security-review

Security Review Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "security-review" with this command: npx skills add nicholasgriffintn/machine-setup/nicholasgriffintn-machine-setup-security-review

Tooling Notes

This skill should only use read-only commands and avoid modifying files.

Workflow

Copy this checklist and use it to track your progress through a security review:

Security Review Checklist

  • Scope the Change
    • Identify entry points, data flows, and trust boundaries.
    • Note any changes to auth, secrets, or external integrations.
  • Threat Model
    • Enumerate likely threats (STRIDE or similar).
    • Focus on inputs, storage, and outputs.
  • Validate Input & Output
    • Validate and sanitize user-controlled input.
    • Encode outputs to prevent injection.
    • Constrain file paths and URLs (avoid traversal/SSRF).
  • AuthN/AuthZ
    • Authentication checks are present and consistent.
    • Authorization rules are explicit and least-privilege.
    • Session/token handling uses secure defaults.
  • Secrets & PII
    • No hardcoded secrets or credentials.
    • Logs avoid sensitive data.
    • Storage and transport are protected.
  • Dependency Risk
    • New dependencies are minimal and justified.
    • Lockfiles updated and reviewed.
  • Verification
    • Add or update tests for security-sensitive behavior.
    • Confirm error handling does not leak data.

Security Guardrails

Review Focus Areas

  • Authentication and authorization checks are explicit and consistent.

  • Input validation is present on all user-controlled data.

  • Secrets and credentials never appear in logs or configs.

  • Public endpoints enforce rate limits and safe defaults.

  • Dependencies are minimized and vetted for risk.

Common Red Flags

  • New endpoints without authN/authZ checks.

  • Raw SQL, command execution, or templating with unsanitized input.

  • Hardcoded secrets, tokens, or private keys.

  • Broad permissions or wildcard roles.
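
A read-only way to triage a change for the red flags above: the scanner below walks the added lines of a unified diff and reports pattern hits with file and line number. It is an added example, not part of the upstream skill; the regexes, the `scan_diff` name and the sample diff are assumptions constructed for illustration, and a hit is a prompt for manual review rather than a confirmed finding.

```python
import re
# Heuristic patterns for the red flags above (assumed, for triage only).
RED_FLAGS = {
    "raw-sql-interpolation": re.compile(
        r"""(?i)(execute|query)\s*\(\s*(f["']|["'][^"']*["']\s*(%|\+|\.format))"""),
    "command-execution": re.compile(
        r"(?i)\b(os\.system|child_process\.exec|subprocess\.\w+\(.*shell\s*=\s*True)"),
    "hardcoded-secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["'][^"']{8,}["']"""),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "wildcard-permission": re.compile(
        r"""(?i)["']?(action|resource|role|permissions?)["']?\s*[:=]\s*\[?\s*["']\*["']"""),
}

def scan_diff(diff_text):
    """Return (file, new_line_no, flag, text) for each added line that matches."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first line number in the new file.
            lineno = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            for flag, pattern in RED_FLAGS.items():
                if pattern.search(raw[1:]):
                    findings.append((path, lineno, flag, raw[1:].strip()))
        elif raw.startswith(" "):
            lineno += 1  # context line advances the new-file counter
    return findings

# Constructed sample diff (not from any real repository).
SAMPLE_DIFF = '''\
--- a/app/users.py
+++ b/app/users.py
@@ -10,2 +10,5 @@ def lookup(db, name):
     log.info("lookup")
+    API_KEY = "constructed-example-value"
+    rows = db.execute(f"SELECT * FROM users WHERE name = '{name}'")
+    os.system("convert " + upload_path)
     return rows
--- a/deploy/policy.json
+++ b/deploy/policy.json
@@ -4,2 +4,3 @@
   "Effect": "Allow",
+  "Action": "*",
   "Resource": "arn:example"
'''
```

Only added lines are scanned, so removed and context lines never produce a hit; new endpoints without authN/authZ checks are not detectable this way and still need a manual read.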

Remediation Notes

When issues are found, propose the smallest safe change that addresses the risk, then add or update tests to prevent regressions.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
