home / skills / yeachan-heo / oh-my-claudecode / security-review
This skill performs a comprehensive security review of code, detecting OWASP issues, hardcoded secrets, and insecure patterns to strengthen defenses.
npx playbooks add skill yeachan-heo/oh-my-claudecode --skill security-reviewReview the files below or copy the command above to add this skill to your agents.
---
name: security-review
description: Run a comprehensive security review on code
---
# Security Review Skill
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
## When to Use
This skill activates when:
- User requests "security review", "security audit"
- After writing code that handles user input
- After adding new API endpoints
- After modifying authentication/authorization logic
- Before deploying to production
- After adding external dependencies
## What It Does
Delegates to the `security-reviewer` agent (Opus model) for deep security analysis:
1. **OWASP Top 10 Scan**
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection (SQL, NoSQL, Command, XSS)
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server-Side Request Forgery (SSRF)
2. **Secrets Detection**
- Hardcoded API keys
- Passwords in source code
- Private keys in repo
- Tokens and credentials
- Connection strings with secrets
3. **Input Validation**
- All user inputs sanitized
- SQL/NoSQL injection prevention
- Command injection prevention
- XSS prevention (output escaping)
- Path traversal prevention
4. **Authentication/Authorization**
- Proper password hashing (bcrypt, argon2)
- Session management security
- Access control enforcement
- JWT implementation security
5. **Dependency Security**
- Run `npm audit` for known vulnerabilities
- Check for outdated dependencies
- Identify high-severity CVEs
## Agent Delegation
```
Task(
subagent_type="oh-my-claudecode:security-reviewer",
model="opus",
prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)
Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)
```
## External Model Consultation (Preferred)
The security-reviewer agent SHOULD consult Codex for cross-validation.
### Protocol
1. **Form your OWN security analysis FIRST** - Complete the review independently
2. **Consult for validation** - Cross-check findings with Codex
3. **Critically evaluate** - Never blindly adopt external findings
4. **Graceful fallback** - Never block if tools unavailable
### When to Consult
- Authentication/authorization code
- Cryptographic implementations
- Input validation for untrusted data
- High-risk vulnerability patterns
- Production deployment code
### When to Skip
- Low-risk utility code
- Well-audited patterns
- Time-critical security assessments
- Code with existing security tests
### Tool Usage
Before first MCP tool use, call `ToolSearch("mcp")` to discover deferred MCP tools.
Use `mcp__x__ask_codex` with `agent_role: "security-reviewer"`.
If ToolSearch finds no MCP tools, fall back to the `security-reviewer` Claude agent.
**Note:** Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.
## Output Format
```
SECURITY REVIEW REPORT
======================
Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z
CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
Finding: AWS API key hardcoded in source code
Impact: Credential exposure if code is public or leaked
Remediation: Move to environment variables, rotate key immediately
Reference: OWASP A02:2021 – Cryptographic Failures
2. src/db/query.ts:45 - SQL Injection Vulnerability
Finding: User input concatenated directly into SQL query
Impact: Attacker can execute arbitrary SQL commands
Remediation: Use parameterized queries or ORM
Reference: OWASP A03:2021 – Injection
HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
Finding: Passwords hashed with MD5 (cryptographically broken)
Impact: Passwords can be reversed via rainbow tables
Remediation: Use bcrypt or argon2 with appropriate work factor
Reference: OWASP A02:2021 – Cryptographic Failures
4. src/components/UserInput.tsx:67 - XSS Vulnerability
Finding: User input rendered with dangerouslySetInnerHTML
Impact: Cross-site scripting attack vector
Remediation: Sanitize HTML or use safe rendering
Reference: OWASP A03:2021 – Injection (XSS)
5. src/api/upload.ts:34 - Path Traversal Vulnerability
Finding: User-controlled filename used without validation
Impact: Attacker can read/write arbitrary files
Remediation: Validate and sanitize filenames, use allowlist
Reference: OWASP A01:2021 – Broken Access Control
...
MEDIUM (8)
----------
...
LOW (12)
--------
...
DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:
CRITICAL: [email protected] - Server-Side Request Forgery (CVE-2021-3749)
Installed: [email protected]
Fix: npm install [email protected]
HIGH: [email protected] - Prototype Pollution (CVE-2020-8203)
Installed: [email protected]
Fix: npm install [email protected]
...
OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies
Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
```
## Security Checklist
The security-reviewer agent verifies:
### Authentication & Authorization
- [ ] Passwords hashed with strong algorithm (bcrypt/argon2)
- [ ] Session tokens cryptographically random
- [ ] JWT tokens properly signed and validated
- [ ] Access control enforced on all protected resources
- [ ] No authentication bypass vulnerabilities
### Input Validation
- [ ] All user inputs validated and sanitized
- [ ] SQL queries use parameterization (no string concatenation)
- [ ] NoSQL queries prevent injection
- [ ] File uploads validated (type, size, content)
- [ ] URLs validated to prevent SSRF
### Output Encoding
- [ ] HTML output escaped to prevent XSS
- [ ] JSON responses properly encoded
- [ ] No user data in error messages
- [ ] Content-Security-Policy headers set
### Secrets Management
- [ ] No hardcoded API keys
- [ ] No passwords in source code
- [ ] No private keys in repo
- [ ] Environment variables used for secrets
- [ ] Secrets not logged or exposed in errors
### Cryptography
- [ ] Strong algorithms used (AES-256, RSA-2048+)
- [ ] Proper key management
- [ ] Random number generation cryptographically secure
- [ ] TLS/HTTPS enforced for sensitive data
### Dependencies
- [ ] No known vulnerabilities in dependencies
- [ ] Dependencies up to date
- [ ] No CRITICAL or HIGH CVEs
- [ ] Dependency sources verified
## Severity Definitions
**CRITICAL** - Exploitable vulnerability with severe impact (data breach, RCE, credential theft)
**HIGH** - Vulnerability requiring specific conditions but serious impact
**MEDIUM** - Security weakness with limited impact or difficult exploitation
**LOW** - Best practice violation or minor security concern
## Remediation Priority
1. **Rotate exposed secrets** - Immediate (within 1 hour)
2. **Fix CRITICAL** - Urgent (within 24 hours)
3. **Fix HIGH** - Important (within 1 week)
4. **Fix MEDIUM** - Planned (within 1 month)
5. **Fix LOW** - Backlog (when convenient)
## Use with Other Skills
**With Pipeline:**
```
/pipeline security "review authentication module"
```
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
**With Swarm:**
```
/swarm 4:security-reviewer "audit all API endpoints"
```
Parallel security review across multiple endpoints.
**With Ralph:**
```
/ralph security-review then fix all issues
```
Review, fix, re-review until all issues resolved.
## Best Practices
- **Review early** - Security by design, not afterthought
- **Review often** - Every major feature or API change
- **Automate** - Run security scans in CI/CD pipeline
- **Fix immediately** - Don't accumulate security debt
- **Educate** - Learn from findings to prevent future issues
- **Verify fixes** - Re-run security review after remediation
This skill performs a comprehensive security review of a codebase, focusing on OWASP Top 10 issues, hardcoded secrets, input validation, authentication/authorization, and dependency vulnerabilities. It produces a prioritized report with file:line findings, CVE references when relevant, and concrete remediation steps. Use it to validate security posture before deployment or after changes to sensitive code paths.
The skill delegates analysis to a dedicated security-reviewer agent that inspects specified files or the entire repository. It runs pattern-based and semantic checks for OWASP Top 10 categories, secrets discovery, input validation issues, authentication flaws, and npm dependency scans (npm audit). Findings are cross-validated where possible and returned as a severity-sorted report with remediation guidance.
What outputs does the review provide?
A security report with a summary by severity, file:line findings, CVE references (if applicable), and step-by-step remediation guidance.
Does the skill automatically fix issues?
No. It identifies and explains issues and recommended fixes; remediation must be applied by developers or follow-up automation.
Can it scan only specific files or folders?
Yes. You can scope the review to specific files, modules, or the entire codebase.