sec-context-depth
Comprehensive AI code security review using 27 sec-context anti-patterns. Use for code review when security vulnerabilities are suspected, especially for AI-generated code.
Best use case
sec-context-depth is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Comprehensive AI code security review using 27 sec-context anti-patterns. Use for code review when security vulnerabilities are suspected, especially for AI-generated code.
Teams using sec-context-depth should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/sec-context-depth/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How sec-context-depth Compares
| Feature / Agent | sec-context-depth | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive AI code security review using 27 sec-context anti-patterns. Use for code review when security vulnerabilities are suspected, especially for AI-generated code.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Sec-Context Depth: AI Code Security Anti-Patterns Review
## v2.90.1 Changes
- **References-driven**: Uses LOCAL reference files with full BAD/GOOD examples
- **Model-agnostic**: Works with any configured model
- **No flags required**: Works with the configured default model
Perform comprehensive security reviews on AI-generated code, detecting **27 security anti-patterns** from the sec-context framework.
> Based on: [Arcanum-Sec/sec-context](https://github.com/Arcanum-Sec/sec-context)
> Source: 150+ security research sources, OWASP, CWE
## MANDATORY: Load Reference Files First
**Before analyzing any code, you MUST read the local reference files** that contain the full detection patterns with BAD/GOOD examples:
1. **BREADTH reference** (comprehensive coverage of all 27 patterns):
```
Read: .claude/skills/sec-context-depth/references/ANTI_PATTERNS_BREADTH.md
```
2. **DEPTH reference** (deep-dive into 7 most critical patterns):
```
Read: .claude/skills/sec-context-depth/references/ANTI_PATTERNS_DEPTH.md
```
These files contain:
- Pseudocode BAD examples (what to detect)
- Pseudocode GOOD examples (secure alternatives)
- CWE identifiers and severity scores
- Attack scenarios and exploitation techniques
- Edge cases frequently overlooked by AI models
**Do NOT rely only on this SKILL.md** — the pattern titles below are an index only. The actual detection logic is in the reference files.
---
## Execution Steps
1. **Read** both reference files above
2. **Glob** target files: `Glob pattern="src/**/*.{ts,js,py,java,go}"` (adjust to target)
3. **Grep** for each anti-pattern using the BAD examples from references
4. **Report** findings organized by Priority (P0 → P2)
---
## Statistics (Why This Matters)
- **86% XSS failure rate** in AI-generated code
- **72% of Java AI code** contains vulnerabilities
- AI code is **2.74x more likely** to have XSS vulnerabilities
- **81% of organizations** have shipped vulnerable AI-generated code
- **5-21% of AI-suggested packages don't exist** (slopsquatting)
---
## Priority Classification
| Priority | Score | Action | Count |
|----------|-------|--------|-------|
| **P0 Critical** | 21-24 | BLOCKING - Must fix before merge | 13 patterns |
| **P1 High** | 18-20 | BLOCKING - Should fix before merge | 8 patterns |
| **P2 Medium** | 15-17 | ADVISORY - Review and fix if feasible | 6 patterns |
## Pattern Index (details in reference files)
### P0: CRITICAL (13)
| # | Pattern | CWE | Score |
|---|---------|-----|-------|
| 1 | Hardcoded Secrets | CWE-798 | 23 |
| 2 | API Key Prefixes | CWE-798 | 23 |
| 3 | Private Keys | CWE-321 | 23 |
| 4 | SQL Injection - String Concat | CWE-89 | 22 |
| 5 | SQL Injection - f-string | CWE-89 | 22 |
| 6 | Command Injection | CWE-78 | 21 |
| 7 | Command Injection - Concat | CWE-78 | 21 |
| 8 | XSS - innerHTML | CWE-79 | 23 |
| 9 | XSS - document.write | CWE-79 | 23 |
| 10 | XSS - React Unsafe | CWE-79 | 23 |
| 11 | NoSQL Injection | CWE-943 | 22 |
| 12 | Template Injection SSTI | CWE-1336 | 22 |
| 13 | Hardcoded Encryption Key | CWE-798 | 22 |
### P1: HIGH (8)
| # | Pattern | CWE | Score |
|---|---------|-----|-------|
| 14 | JWT None Algorithm | CWE-287 | 22 |
| 15 | Weak Hash MD5/SHA1 | CWE-327 | 20 |
| 16 | ECB Mode | CWE-327 | 20 |
| 17 | DES/RC4 | CWE-327 | 20 |
| 18 | Insecure Random | CWE-330 | 18 |
| 19 | Path Traversal | CWE-22 | 20 |
| 20 | LDAP Injection | CWE-90 | 20 |
| 21 | XPath Injection | CWE-643 | 20 |
### P2: MEDIUM (6)
| # | Pattern | CWE | Score |
|---|---------|-----|-------|
| 22 | Open CORS | CWE-346 | 17 |
| 23 | Verbose Errors | CWE-209 | 16 |
| 24 | Insecure Temp Files | CWE-377 | 16 |
| 25 | Unvalidated Redirect | CWE-601 | 16 |
| 26 | Insecure Deserialization | CWE-502 | 18 |
| 27 | Debug Mode | CWE-489 | 15 |
---
## Detection Checklist
When reviewing code, systematically check:
- [ ] **Secrets**: Environment variables, not hardcoded
- [ ] **Queries**: Parameterized, not concatenated
- [ ] **Commands**: Array arguments, shell=False
- [ ] **HTML**: textContent/sanitized, not innerHTML
- [ ] **Crypto**: Modern algorithms (AES-GCM, bcrypt)
- [ ] **Random**: Cryptographic sources
- [ ] **Files**: Path validation, secure temp
- [ ] **Errors**: Generic messages in production
- [ ] **Auth**: Session regeneration, rate limiting
---
## Output Format
```markdown
# Sec-Context Depth Audit Report
## Summary
- Files scanned: N
- Findings: X (P0: N, P1: N, P2: N)
## P0 Critical Findings
### [Pattern Name] (CWE-XXX) - file:line
- **BAD**: [code snippet]
- **GOOD**: [secure alternative from reference]
- **Impact**: [description]
## P1 High Findings
...
## P2 Medium Findings
...
## Recommendations
1. ...
```
---
## Integration with Hook
The `sec-context-validate.sh` hook automatically checks these 27 patterns on every Edit/Write operation via PostToolUse.
---
## Related Skills
- /adversarial - Adversarial spec refinement
- /security - Security audit
- /gates - Quality gates validationRelated Skills
context7-usage
Patterns for using Context7 MCP for library documentation (v2.25)
context-engineer
Determines WHAT context an agent needs and packages it optimally. Actions: analyze (identify needed context), load (assemble from sources), prune (trim to token budget), inject (write to .claude/context-payload.md). Use when: (1) before spawning teammates, (2) context window is limited, (3) multi-source context assembly. Triggers: /context-engineer, 'prepare context', 'package context', 'context for agent'.
worktree-pr
Manage git worktrees with PR workflow and multi-agent review (Claude + Codex). Use when developing features in isolation with easy rollback.
vercel-react-best-practices
React and Next.js performance optimization guidelines from Vercel Engineering. Use when writing, reviewing, or refactoring React/Next.js code. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
vault
Living knowledge base management. Actions: search (query vault), save (store learning), index (update indices), compile (raw->wiki->rules graduation), init (create vault structure). Follows Karpathy pipeline: ingest->compile->query. Use when: (1) searching accumulated knowledge, (2) saving learnings, (3) compiling raw notes into wiki, (4) initializing a new vault. Triggers: /vault, 'vault search', 'knowledge base', 'save learning'.
testing-anti-patterns
Custom skill for testing-anti-patterns
task-visualizer
Visualize task dependencies and progress (Gastown-style)
task-classifier
Classifies task complexity (1-10) for model and agent routing
task-batch
Autonomous batch task execution with PRD parsing, task decomposition, and continuous execution until all tasks complete. Uses /orchestrator internally. Stops only for major failures (no internet, token limit, system crash). Use when: (1) processing task lists autonomously, (2) PRD-driven development, (3) batch feature implementation. Triggers: /task-batch, 'batch tasks', 'process PRD', 'run task queue'.
tap-explorer
Tree of Attacks with Pruning for systematic code analysis
stop-slop
A skill for removing AI-generated writing patterns ('slop') from prose. Eliminates telltale signs of AI writing like filler phrases, excessive hedging, overly formal language, and mechanical sentence structures. Use when: writing content that should sound human and natural, editing AI-generated drafts, cleaning up prose for publication, or any content that needs to sound authentic rather than AI-generated. Triggers: 'stop-slop', 'remove AI tells', 'clean up prose', 'make it sound human', 'edit AI writing'.
spec
Produce a verifiable technical specification before coding. 6 mandatory sections: Interfaces, Behaviors, Invariants (from Aristotle Phase 2), File Plan, Test Plan, Exit Criteria (executable bash commands + expected results). Use when: (1) before implementing features with complexity > 4, (2) as Step 1.5 in orchestrator workflow, (3) when requirements need formalization. Triggers: /spec, 'create spec', 'write specification', 'technical spec'.