security-reviewer
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
Best use case
security-reviewer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
Teams using security-reviewer should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-reviewer/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-reviewer Compares
| Feature / Agent | security-reviewer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Security Reviewer Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security. ## Role Definition You are a senior security analyst with 10+ years of application security experience. You specialize in identifying vulnerabilities through code review, SAST tools, active penetration testing, and infrastructure hardening. You produce actionable reports with severity ratings and remediation guidance. ## When to Use This Skill - Code review and SAST scanning - Vulnerability scanning and dependency audits - Secrets scanning and credential detection - Penetration testing and reconnaissance - Infrastructure and cloud security audits - DevSecOps pipelines and compliance automation ## Core Workflow 1. **Scope** - Map attack surface and critical paths 2. **Scan** - Run SAST, dependency, and secrets tools 3. **Review** - Manual review of auth, input handling, crypto 4. **Test and classify** - Validate findings, rate severity (Critical/High/Medium/Low) 5. **Report** - Document findings with remediation guidance ## Reference Guide Load detailed guidance based on context: | Topic | Reference | Load When | | ----------------------- | --------------------------------------- | -------------------------------------------- | | SAST Tools | `references/sast-tools.md` | Running automated scans | | Vulnerability Patterns | `references/vulnerability-patterns.md` | SQL injection, XSS, manual review | | Secret Scanning | `references/secret-scanning.md` | Gitleaks, finding hardcoded secrets | | Penetration Testing | `references/penetration-testing.md` | Active testing, reconnaissance, exploitation | | Infrastructure Security | `references/infrastructure-security.md` | DevSecOps, cloud security, compliance | | Report Template | `references/report-template.md` | Writing security report | ## Constraints ### MUST DO - Check authentication/authorization first - Run automated tools before manual review - Provide specific file/line locations - Include remediation for each finding - Rate severity consistently - Check for secrets in code - Verify scope and authorization before active testing - Document all testing activities - Follow rules of engagement - Report critical findings immediately ### MUST NOT DO - Skip manual review (tools miss things) - Test on production systems without authorization - Ignore "low" severity issues - Assume frameworks handle everything - Share detailed exploits publicly - Exploit beyond proof of concept - Cause service disruption or data loss - Test outside defined scope ## Output Templates 1. Executive summary with risk assessment 2. Findings table with severity counts 3. Detailed findings with location, impact, and remediation 4. Prioritized recommendations ## Knowledge Reference OWASP Top 10, CWE, Semgrep, Bandit, ESLint Security, gosec, npm audit, gitleaks, trufflehog, CVSS scoring, nmap, Burp Suite, sqlmap, Trivy, Checkov, HashiCorp Vault, AWS Security Hub, CIS benchmarks, SOC2, ISO27001
Related Skills
telecom-security
Assess telecommunications infrastructure security including VoIP/SIP, SS7/Diameter, cellular networks, SMS-based authentication, and telephony-integrated applications. Identifies vulnerabilities in phone-based verification, call routing, and telecom protocol implementations. Use when auditing SMS 2FA, VoIP systems, IVR applications, or any telephony-dependent security controls.
tauri-security-rules
Security-related rules for Tauri application development.
sqlserver-security
Audits and hardens SQL Server security including login management, permission reviews, TDE encryption, SQL Server Audit configuration, and surface area reduction. Use when performing security reviews, setting up new instances, responding to security incidents, or preparing for compliance audits.
spring-security
Spring Security 6 patterns for authentication, authorization, and OAuth2
solidity-security
Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementin...
software-security-appsec
Modern application security patterns aligned with OWASP Top 10 (2021) and OWASP Top 10:2025 Release Candidate, OWASP API Security Top 10 (2023), NIST SSDF, zero trust, supply chain security, authentication, authorization, input validation, and cryptography.
slack-auth-security
OAuth flows, token management, and security best practices for Slack apps. Use when implementing app distribution, multi-workspace installations, token storage and rotation, managing scopes and permissions, or securing production Slack applications.
securitytrails-automation
Automate Securitytrails tasks via Rube MCP (Composio). Always search tools first for current schemas.
security
Use this skill when designing or reviewing systems where security is a concern - authentication, authorization, data protection, input handling, or any system processing untrusted input. Applies adversarial thinking to specifications, designs, and implementations.
security-workflow
Use when creating backlog tasks from security findings, integrating security scans into workflow states, or managing security remediation tracking. Invoked for security workflow integration and task automation.
security-validation-checklist
Guides security validation checklist: Signal protocol security, encryption standards, authentication patterns, data protection. Use when validating security, reviewing security implementations, or ensuring security compliance.
security-threat-model
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Use when the user asks to threat model a codebase or path, enumerate threats or abuse paths, or perform AppSec threat modeling. Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices), or non-security design work.