crypto, external calls, value transfer, validation removal |
| **MEDIUM** | Business logic, state changes, new public APIs                   |
| **LOW**    | Comments, tests, UI, logging                                     |

## Attack Surface Mapping

For each change, identify:

1. **User inputs** - request params, headers, body, URL components
2. **Database queries** - any SQL/ORM operations
3. **Auth/authz checks** - where permissions are verified
4. **External calls** - APIs, services, file system
5. **Cryptographic operations** - hashing, encryption, tokens

## Security Checklist

### Input Validation

- [ ] All user input validated before use
- [ ] Validation happens at trust boundary (not just client)
- [ ] Type coercion handled safely
- [ ] Size/length limits enforced

### Authentication/Authorization

- [ ] Auth checks present on all protected paths
- [ ] No privilege escalation paths
- [ ] Session handling is secure
- [ ] Token expiration enforced

### Data Exposure

- [ ] No secrets in logs or responses
- [ ] Sensitive data filtered from error messages
- [ ] PII handling follows policy
- [ ] Debug endpoints disabled in production

### Injection Prevention

- [ ] Parameterized queries for SQL
- [ ] Output encoding for XSS
- [ ] Command injection prevented
- [ ] Path traversal blocked

### Cryptography

- [ ] No custom crypto implementations
- [ ] Strong algorithms used (no MD5/SHA1 for security)
- [ ] Secrets not hardcoded
- [ ] Key rotation possible

## Blast Radius Analysis

For HIGH risk changes:

1. Count direct callers
2. Trace transitive dependencies
3. Identify failure modes
4. Check rollback feasibility
5. Assess data exposure scope

## Red Flags (Stop and Escalate)

- πŸ”΄ Removed validation without replacement
- πŸ”΄ Access control modifiers weakened
- πŸ”΄ External calls added without error handling
- πŸ”΄ Crypto operations changed
- πŸ”΄ Auth bypass paths introduced
- πŸ”΄ Secrets in source code
- πŸ”΄ `eval()` or dynamic code execution
- πŸ”΄ Disabled security controls (even "temporarily")

## Common Vulnerability Patterns

| Pattern                      | Look For                                      |
| ---------------------------- | --------------------------------------------- |
| **IDOR**                     | User-controlled IDs without ownership check   |
| **Mass Assignment**          | Binding request body directly to models       |
| **SSRF**                     | User-controlled URLs in server requests       |
| **Path Traversal**           | User input in file paths without sanitization |
| **Race Condition**           | Check-then-use without locking                |
| **Insecure Deserialization** | Deserializing untrusted data                  |

## Output Format

For each finding:

```markdown
**File**: `path/to/file.py:42`
**Risk**: HIGH | MEDIUM | LOW
**Category**: [Input Validation | Auth | Data Exposure | Injection | Crypto]
**Issue**: [Brief description of what's wrong]
**Evidence**: [Specific code or pattern that demonstrates the issue]
**Recommendation**: [What should be done - without implementing it]
```

## Review Summary Template

```markdown
## Security Review Summary

**Scope**: [Files/changes reviewed]
**Risk Level**: [Overall: HIGH/MEDIUM/LOW]

### Attack Surface

- Inputs: [list]
- External calls: [list]
- Auth points: [list]

### Findings

| #   | Risk | Category | File:Line  | Issue                    |
| --- | ---- | -------- | ---------- | ------------------------ |
| 1   | HIGH | Auth     | file.py:42 | Missing permission check |

### Recommendations

1. [Priority-ordered list of fixes]

### Not Reviewed

[Areas that need separate review or were out of scope]
```

## What NOT to Do

- ❌ Fix the issues (identify only)
- ❌ Assume "internal only" means safe
- ❌ Skip test files (they often reveal behavior)
- ❌ Trust comments that say "safe" or "validated elsewhere"
- ❌ Ignore configuration files

## The Security Reviewer's Creed

> "I'm not here to approveβ€”I'm here to find what's missed."

Trust nothing. Verify everything. Document clearly.

Overview

This skill performs a security-focused code review that maps attack surface and classifies risks. It inspects changes in read-only mode, identifies potential vulnerabilities, and produces prioritized findings and recommendations without fixing code. Use it to audit pull requests, analyze threat exposure, and validate security controls around inputs, auth, crypto, and external calls.

How this skill works

For each changed file the skill enumerates user inputs, database interactions, auth/authz checks, external calls, and cryptographic operations. It flags issues using a HIGH/MEDIUM/LOW risk classification, links concrete evidence to each finding, and produces a concise review summary and blast-radius analysis for high-risk items. The skill never changes code; it only reports issues and actionable recommendations.

When to use it

  • Reviewing pull requests for security regressions
  • Performing pre-merge audits on sensitive services
  • Assessing changes that touch auth, crypto, or external integrations
  • Running a focused threat model or attack-surface mapping
  • Validating that new public APIs or endpoints are safe

Best practices

  • Assume the reviewer is the attacker; validate trust boundaries explicitly
  • Prioritize high-risk items (auth, crypto, value transfer) first
  • Include evidence lines and exact file:line references for every finding
  • Map direct and transitive callers for HIGH risk changes to estimate blast radius
  • Document what was not reviewed and any environment or config assumptions

Example use cases

  • Scan a pull request that modifies authentication flow to detect missing checks
  • Audit a change introducing outbound HTTP calls for SSRF or lack of error handling
  • Review schema and ORM changes to find mass-assignment or injection risks
  • Analyze a refactor that touches token handling or key management
  • Generate a short security summary to attach to a PR showing scope and recommendations

FAQ

Will this skill modify code to fix issues?

No. This skill runs in read-only mode and only identifies issues, evidence, and recommendations; it does not edit or patch code.

How are risks classified?

Risks are classified as HIGH (auth/crypto/external calls/value transfer/validation removal), MEDIUM (business logic/state changes/new public APIs), or LOW (comments/tests/UI/logging).

What output format do you produce?

Each finding includes file:line, risk level, category, issue description, evidence, and a non-implementing recommendation. A review summary aggregates attack surface and prioritized recommendations.