review-security-structure
Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.
Best use case
review-security-structure is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.
Teams using review-security-structure should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/review-security-structure/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How review-security-structure Compares
| Feature / Agent | review-security-structure | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Review Security Structure Defensively review code or structure artifacts by reading architecture and data flow before reading full source. Use structural signals to identify vulnerabilities, logic flaws, parser/scanner risks, CI/CD risks, and LLM/agent tool-boundary risks. ## When to Use - **security review**, **vulnerability review**, **SAST triage**, **AST**, **structure map**, **call graph**, **Source/Sink**, **taint flow** - **脆弱性レビュー**, **セキュリティレビュー**, **構造マップ**, **AST レポート**, **依存関係**, **複雑度** - Reviewing owned or explicitly authorized code, design docs, scan results, or generated structure maps - Hardening parsers, scanners, CI/CD tools, file walkers, and agent/tool-call boundaries against malformed or adversarial input ## Safety Scope - Keep the work defensive: review, risk explanation, safe verification ideas, and minimal fixes. - Do not provide unauthorized testing, intrusion, persistence, evasion, credential theft, weaponized PoC, or destructive external steps. - If exploitability is uncertain, place the item in Hypotheses rather than Findings. - If code changes are requested, keep them minimal and verify with existing tests or a focused local check. ## Inputs to Prefer Use provided structure artifacts first, then inspect the smallest code/config range needed. | Input | Examples | | -------------- | ------------------------------------------------------------------- | | Structure | AST summaries, class/function lists, Mermaid graphs, JSON reports | | Data flow | Source, Propagator, Sanitizer, Sink, taint flow | | Call graph | caller -> callee edges, boundary-crossing calls, fallback paths | | Complexity | large functions, branch concentration, exception density | | Scope/state | variable scope, global state, shared mutable state, auth boundaries | | Static results | secret scan, dependency scan, lint/type/SAST warnings | | Context | README, design notes, CI workflow, deployment config | ## Structure Map Build If no equivalent structure artifact exists, create a minimal read-oriented structure map before starting findings review. Do not skip this step unless generation is genuinely blocked; record blockers and limits in the Structure Map Summary. 1. Look for existing artifacts in reports, manifest, tmp, CI output, README, package scripts, Makefile, or workflows. 2. Prefer existing language-aware tools: TypeScript compiler, eslint, dependency graph scripts, language server data, test/coverage config, or standard-library parsers. 3. Favor maps that include summaries, class/call graphs, function metrics, variable scopes, imports, taint flow, static findings, dependency audit, and high-complexity hotspots. 4. Avoid installing new dependencies unless clearly justified. Prefer lockfile-backed local tools. 5. Do not execute the target application behavior just to map it. Keep extraction static or read-only when possible. 6. Redact secret values. Record only kind and location, not token/password/key material. 7. For large repos, map entry points, changed files, public APIs, trust boundaries, and dangerous Sink neighborhoods first. Minimum map contract: | Item | Requirement | | ------------ | ------------------------------------------------------------------------------ | | entry_points | CLI, API handlers, commands, jobs, public APIs, workflows | | files | reviewed files, language, inferred role | | symbols | classes/functions/methods and inferred responsibility | | imports | external deps, dangerous APIs, security-boundary deps | | call_edges | caller -> callee edges when practical | | complexity | large or high-branch functions when practical | | sources | HTTP, CLI args, env, files, network, deserialization, LLM input | | sinks | command, SQL, eval, template, path, file write, network, secret/log, tool call | | sanitizers | validate, escape, normalize, authn/authz, schema checks | | scan_limits | missing, approximate, unsupported, or unparsed areas | ## Review Flow 1. Gate the target: assume review is allowed for current workspace/user-provided artifacts; ask only if ownership or authorization is unclear. 2. Classify the target: web app, CLI, library, scanner, CI/CD tool, infrastructure definition, data processor, extension, or agent tool. 3. Read an existing structure map, or build the minimal map from the contract above before full source reading. 4. Model trust boundaries: who controls which input, where it flows, what authority the Sink has, and what data is sensitive. 5. Trace Source -> Propagator -> Sanitizer -> Sink. Look for missing validation, wrong order, branch gaps, implicit deserialization, and type-conversion surprises. 6. Review call graph paths that bypass authn/authz, validation, initialization, feature flags, or normal handlers. 7. Review complexity and logic risks: giant functions, broad try/catch, deep nesting, fallback behavior, shared state, TOCTOU, and cache races. 8. For parsers/scanners/file walkers, prioritize crash, unbounded recursion, symlink loops, huge/deep ASTs, encoding edge cases, dependency resolution failures, and detection bypass. 9. For CI/CD, review workflow inputs, artifact/cache trust, token permissions, PR boundaries, release gates, and secret exposure. 10. For LLM/agent code, review prompt injection paths, external document trust, tool-call authorization, path safety, command policy, and log redaction. ## Evidence Rules - Findings require structural signal, reachability, impact, and a defensive verification or fix direction. - Confidence is High, Medium, or Low. Avoid certainty language unless verified. - Keep unsupported ideas in Hypotheses with the missing evidence and next check. - Reference local files with precise paths and line links when possible. Do not paste full source files. ## Output Format Lead with Findings. If there are no confirmed findings, state that clearly first. ### Findings | # | Severity | Confidence | Target | Structural Signal | Reachability | Impact | Defensive Verification | Minimal Fix | | --- | -------- | ---------- | ------ | ----------------- | ------------ | ------ | ---------------------- | ----------- | ### Structure Map Summary | Item | Value | | --------- | -------------------------------------------------------------------- | | Source | existing artifact / newly generated / quick extraction / unavailable | | Artifact | saved path, or none | | Scope | reviewed paths and boundaries | | Method | tools, scripts, or manual extraction used | | Limits | unparsed or approximate areas | | Redaction | redacted secret values, or none applicable | ### Hypotheses | # | Hypothesis | Missing Evidence | Next Check | | --- | ---------- | ---------------- | ---------- | ### Code to Inspect | Priority | Path / Symbol | Why | | -------- | ------------- | --- | ### Recommended Fix Plan 1. Fix clear, reachable, high-impact issues first. 2. Add safety guards such as size limits, timeouts, input validation, path normalization, auth checks, and log redaction. 3. Split high-complexity code only where it reduces risk or enables tests. 4. Verify the Source -> Sink path is blocked or constrained after the fix. ### Verification Summary - Checks run: command/tool/read-only review performed, or not run with reason - Remaining risk: unresolved items, or none - External references: URLs used, or none ## Thanks to / References Inspired by these structure-first review resources. Treat them as references, not required dependencies. - https://github.com/harumaki4649/ast-structure-map - https://qiita.com/harupython/items/ed256553d10578cfec2a - https://qiita.com/harupython/items/4d572a384c62016c51f2
Related Skills
x-hashtag-research
Collect and analyze public X posts from hashtags to discover primary sources, official docs, related GitHub repos, and reusable images. Use when researching launch-day announcements, event hashtags like #MSBuild or #MicrosoftBuild, keynote reactions, or when you want to turn noisy X posts into a structured research note under research/. X専用のハッシュタグ調査 workflow。
web-accessibility
Build and review accessible web products using WCAG 2.2 AA. Use when implementing or reviewing forms, dialogs, navigation, keyboard flows, focus management, ARIA, color contrast, responsive UI, or framework-specific accessibility in React/Next.js, Angular, and Vue.
vscode-extension-guide
Guide for creating VS Code extensions and plugins from scratch through Marketplace publication. Use when developing a VS Code extension/plugin, adding commands or keybindings, building TreeView or Webview UI, publishing to Marketplace, or troubleshooting activation and packaging issues.
skill-finder
Search, install, and manage Agent Skills locally and from GitHub, then help decide whether the task really needs a skill or another customization primitive. Use when looking for skills, installing skills, managing a skill collection, or choosing between a skill, prompt, instruction, or agent.
skill-creator-plus
Create or review a reusable skill (SKILL.md) that packages a workflow, and decide whether the request should be a skill instead of a prompt, instruction, agent, or hook. Use when creating a new skill, extracting a workflow from a conversation, updating an existing skill, reviewing SKILL.md quality, or fixing weak skill triggering. Triggers on "create skill", "/create-skill", "new skill", "review skill", "fix skill trigger", "SKILL.md", "スキル作成".
retro-copilot
Run a retro for ~/.copilot assets and turn incident learnings into updates for copilot-instructions, instructions, skills, agents, and hooks. Triggers on retro, retrospective, incident learning, error analysis, copilot setup, instructions update, インシデント, and 知見反映.
receipt-ocr-sorter
Automatically OCR, rename, and sort receipt images/PDFs/videos by date, amount, and project, with summary reports and D365 expense mapping. Use when sorting receipts, organizing expense files, OCR renaming, receipt sorting, レシート仕分け, or D365経費カテゴリマッピング.
powerpoint-automation
Create and edit professional PowerPoint presentations from web articles, blog posts, existing PPTX files, or templates. Use when creating PPTX, converting articles to slides, translating presentations, editing open PowerPoint files, or doing COM Automation / RefURL / overflow review work.
peer-feedback
同僚への半期ピアフィードバック下書きを自動生成する。workIQ で 1:1 チャット・グループチャット・メンション・共通会議・メール・SPO の履歴を収集し、6項目テンプレートに沿ってポジティブかつプロモーション志向で起票する。Use when: ピアフィードバック, フィードバック下書き, 同僚評価, 半期フィードバック, 360度フィードバック。
packet-capture-analysis
Use when analyzing pcap or pcapng files, triaging network captures, labeling IPs with evidence, generating PNG charts, or writing packet analysis reports. Keywords: pcap, pcapng, tshark, Wireshark, scapy, DNS, TLS SNI, RDAP, graph, matplotlib, gnuplot, packet capture.
ocr-super-surya
GPU-optimized OCR using Surya. Use when: (1) Extracting text from images/screenshots, (2) Processing PDFs with embedded images, (3) Multi-language document OCR, (4) Layout analysis and table detection. Supports 90+ languages with 2x accuracy over Tesseract.
microsoft-graph-gateway
Route Microsoft Graph work in this workspace. Use when users want to read or write Outlook mail, calendar events, contacts, OneDrive or SharePoint files, Teams, Planner, To Do, users, groups, directory data, or arbitrary Microsoft Graph endpoints from VS Code. Prefer WorkIQ for common read scenarios. Use Microsoft Graph for write actions and gap-read scenarios that need exact Graph properties, filters, permissions, or endpoints.