review-security-structure

Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.

11 stars

Best use case

review-security-structure is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.

Teams using review-security-structure should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-security-structure/SKILL.md --create-dirs "https://raw.githubusercontent.com/aktsmm/Agent-Skills/main/review-security-structure/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-security-structure/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-security-structure Compares

Feature / Agentreview-security-structureStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Review owned or authorized code for security using structure-first evidence: AST/structure maps, call graphs, complexity, Source/Sink flow, and defensive findings. Use when asked for security review, vulnerability review, AST structure map review, SAST triage, Source/Sink, taint flow, parser/scanner hardening, CI/CD security, LLM/agent tool boundary review, 脆弱性レビュー, 構造マップ, セキュリティレビュー.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# Review Security Structure

Defensively review code or structure artifacts by reading architecture and data flow before reading full source. Use structural signals to identify vulnerabilities, logic flaws, parser/scanner risks, CI/CD risks, and LLM/agent tool-boundary risks.

## When to Use

- **security review**, **vulnerability review**, **SAST triage**, **AST**, **structure map**, **call graph**, **Source/Sink**, **taint flow**
- **脆弱性レビュー**, **セキュリティレビュー**, **構造マップ**, **AST レポート**, **依存関係**, **複雑度**
- Reviewing owned or explicitly authorized code, design docs, scan results, or generated structure maps
- Hardening parsers, scanners, CI/CD tools, file walkers, and agent/tool-call boundaries against malformed or adversarial input

## Safety Scope

- Keep the work defensive: review, risk explanation, safe verification ideas, and minimal fixes.
- Do not provide unauthorized testing, intrusion, persistence, evasion, credential theft, weaponized PoC, or destructive external steps.
- If exploitability is uncertain, place the item in Hypotheses rather than Findings.
- If code changes are requested, keep them minimal and verify with existing tests or a focused local check.

## Inputs to Prefer

Use provided structure artifacts first, then inspect the smallest code/config range needed.

| Input          | Examples                                                            |
| -------------- | ------------------------------------------------------------------- |
| Structure      | AST summaries, class/function lists, Mermaid graphs, JSON reports   |
| Data flow      | Source, Propagator, Sanitizer, Sink, taint flow                     |
| Call graph     | caller -> callee edges, boundary-crossing calls, fallback paths     |
| Complexity     | large functions, branch concentration, exception density            |
| Scope/state    | variable scope, global state, shared mutable state, auth boundaries |
| Static results | secret scan, dependency scan, lint/type/SAST warnings               |
| Context        | README, design notes, CI workflow, deployment config                |

## Structure Map Build

If no equivalent structure artifact exists, create a minimal read-oriented structure map before starting findings review. Do not skip this step unless generation is genuinely blocked; record blockers and limits in the Structure Map Summary.

1. Look for existing artifacts in reports, manifest, tmp, CI output, README, package scripts, Makefile, or workflows.
2. Prefer existing language-aware tools: TypeScript compiler, eslint, dependency graph scripts, language server data, test/coverage config, or standard-library parsers.
3. Favor maps that include summaries, class/call graphs, function metrics, variable scopes, imports, taint flow, static findings, dependency audit, and high-complexity hotspots.
4. Avoid installing new dependencies unless clearly justified. Prefer lockfile-backed local tools.
5. Do not execute the target application behavior just to map it. Keep extraction static or read-only when possible.
6. Redact secret values. Record only kind and location, not token/password/key material.
7. For large repos, map entry points, changed files, public APIs, trust boundaries, and dangerous Sink neighborhoods first.

Minimum map contract:

| Item         | Requirement                                                                    |
| ------------ | ------------------------------------------------------------------------------ |
| entry_points | CLI, API handlers, commands, jobs, public APIs, workflows                      |
| files        | reviewed files, language, inferred role                                        |
| symbols      | classes/functions/methods and inferred responsibility                          |
| imports      | external deps, dangerous APIs, security-boundary deps                          |
| call_edges   | caller -> callee edges when practical                                          |
| complexity   | large or high-branch functions when practical                                  |
| sources      | HTTP, CLI args, env, files, network, deserialization, LLM input                |
| sinks        | command, SQL, eval, template, path, file write, network, secret/log, tool call |
| sanitizers   | validate, escape, normalize, authn/authz, schema checks                        |
| scan_limits  | missing, approximate, unsupported, or unparsed areas                           |

## Review Flow

1. Gate the target: assume review is allowed for current workspace/user-provided artifacts; ask only if ownership or authorization is unclear.
2. Classify the target: web app, CLI, library, scanner, CI/CD tool, infrastructure definition, data processor, extension, or agent tool.
3. Read an existing structure map, or build the minimal map from the contract above before full source reading.
4. Model trust boundaries: who controls which input, where it flows, what authority the Sink has, and what data is sensitive.
5. Trace Source -> Propagator -> Sanitizer -> Sink. Look for missing validation, wrong order, branch gaps, implicit deserialization, and type-conversion surprises.
6. Review call graph paths that bypass authn/authz, validation, initialization, feature flags, or normal handlers.
7. Review complexity and logic risks: giant functions, broad try/catch, deep nesting, fallback behavior, shared state, TOCTOU, and cache races.
8. For parsers/scanners/file walkers, prioritize crash, unbounded recursion, symlink loops, huge/deep ASTs, encoding edge cases, dependency resolution failures, and detection bypass.
9. For CI/CD, review workflow inputs, artifact/cache trust, token permissions, PR boundaries, release gates, and secret exposure.
10. For LLM/agent code, review prompt injection paths, external document trust, tool-call authorization, path safety, command policy, and log redaction.

## Evidence Rules

- Findings require structural signal, reachability, impact, and a defensive verification or fix direction.
- Confidence is High, Medium, or Low. Avoid certainty language unless verified.
- Keep unsupported ideas in Hypotheses with the missing evidence and next check.
- Reference local files with precise paths and line links when possible. Do not paste full source files.

## Output Format

Lead with Findings. If there are no confirmed findings, state that clearly first.

### Findings

| #   | Severity | Confidence | Target | Structural Signal | Reachability | Impact | Defensive Verification | Minimal Fix |
| --- | -------- | ---------- | ------ | ----------------- | ------------ | ------ | ---------------------- | ----------- |

### Structure Map Summary

| Item      | Value                                                                |
| --------- | -------------------------------------------------------------------- |
| Source    | existing artifact / newly generated / quick extraction / unavailable |
| Artifact  | saved path, or none                                                  |
| Scope     | reviewed paths and boundaries                                        |
| Method    | tools, scripts, or manual extraction used                            |
| Limits    | unparsed or approximate areas                                        |
| Redaction | redacted secret values, or none applicable                           |

### Hypotheses

| #   | Hypothesis | Missing Evidence | Next Check |
| --- | ---------- | ---------------- | ---------- |

### Code to Inspect

| Priority | Path / Symbol | Why |
| -------- | ------------- | --- |

### Recommended Fix Plan

1. Fix clear, reachable, high-impact issues first.
2. Add safety guards such as size limits, timeouts, input validation, path normalization, auth checks, and log redaction.
3. Split high-complexity code only where it reduces risk or enables tests.
4. Verify the Source -> Sink path is blocked or constrained after the fix.

### Verification Summary

- Checks run: command/tool/read-only review performed, or not run with reason
- Remaining risk: unresolved items, or none
- External references: URLs used, or none

## Thanks to / References

Inspired by these structure-first review resources. Treat them as references, not required dependencies.

- https://github.com/harumaki4649/ast-structure-map
- https://qiita.com/harupython/items/ed256553d10578cfec2a
- https://qiita.com/harupython/items/4d572a384c62016c51f2

Related Skills

x-hashtag-research

11
from aktsmm/Agent-Skills

Collect and analyze public X posts from hashtags to discover primary sources, official docs, related GitHub repos, and reusable images. Use when researching launch-day announcements, event hashtags like #MSBuild or #MicrosoftBuild, keynote reactions, or when you want to turn noisy X posts into a structured research note under research/. X専用のハッシュタグ調査 workflow。

web-accessibility

11
from aktsmm/Agent-Skills

Build and review accessible web products using WCAG 2.2 AA. Use when implementing or reviewing forms, dialogs, navigation, keyboard flows, focus management, ARIA, color contrast, responsive UI, or framework-specific accessibility in React/Next.js, Angular, and Vue.

vscode-extension-guide

11
from aktsmm/Agent-Skills

Guide for creating VS Code extensions and plugins from scratch through Marketplace publication. Use when developing a VS Code extension/plugin, adding commands or keybindings, building TreeView or Webview UI, publishing to Marketplace, or troubleshooting activation and packaging issues.

skill-finder

11
from aktsmm/Agent-Skills

Search, install, and manage Agent Skills locally and from GitHub, then help decide whether the task really needs a skill or another customization primitive. Use when looking for skills, installing skills, managing a skill collection, or choosing between a skill, prompt, instruction, or agent.

skill-creator-plus

11
from aktsmm/Agent-Skills

Create or review a reusable skill (SKILL.md) that packages a workflow, and decide whether the request should be a skill instead of a prompt, instruction, agent, or hook. Use when creating a new skill, extracting a workflow from a conversation, updating an existing skill, reviewing SKILL.md quality, or fixing weak skill triggering. Triggers on "create skill", "/create-skill", "new skill", "review skill", "fix skill trigger", "SKILL.md", "スキル作成".

retro-copilot

11
from aktsmm/Agent-Skills

Run a retro for ~/.copilot assets and turn incident learnings into updates for copilot-instructions, instructions, skills, agents, and hooks. Triggers on retro, retrospective, incident learning, error analysis, copilot setup, instructions update, インシデント, and 知見反映.

receipt-ocr-sorter

11
from aktsmm/Agent-Skills

Automatically OCR, rename, and sort receipt images/PDFs/videos by date, amount, and project, with summary reports and D365 expense mapping. Use when sorting receipts, organizing expense files, OCR renaming, receipt sorting, レシート仕分け, or D365経費カテゴリマッピング.

powerpoint-automation

11
from aktsmm/Agent-Skills

Create and edit professional PowerPoint presentations from web articles, blog posts, existing PPTX files, or templates. Use when creating PPTX, converting articles to slides, translating presentations, editing open PowerPoint files, or doing COM Automation / RefURL / overflow review work.

peer-feedback

11
from aktsmm/Agent-Skills

同僚への半期ピアフィードバック下書きを自動生成する。workIQ で 1:1 チャット・グループチャット・メンション・共通会議・メール・SPO の履歴を収集し、6項目テンプレートに沿ってポジティブかつプロモーション志向で起票する。Use when: ピアフィードバック, フィードバック下書き, 同僚評価, 半期フィードバック, 360度フィードバック。

packet-capture-analysis

11
from aktsmm/Agent-Skills

Use when analyzing pcap or pcapng files, triaging network captures, labeling IPs with evidence, generating PNG charts, or writing packet analysis reports. Keywords: pcap, pcapng, tshark, Wireshark, scapy, DNS, TLS SNI, RDAP, graph, matplotlib, gnuplot, packet capture.

ocr-super-surya

11
from aktsmm/Agent-Skills

GPU-optimized OCR using Surya. Use when: (1) Extracting text from images/screenshots, (2) Processing PDFs with embedded images, (3) Multi-language document OCR, (4) Layout analysis and table detection. Supports 90+ languages with 2x accuracy over Tesseract.

microsoft-graph-gateway

11
from aktsmm/Agent-Skills

Route Microsoft Graph work in this workspace. Use when users want to read or write Outlook mail, calendar events, contacts, OneDrive or SharePoint files, Teams, Planner, To Do, users, groups, directory data, or arbitrary Microsoft Graph endpoints from VS Code. Prefer WorkIQ for common read scenarios. Use Microsoft Graph for write actions and gap-read scenarios that need exact Graph properties, filters, permissions, or endpoints.