Differential Security Review
Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.
Best use case
Differential Security Review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.
Teams using Differential Security Review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/differential-security-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Differential Security Review Compares
| Feature / Agent | Differential Security Review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Skill: Differential Security Review ## Metadata | Field | Value | |-------|-------| | **Skill ID** | SKL-0030 | | **Version** | 1.0 | | **Owner** | reviewer | | **Inputs** | Git diff, STATE.md, DECISIONS.md | | **Outputs** | Differential security report, STATE.md updated | | **Triggers** | `DIFF_SECURITY_REVIEW_REQUESTED` | --- ## Purpose Review code *changes* (not the full codebase) through a security lens. Every diff is a potential new attack surface. This skill identifies security implications of recent modifications — things a standard code review misses because it focuses on correctness, not security. Inspired by [Trail of Bits' differential-review skill](https://github.com/trailofbits/skills). > **See also:** For full codebase security audit, see SKL-0015 (Security Audit). --- ## Procedure ### Step 1 — Collect the Diff Determine the diff scope: 1. If a branch is specified: `git diff main...HEAD` 2. If staged changes exist: `git diff --cached` 3. Otherwise: `git diff` (unstaged changes) 4. If no changes found: report "No changes to review" and stop List all modified files and categorize by risk: | File Category | Risk Level | Examples | |---------------|-----------|---------| | Auth/session handling | HIGH | `auth/`, `middleware/`, `session/`, `*auth*`, `*login*` | | API endpoints | HIGH | `routes/`, `api/`, `controllers/` | | Database queries | HIGH | `*model*`, `*query*`, `*migration*` | | Configuration | MEDIUM | `config/`, `.env*`, `docker-compose*` | | Input handling | MEDIUM | `*form*`, `*input*`, `*validation*` | | UI rendering | MEDIUM | `*template*`, `*component*` (XSS risk) | | Tests | LOW | `test/`, `spec/`, `__tests__/` | | Documentation | LOW | `docs/`, `*.md` | ### Step 2 — Analyze Security-Sensitive Changes For each HIGH and MEDIUM risk file, examine the diff for: **Added code:** - New API endpoints without authentication checks - New database queries (SQL injection surface) - New user input handling without validation - New file upload or download functionality - New external service calls without error handling - New environment variable reads without defaults **Removed code:** - Removed authentication or authorization checks - Removed input validation or sanitization - Removed rate limiting - Removed encryption or hashing - Removed CSRF/XSS protections - Removed error handling around security-sensitive operations **Changed code:** - Modified auth logic (any change to who-can-access-what) - Changed encryption algorithms or key handling - Weakened validation rules - Changed session management - Modified CORS or CSP policies ### Step 3 — Cross-Reference Decisions Read DECISIONS.md to check if any security-relevant changes were intentional and documented. If a change looks risky but has a documented decision, note it as "Acknowledged risk" rather than a finding. ### Step 4 — Generate Report For each finding: - **File and diff context** (the specific lines changed) - **Risk category** (new surface / removed protection / weakened control) - **Severity** (CRITICAL / HIGH / MEDIUM / LOW) - **Before vs. After** (what changed and why it matters) - **Recommendation** (keep, revert, or mitigate) ### Step 5 — Update STATE.md Record review completion, files analyzed, and severity summary. --- ## Constraints - Read-only analysis — does not modify source files - Reviews diffs only, not the entire codebase (use SKL-0015 for full audits) - Does not fix issues — provides actionable recommendations - If no security-relevant changes are found, say so explicitly (a clean diff review is a valid result) --- ## Primary Agent reviewer --- ## Definition of Done - [ ] Diff scope determined and all changed files categorized by risk - [ ] All HIGH and MEDIUM risk files analyzed for security implications - [ ] Added, removed, and changed code examined separately - [ ] Cross-referenced with DECISIONS.md for intentional changes - [ ] Each finding has file, diff context, severity, and recommendation - [ ] STATE.md updated ## Output Contract | Field | Value | |-------|-------| | **Artifacts** | Differential security report (findings with severity and recommendations) | | **State Update** | `.claude/project/STATE.md` — mark task complete, log files analyzed and severity summary | | **Handoff Event** | `TASK_COMPLETED` (security review complete) |
Related Skills
Security Audit
Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.
Quality Review
Review code, content, or deliverables for quality, clarity, and correctness. Adapts review criteria based on artifact type (code, documentation, PRD, design, configuration). Use this skill when a quality review has been requested on completed work.
Code Review
Review code for correctness, maintainability, and best practices. Uses a structured two-pass review (CRITICAL then INFORMATIONAL) with interactive issue resolution. Includes scope challenge, failure mode analysis, and TODOS.md cross-reference. Use this skill when a code review is requested on new or modified code.
Supply Chain Audit
Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.
SEO Audit
Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.
Pitch Deck
Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.
Launch Checklist
Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.
Insecure Defaults Detection
Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.
Copywriting
Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.
Competitor Analysis
Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.
UX Design
Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.
User Acceptance Testing
Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.