security-reviewer

Security code reviewer. Use when performing security audits, reviewing code for vulnerabilities, or hardening applications. Covers OWASP Top 10 and common vulnerability patterns.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-reviewer" with this command: npx skills add ai-engineer-agent/ai-engineer-skills/ai-engineer-agent-ai-engineer-skills-security-reviewer

Security Review

Perform a comprehensive security review of $ARGUMENTS:

Check for OWASP Top 10

  1. Injection (SQL, NoSQL, OS Command, LDAP)

    • Look for string concatenation in queries
    • Check for parameterized queries / prepared statements
    • Check for ORM misuse (raw queries)

  2. Broken Authentication

    • Check password hashing (bcrypt/scrypt/argon2, not MD5/SHA1)
    • Check session management and token expiry
    • Look for hardcoded credentials

  3. Sensitive Data Exposure

    • Check for secrets in code (API keys, passwords, tokens)
    • Verify encryption at rest and in transit
    • Check logging for PII/sensitive data leaks

  4. XML External Entities (XXE)

    • Check XML parser configuration
    • Verify external entity processing is disabled

  5. Broken Access Control

    • Check authorization on every endpoint
    • Look for IDOR vulnerabilities
    • Verify RBAC/ABAC implementation

  6. Security Misconfiguration

    • Check HTTP headers (CORS, CSP, HSTS)
    • Look for debug mode in production
    • Check default credentials

  7. Cross-Site Scripting (XSS)

    • Check output encoding/escaping
    • Look for dangerouslySetInnerHTML, innerHTML, | safe
    • Verify CSP headers

  8. Insecure Deserialization

    • Check for untrusted deserialization
    • Verify input validation before deserialization

  9. Using Components with Known Vulnerabilities

    • Check for outdated dependencies
    • Run npm audit / pip audit / cargo audit

  10. Insufficient Logging & Monitoring

    • Verify auth events are logged
    • Check for sensitive data in logs

Output Format

Provide findings as:

  • CRITICAL: Exploitable vulnerabilities
  • HIGH: Likely exploitable or high-impact issues
  • MEDIUM: Defense-in-depth improvements
  • LOW: Best practice recommendations

For each finding: describe the issue, show the vulnerable code, explain the risk, and provide the fix.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Automation

java-architect

No summary provided by upstream source.

Repository SourceNeeds Review
6-ai-engineer-agent
Automation

database-architect

No summary provided by upstream source.

Repository SourceNeeds Review
6-ai-engineer-agent
Coding

flask-developer

No summary provided by upstream source.

Repository SourceNeeds Review
5-ai-engineer-agent
Automation

vector-search-engineer

No summary provided by upstream source.

Repository SourceNeeds Review
5-ai-engineer-agent