security-review

Use when reviewing code for vulnerabilities, implementing authentication or authorization, handling user input, storing sensitive data, or before any feature that touches security boundaries goes to production

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-review" with this command: npx skills add derhaken/superantigravity/derhaken-superantigravity-security-review

Security Review

Overview

Security is not a feature — it's a property of the entire system. Review security boundaries systematically, not ad-hoc.

When to Use

  • Authentication, authorization, session management code
  • Any user input that touches storage, commands, or rendering
  • Secrets, credentials, API keys in code or config
  • Before a security-sensitive feature ships
  • After any change to auth flows or data access controls

OWASP Top 10 Checklist

Work through these for every security-relevant code change:

A01 - Broken Access Control

  • Every endpoint checks authorization, not just authentication
    • Search: grep -r 'router\.\|app\.\(get\|post\|put\|delete\|patch\)' --include='*.js' --include='*.ts' | grep -v 'auth\|authorize\|permission\|role'
  • Users can only access their own data
    • Search: grep -rn 'req\.params\.id\|req\.query\.id' --include='*.js' --include='*.ts' — verify each result checks ownership
  • Admin functions require explicit admin role check
    • Search: grep -rn 'admin' --include='*.js' --include='*.ts' | grep -v 'isAdmin\|requireAdmin\|role.*admin\|admin.*role'

A02 - Cryptographic Failures

  • No secrets in source code or env files committed to git
    • Search: grep -rn 'password\s*=\s*["\x27][^"\x27]\|api_key\s*=\s*["\x27][^"\x27]\|secret\s*=\s*["\x27][^"\x27]' --include='*.js' --include='*.py' --include='*.ts'
  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
    • Search: grep -r 'password' --include='*.js' --include='*.ts' --include='*.py' | grep -v 'bcrypt\|argon2\|hash'
    • Also check: grep -rn 'md5\|sha1\|sha256' --include='*.js' --include='*.ts' --include='*.py' | grep -i 'password'
  • Data in transit uses TLS
    • Search: grep -rn 'http://' --include='*.js' --include='*.ts' --include='*.py' | grep -v 'localhost\|127\.0\.0\.1\|test\|spec\|comment'
  • Sensitive data not logged
    • Search: grep -rn 'console\.log\|logger\.' --include='*.js' --include='*.ts' | grep -i 'password\|token\|secret\|key\|ssn\|credit'

A03 - Injection

  • All database queries use parameterized queries / ORM (never string concat)
    • Search: grep -rn 'query\s*[+\].(req.|user.|input|params)' --include='.js' --include='.ts' --include='.py'`
    • Also: grep -rn '"SELECT\|"INSERT\|"UPDATE\|"DELETE' --include='*.js' --include='*.ts' | grep '\+'
  • All shell commands use safe exec (never eval with user input)
    • Search: grep -rn 'eval(\|exec(\|system(\|spawn(' --include='*.js' --include='*.ts' --include='*.py'
  • All HTML output is escaped or uses safe template engine
    • Search: grep -rn 'innerHTML\s*=' --include='*.js' --include='*.ts' | grep -v '//.*innerHTML'

A04 - Insecure Design

  • Authentication flows validated against known-good patterns
  • Rate limiting on authentication endpoints
    • Search: grep -rn 'login\|signin\|auth' --include='*.js' --include='*.ts' | grep -v 'rateLimit\|rate_limit\|throttle'
  • Account enumeration prevented (same response for unknown user vs wrong password)
    • Search: grep -rn '"User not found"\|"Invalid username"\|"No account"' --include='*.js' --include='*.ts' --include='*.py'

A05 - Security Misconfiguration

  • Debug mode disabled in production
    • Search: grep -rn 'debug\s*=\s*true\|DEBUG\s*=\s*True\|NODE_ENV.*development' --include='*.js' --include='*.ts' --include='*.py' --include='*.env'
  • Default credentials changed
    • Search: grep -rn 'admin.*admin\|root.*root\|password.*password\|default.*password' --include='*.js' --include='*.ts' --include='*.py'
  • Unnecessary features/endpoints disabled
  • Error messages don't expose stack traces to users
    • Search: grep -rn 'err\.stack\|error\.stack\|traceback' --include='*.js' --include='*.ts' --include='*.py' | grep -v 'log\|console\|logger'

A06 - Vulnerable and Outdated Components

  • Dependencies checked against known CVE databases (npm audit, pip-audit, snyk)
    • Run: npm audit or pip-audit or snyk test
  • No dependencies with known critical/high CVEs in production
    • Run: npm audit --audit-level=high (exits non-zero if high/critical found)
  • Lock files committed (package-lock.json, poetry.lock, etc.)
    • Search: git ls-files | grep -E 'package-lock\.json|yarn\.lock|poetry\.lock|Pipfile\.lock|Gemfile\.lock'
  • Direct dependencies pinned to specific versions
    • Search: grep -E '"\^|"~|">=|">' package.json — each result is a non-pinned dependency

A07 - Authentication Failures

  • Session tokens invalidated on logout
    • Search: grep -rn 'logout\|signout\|sign_out' --include='*.js' --include='*.ts' --include='*.py' | grep -v 'destroy\|invalidate\|clear\|delete\|revoke'
  • Password reset tokens expire and are single-use
    • Search: grep -rn 'reset.*token\|token.*reset' --include='*.js' --include='*.ts' --include='*.py' — verify expiry and single-use enforcement
  • Brute force protection on login
    • Search: grep -rn 'login\|signin' --include='*.js' --include='*.ts' | grep -v 'attempts\|lockout\|rateLimit\|throttle'

A08 - Software and Data Integrity

  • Dependencies pinned to verified versions
  • No eval() or dynamic code execution with user input
    • Search: grep -rn 'eval(' --include='*.js' --include='*.ts' --include='*.py'
    • Also: grep -rn 'new Function(' --include='*.js' --include='*.ts'

A09 - Logging and Monitoring

  • Authentication events logged (success and failure)
    • Search: grep -rn 'login\|signin\|authenticate' --include='*.js' --include='*.ts' --include='*.py' | grep -v 'log\|audit\|event\|monitor'
  • Sensitive operations audited
  • Logs don't contain secrets or PII
    • Search: grep -rn 'log\.' --include='*.js' --include='*.ts' | grep -i 'password\|token\|secret\|ssn\|credit_card\|cvv'

Common Vulnerabilities to Check

VulnerabilityCheck
SQL InjectionAll queries parameterized?
XSSAll user content escaped before rendering?
CSRFState-changing requests have CSRF protection?
Path traversalFile paths sanitized and validated?
Secret exposureNo hardcoded keys/tokens in code?
Mass assignmentOnly allowed fields accepted from user input?

Red Flags in Code

These patterns require immediate review:

  • eval(), exec(), system() with any user-influenced input
  • String concatenation in SQL: "SELECT * FROM users WHERE id = " + userId
  • innerHTML = userContent (XSS)
  • require(userInput) or dynamic imports with user data
  • Secrets in .env files committed to git
  • MD5 or SHA1 for password hashing

Output

For each finding, document:

  1. Vulnerability type (OWASP category)
  2. Severity (Critical/High/Medium/Low)
  3. Location (file:line)
  4. Description (what's wrong and why)
  5. Fix (specific code change or pattern to use)

If no vulnerabilities found: output "Security Review: PASS. No issues found in [scope]. Reviewed: [list of OWASP categories checked]. Verified: [date and reviewer]."

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

using-superantigravity

No summary provided by upstream source.

Repository SourceNeeds Review
8-derhaken
Automation

browser-agent

No summary provided by upstream source.

Repository SourceNeeds Review
5-derhaken
General

writing-plans

No summary provided by upstream source.

Repository SourceNeeds Review
4-derhaken
Coding

requesting-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
4-derhaken