playbooks

home / skills / shotaiuchi / dotclaude / review-security

review-security skill

/dotclaude/skills/review-security

This skill helps perform security-focused code reviews by validating authentication, input handling, data protection, and OWASP risk coverage.

npx playbooks add skill shotaiuchi/dotclaude --skill review-security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
1.6 KB
---
name: review-security
description: >-
  Security-focused code review. Apply when reviewing code for vulnerabilities,
  authentication, authorization, input validation, injection attacks,
  CSRF, XSS, secrets exposure, and OWASP Top 10 issues.
user-invocable: false
---

# Security Review

Review code from a security perspective.

## Review Checklist

### Authentication & Authorization
- Verify proper authentication on all endpoints
- Check authorization logic for privilege escalation
- Validate token handling (JWT expiry, refresh, storage)
- Ensure session management is secure

### Input Validation
- Check all user inputs are validated and sanitized
- Verify parameterized queries (no SQL injection)
- Check for command injection vulnerabilities
- Validate file upload handling

### Data Protection
- Ensure secrets are not hardcoded or logged
- Check sensitive data is encrypted at rest and in transit
- Verify PII handling follows best practices
- Check for information leakage in error messages

### OWASP Top 10
- Injection (SQLi, XSS, command injection)
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring

## Output Format

Report findings with severity ratings:

| Severity | Description |
|----------|-------------|
| Critical | Exploitable vulnerability, immediate fix required |
| High | Significant risk, fix before merge |
| Medium | Potential risk, should fix soon |
| Low | Minor concern, consider fixing |
| Info | Best practice suggestion |

Overview

This skill performs a security-focused code review to identify vulnerabilities and misconfigurations across authentication, authorization, input handling, data protection, and OWASP Top 10 issues. It produces a prioritized findings report with severity ratings and actionable remediation suggestions. Use it to gate code merges, harden services, and prepare for security assessments.

How this skill works

The review inspects endpoints, authentication flows, token handling, session management, and access control logic for privilege escalation and broken auth. It scans input handling for injection risks (SQLi, command injection, XSS), validates use of parameterized queries and safe file upload handling, and verifies secrets management and encryption practices. The skill flags OWASP Top 10 patterns, checks for hardcoded secrets, insecure dependencies, and insufficient logging, and classifies findings by severity (Critical, High, Medium, Low, Info).

When to use it

  • Before merging changes that touch auth, access control, or input handling
  • When adding new endpoints, APIs, or file upload features
  • During security sprints or pre-release audits
  • When integrating third-party libraries or updating dependencies
  • If you suspect secrets or sensitive data might be exposed

Best practices

  • Require authentication and strict authorization checks on all endpoints
  • Validate and sanitize all user input; prefer parameterized queries and safe libraries
  • Avoid hardcoding secrets; use secret managers and environment vaults
  • Enforce TLS for data in transit and encrypt sensitive data at rest
  • Log security-relevant events without leaking PII or secrets
  • Keep dependencies updated and monitor vulnerability databases

Example use cases

  • Review a pull request that introduces a new REST endpoint handling user input
  • Audit authentication and token lifecycle after adding single-sign-on
  • Assess file upload handling for potential path or content-based injection
  • Scan a codebase for hardcoded credentials and insecure logging
  • Validate dependency updates for known CVEs before deployment

FAQ

What severity means a fix is required before merging?

Critical and High findings should be fixed before merging; Critical items indicate exploitable vulnerabilities and High items present significant risk.

Does this skill test runtime behavior like CSRF or XSS in browsers?

This skill focuses on static review of code and configuration patterns that enable CSRF, XSS, and similar issues; complement it with dynamic testing or automated scanners for runtime verification.