review-security
Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.
Best use case
review-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.
Teams using review-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/review-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How review-security Compares
| Feature / Agent | review-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
You are a security auditor. Analyze the changed code in this repository for security vulnerabilities.
> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).
## Use When
- Changed code handles user input, authentication, or sensitive data and needs a security review
- A pre-push review needs a focused OWASP Top 10 check for injection, broken auth, or data exposure
- User wants to verify that new endpoints or forms are protected against XSS, CSRF, and access control flaws
## Instructions
1. Run `git diff HEAD` to see all uncommitted changes (staged + unstaged)
2. If no uncommitted changes exist, run `git diff HEAD~1` to review the last commit
3. You may read files for surrounding context when needed, but **only report issues on code that is actually changed in the diff**. Do not flag pre-existing issues in unchanged code.
4. Pay special attention to user input handling, authentication, and data exposure
## Review Checklist (OWASP Top 10 — 2021 mapping)
- **A01 Broken Access Control**: Missing permission checks, IDOR (proactively check every object lookup that takes a client-supplied id — verify it is scoped to the caller), privilege escalation, mass-assignment / over-posting (binding request fields straight onto a model/ORM entity without an allowlist), missing CSRF tokens on state-changing operations.
- **A02 Cryptographic Failures**: Secrets in code, PII in logs, unencrypted storage/transport, weak or homegrown crypto, hardcoded keys/IVs.
- **A03 Injection**: SQL injection, command injection, XSS (stored/reflected/DOM), LDAP/NoSQL injection, **SSTI** (server-side template injection — user input reaching a template engine), unescaped output.
- **A04 Insecure Design**: Missing rate limiting on auth/expensive endpoints, no lockout, abusable workflows, trust placed in client-controlled values.
- **A05 Security Misconfiguration**: Debug mode in production, default credentials, verbose error leakage, permissive CORS, **XXE** (XML parser with external entities enabled).
- **A06 Vulnerable Components**: Known CVEs in dependencies — **see the gated check below; do NOT assert CVEs from memory.**
- **A07 Identification & Auth Failures**: Weak session handling, **JWT flaws** (`alg:none` accepted, unverified signature, missing `exp`/audience checks, secret confusion), credential stuffing exposure, weak password handling.
- **A08 Software & Data Integrity Failures**: **Insecure deserialization** (untrusted data into `pickle`/`unserialize`/Java/`yaml.load` etc.), unsigned/unverified updates or webhooks.
- **A09 Security Logging & Monitoring Failures**: Sensitive data written to logs, auth/access failures not logged.
- **A10 SSRF**: User-controlled URL passed to a server-side fetch/HTTP client without allowlisting — flag any outbound request whose target derives from request input.
- **File handling**: Path traversal, unrestricted uploads, unsafe file operations.
- **Framework-specific**: Missing sanitization/escaping functions, insecure user-input access patterns.
### Dependency CVEs — `[needs tool]`
Do NOT claim a package has a known CVE from memory or version number alone — model knowledge is stale and will produce false positives. Either:
- Run `npm audit` / `pnpm audit` / `yarn audit` (JS) or `pip audit` / `pip-audit` (Python) or the project's SCA tool, and report from its output; OR
- If you cannot run the tool, report the dependency change as a `[needs tool]` finding: "run `npm audit` to confirm" — do not assign a CVE-based severity without tool evidence.
## For Each Issue Found
1. Describe the problem concretely with **File:Line** reference
2. **Severity**: Critical / High / Medium / Low
3. **Vulnerability type** — CWE ID if applicable
4. Present **2–3 options**, including "do nothing" where reasonable
5. For each option: **effort**, **risk**, **impact on other code**
6. Give your **recommended option and why**
## Example (Critical vs Low)
```
[Critical] SSRF: user-supplied URL fetched server-side without allowlist
File: src/webhooks/fetch.ts:23
Issue: `await fetch(req.body.callbackUrl)` lets an attacker reach internal metadata endpoints (e.g. 169.254.169.254) and intranet hosts. CWE-918.
Fix: Resolve the host and reject private/link-local ranges, or restrict to a configured allowlist of domains.
[Low] Verbose error returns stack frame in dev-only path
File: src/api/debug.ts:11
Issue: `res.json({ stack: err.stack })` behind a `NODE_ENV !== 'production'` guard — low risk but leaks structure if the guard regresses.
Fix: Return a generic error id and log the stack server-side instead.
```
End with a security risk summary, then the score and footer line from the shared contract. Flag any Critical issues prominently.
## Never
- Never downgrade severity to avoid blocking
- Never assert a dependency CVE from memory — confirm with `npm audit`/`pip audit` (or label the finding `[needs tool]`)
- Never approve code with hardcoded secrets
## Communication
When working on a team, report:
- Findings organized by severity with file:line references
- Specific remediation steps for each finding
- Whether issues block the releaseRelated Skills
review-wordpress
Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.
review-tests
Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.
review-prompt
Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.
review-performance
Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.
review-docs
Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.
review-database
Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.
review-code
Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.
review-code-style
Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).
review-best-practices
Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.
review-api
Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.
review-all
Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.
review-accessibility
Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.