review-security

Security audit for common vulnerabilities and unsafe patterns.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "review-security" with this command: npx skills add nielsmadan/agentic-coding/nielsmadan-agentic-coding-review-security

Review Security

Security audit for common vulnerabilities and unsafe patterns.

Usage

/review-security            # Review context-related code
/review-security --staged   # Review staged changes
/review-security --all      # Full codebase audit (parallel agents)

Scope

Flag | Scope | Method
(none) | Context-related code | Files from the current conversation context: any files the user has discussed, opened, or that you have read/edited in this session. If no conversation context exists, ask the user to specify files or use --staged / --all.
--staged | Staged changes | git diff --cached --name-only
--all | Full codebase | Glob source files, parallel agents

Do NOT skip checks:

  • "This code is internal only" -- Internal code gets compromised too

  • "This is just a prototype" -- Prototypes become production code

  • "I already checked for the obvious issues" -- The non-obvious ones are the dangerous ones

Workflow

  • Determine scope based on flags (see Scope table above)

  • Review each file against the Security Checklist below, prioritizing categories in this order:

      • Injection (OWASP 2021 A03) — highest exploitation likelihood

      • Sensitive Data Exposure (OWASP 2021 A02) — hardcoded secrets are easy wins

      • Broken Authentication (OWASP 2021 A07) — auth bugs have outsized impact

      • Security Misconfiguration (OWASP 2021 A05) — config issues are common in PRs

      • Dependency Vulnerabilities — run audit commands last (they take time)

  • Parallelize if scope has >5 files: spawn one sub-agent per checklist category, each scanning all files. Merge results and deduplicate.

  • Check dependencies using the ecosystem-specific commands in the Dependency Vulnerabilities section

  • Classify severity for each finding:

      • Critical: Exploitable vulnerability with direct user/data impact (e.g., SQL injection on a public endpoint, hardcoded production secret)

      • High: Vulnerability requiring specific conditions to exploit but with serious impact (e.g., XSS in admin panel, missing rate limiting on login)

      • Medium: Security weakness that increases attack surface (e.g., overly permissive CORS, debug mode flag)

      • Suggestion: Defense-in-depth improvement (e.g., adding CSP headers, tightening cookie flags)

  • Report findings grouped by severity using the Output Format below

Security Checklist

References below use OWASP Top 10 2021 category numbers (A01–A10).

Injection (OWASP A03)

SQL Injection:

// BAD: String concatenation (template literal puts the raw value into the SQL text)
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query (the value is sent separately from the SQL text)
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

Command Injection:

// BAD: Unsanitized input to shell (the string is interpreted by /bin/sh)
exec(`ls ${userInput}`);

// GOOD: Use array form, which passes arguments without a shell, or escape
execFile('ls', [sanitizedPath]);

XSS (Cross-Site Scripting):

// BAD: Direct HTML insertion
element.innerHTML = userContent;

// GOOD: Use textContent or sanitize
element.textContent = userContent;
// Or use DOMPurify for HTML
element.innerHTML = DOMPurify.sanitize(userContent);
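The snippets above show the patterns but not their effect. The following added example (not from the review-security SKILL.md) builds both query forms from a constructed, deliberately malformed user id and renders a constructed HTML fragment through an escaping helper, so a reviewer can see exactly what reaches the database or the DOM in each case. The helper names and inputs are illustrative; `escapeHtml` stands in for what `element.textContent` does in the browser.

```javascript
// Added example, not part of the skill. Constructed inputs a reviewer
// might use when reasoning about an injection finding.
const hostileId = '42 OR 1=1';
const hostileHtml = '<img src=x onerror="alert(1)">';

// BAD: the user value becomes part of the SQL statement text.
function buildQueryBad(userId) {
  return `SELECT * FROM users WHERE id = ${userId}`;
}

// GOOD: the statement text is a constant; the value travels separately as
// a parameter, which is what db.query(sql, params) hands to the driver.
function buildQueryGood(userId) {
  return { sql: 'SELECT * FROM users WHERE id = ?', params: [userId] };
}

// Server-side equivalent of element.textContent: neutralise the characters
// that can open a tag, close an attribute, or start an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Side-by-side result for the same hostile inputs.
function demo() {
  return {
    bad: buildQueryBad(hostileId),     // condition leaks into the SQL text
    good: buildQueryGood(hostileId),   // SQL text unchanged, value in params
    html: escapeHtml(hostileHtml),     // rendered as inert text
  };
}
```

Note that `buildQueryGood` alone does not make a query safe if the SQL text itself is still assembled from user input (table or column names, ORDER BY clauses); parameters only cover values. Identifiers need an allowlist.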

Broken Authentication (OWASP A07)

  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)

  • Rate limiting on login endpoints

  • Session tokens are secure (HttpOnly, Secure, SameSite)

  • No credentials in URLs or logs

  • Account lockout after failed attempts
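The checklist names rate limiting and account lockout but shows no code for them. The following added example (not from the review-security SKILL.md) is a small in-memory guard that implements both: failures are counted inside a sliding window, and crossing the threshold locks the account for a fixed period. The class name, thresholds and the `check`/`recordFailure`/`recordSuccess` API are assumptions for the demonstration; a real service would keep this state in a shared store such as Redis.

```javascript
// Added example, not part of the skill. Login throttling with a sliding
// window of failures and a fixed lockout. Defaults are illustrative.
class LoginGuard {
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000, lockoutMs = 15 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockoutMs = lockoutMs;
    this.failures = new Map();    // account -> [failure timestamps in window]
    this.lockedUntil = new Map(); // account -> timestamp when lockout ends
  }

  // Call before verifying the password. `now` is injectable for testing.
  check(account, now = Date.now()) {
    const until = this.lockedUntil.get(account) || 0;
    if (until > now) return { allowed: false, retryAfterMs: until - now };
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record a failed attempt; returns true when this failure triggers a lockout.
  recordFailure(account, now = Date.now()) {
    const recent = (this.failures.get(account) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.failures.set(account, recent);
    if (recent.length >= this.maxFailures) {
      this.lockedUntil.set(account, now + this.lockoutMs);
      this.failures.delete(account);
      return true;
    }
    return false;
  }

  // A successful login clears the failure history for the account.
  recordSuccess(account) {
    this.failures.delete(account);
  }
}
```

Keying only on the account name, as above, means anyone who knows a username can lock its owner out; in practice pair account lockout with per-IP throttling or a challenge, and log lockouts so a burst of them shows up in detection.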

Sensitive Data Exposure (OWASP A02)

Hardcoded Secrets:

// BAD: Secrets in code
const apiKey = 'sk-1234567890abcdef';
const password = 'admin123';

// GOOD: Environment variables
const apiKey = process.env.API_KEY;

Patterns to grep for:

password\s*=\s*['"][^'"]+['"]
api[-]?key\s*=\s*['"][^'"]+['"]
secret\s*=\s*['"][^'"]+['"]
token\s*=\s*['"][^'"]+['"]
Bearer\s+[A-Za-z0-9-]+

False-positive filtering: Before reporting a match:

  • Skip lines containing example, placeholder, test, TODO, CHANGEME, or xxx

  • Skip files in test/, tests/, _test., .test., .spec.

  • Skip .md files (documentation examples)

  • If the matched value is a well-known placeholder (e.g., sk-... with all zeros, your-api-key-here), skip it
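The following added example (not from the review-security SKILL.md) turns the grep patterns and the four filtering rules above into a small scanner and runs it over a constructed set of files. File paths, contents, the `scanForSecrets`/`formatFindings` names and the output shape are all illustrative; the regexes are the ones listed above, compiled case-insensitively so that `apiKey`, `API_KEY` and `Password` match alike.

```javascript
// Added example, not part of the skill. Secret patterns from the list
// above; /i so camelCase and UPPER_CASE key names are caught too.
const SECRET_PATTERNS = [
  { kind: 'password', re: /password\s*=\s*['"][^'"]+['"]/i },
  { kind: 'api-key',  re: /api[-]?key\s*=\s*['"][^'"]+['"]/i },
  { kind: 'secret',   re: /secret\s*=\s*['"][^'"]+['"]/i },
  { kind: 'token',    re: /token\s*=\s*['"][^'"]+['"]/i },
  { kind: 'bearer',   re: /Bearer\s+[A-Za-z0-9-]+/ },
];

// False-positive rules from the list above.
const SKIP_LINE = /example|placeholder|test|TODO|CHANGEME|xxx/i;
const SKIP_PATH = /(^|\/)tests?\/|_test\.|\.test\.|\.spec\.|\.md$/;
const PLACEHOLDER_VALUES = [/^sk-0+$/, /^your-api-key-here$/i];

// Pull the quoted value out of a match so the placeholder rule can inspect it.
function quotedValue(match) {
  const m = /['"]([^'"]+)['"]/.exec(match);
  return m ? m[1] : match;
}

// files: [{ path, text }] -> [{ file, line, kind, match }]
function scanForSecrets(files) {
  const findings = [];
  for (const { path, text } of files) {
    if (SKIP_PATH.test(path)) continue;
    text.split('\n').forEach((line, i) => {
      if (SKIP_LINE.test(line)) return;
      for (const { kind, re } of SECRET_PATTERNS) {
        const m = re.exec(line);
        if (!m) continue;
        if (PLACEHOLDER_VALUES.some((p) => p.test(quotedValue(m[0])))) continue;
        findings.push({ file: path, line: i + 1, kind, match: m[0] });
      }
    });
  }
  return findings;
}

// Constructed sample repository: two real-looking secrets and one bearer
// token that should be reported, plus four lines the rules should drop.
const SAMPLE_FILES = [
  { path: 'src/config.js', text: [
    "const apiKey = 'sk-1234567890abcdef';",   // reported
    "const dbPassword = 'admin123';",           // reported
    "const apiKey = 'your-api-key-here';",       // known placeholder: skipped
    "// TODO: move token = 'abc' to env",        // TODO line: skipped
  ].join('\n') },
  { path: 'src/http.js', text: "headers: { Authorization: 'Bearer abc123def' }" }, // reported
  { path: 'tests/auth.test.js', text: "const password = 'hunter2';" },            // test path: skipped
  { path: 'README.md', text: "api_key = 'sk-000000'" },                            // docs: skipped
];

// Render findings the way the Output Format section lists them.
function formatFindings(findings) {
  return findings.map((f) => `${f.file}:${f.line} - Hardcoded ${f.kind}: ${f.match}`);
}
```

The "skip lines containing test" rule is a substring match, so a line mentioning `latest` or `contest` is skipped as well; when reviewing, treat the filter as a way to cut noise, not as proof that a skipped line is clean.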

Logging Sensitive Data:

// BAD: Logging credentials
console.log('User login:', { email, password });

// GOOD: Redact sensitive fields
console.log('User login:', { email, password: '[REDACTED]' });
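Redacting one field by hand, as in the GOOD snippet, does not scale past a single log call. The following added example (not from the review-security SKILL.md) generalises it: a helper walks any object, masks values under keys that look sensitive, and leaves everything else intact, so it can wrap every log statement. The key list, the `redact`/`safeLog` names and the sample login event are constructed for the demonstration.

```javascript
// Added example, not part of the skill. Key names that should never be
// logged in clear; extend per project.
const SENSITIVE_KEY = /password|passwd|secret|token|api[-_]?key|authorization|cookie/i;

// Return a copy of `value` with sensitive keys masked at any depth.
// The depth guard stops runaway recursion on cyclic or huge objects.
function redact(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Constructed login event of the kind the BAD snippet would log verbatim.
const loginEvent = {
  email: 'alice@example.com',
  password: 'hunter2',
  headers: { authorization: 'Bearer abc', 'user-agent': 'curl/8.0' },
  attempts: [{ ip: '203.0.113.5', token: 't-1' }],
};

// Log through the redactor and return what was written, for inspection.
function safeLog(label, obj) {
  const clean = redact(obj);
  console.log(label, JSON.stringify(clean));
  return clean;
}
```

Key-based redaction only catches secrets stored under a recognisable name; a token that ends up inside a free-text `message` string or under a key like `data` passes through, so pair this with the grep patterns above when reviewing log output.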

Security Misconfiguration (OWASP A05)

  • Debug mode disabled in production

  • No default/test credentials

  • Error messages don't expose internals

  • CORS properly configured (not * for sensitive APIs)

  • Security headers set (CSP, X-Frame-Options, etc.)

CORS Issues:

// BAD: Overly permissive
app.use(cors({ origin: '*' }));

// GOOD: Specific origins
app.use(cors({ origin: ['https://myapp.com'] }));
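The following added example (not from the review-security SKILL.md) writes out the allowlist logic that `cors({ origin: [...] })` performs, so a reviewer can recognise the two hand-rolled variants that quietly turn a "specific origins" configuration back into a wildcard: reflecting whatever `Origin` header arrives, and matching the allowed host by substring rather than by exact string. The origins, header names and function names are constructed for the demonstration.

```javascript
// Added example, not part of the skill. Exact-match allowlist of origins
// (scheme + host + optional port), never a pattern or a substring.
const ALLOWED_ORIGINS = new Set(['https://myapp.com', 'https://admin.myapp.com']);

// Response headers for a request with the given Origin, or {} when the
// origin is not allowed (the browser then refuses the cross-origin read).
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin, // the allowlisted value, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                             // caches must not reuse across origins
  };
}

// The substring check that looks right and is not: the allowed host name also
// occurs inside a constructed third-party origin such as https://myapp.com.example
function looseCheck(requestOrigin) {
  return requestOrigin.includes('myapp.com');
}
```

When a review finds a custom CORS handler, check for the `Vary: Origin` header as well: without it a cache can serve a response tagged with one origin's `Access-Control-Allow-Origin` to a request from another.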

Dependency Vulnerabilities

Check commands by ecosystem:

Node.js

npm audit
npx audit-ci --critical

Python

pip-audit
safety check

Ruby

bundle audit

Go

govulncheck ./...

Report any Critical or High severity vulnerabilities.

Output Format

Security Review: {scope}

Critical (fix immediately)

  • {file}:{line} - {vulnerability type}: {description}
    Fix: {remediation}

High Priority

  • {file}:{line} - {issue}
    Fix: {remediation}

Medium Priority

  • {file} - {issue}

Dependency Vulnerabilities

Package | Severity | CVE | Fix Version
{pkg} | Critical | CVE-XXXX-XXXX | {version}

Suggestions

  • {improvement}

Examples

Staged changes introduce SQL injection:

/review-security --staged

Reviews staged files and catches a login handler using string concatenation to build a SQL query with user input. Reports it as Critical with a fix showing parameterized queries.

Pre-release audit finds hardcoded secret:

/review-security --all

Parallel agents scan the full codebase by security category. Finds a hardcoded API key in a config file and a JWT secret committed as a string literal, along with an overly permissive CORS policy allowing all origins.

Troubleshooting

False positive on an intentional security pattern

Solution: If the flagged code is deliberate (e.g., a test fixture with hardcoded credentials, or a localhost-only CORS wildcard), add a comment like // SECURITY: intentional - <reason> so future audits can skip it with context.

Obfuscated or generated code blocks the audit

Solution: Exclude generated files (e.g., *.min.js, dist/, generated/) from the scope and audit only the source inputs. For vendored code, check the upstream project's security advisories rather than scanning the minified output.

Notes

  • Focus on exploitable vulnerabilities, not theoretical risks

  • Always provide remediation guidance

  • For --all, use parallel agents per category for speed

  • Check both source code and configuration files

  • Dependency checks require package manager files (package.json, requirements.txt, etc.)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
