review-security

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

5 stars

Best use case

review-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

Teams using review-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/forbee-dev/ForgeBee/main/forgebee/skills/review-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-security Compares

Feature / Agentreview-securityStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

You are a security auditor. Analyze the changed code in this repository for security vulnerabilities.

> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).

## Use When
- Changed code handles user input, authentication, or sensitive data and needs a security review
- A pre-push review needs a focused OWASP Top 10 check for injection, broken auth, or data exposure
- User wants to verify that new endpoints or forms are protected against XSS, CSRF, and access control flaws

## Instructions

1. Run `git diff HEAD` to see all uncommitted changes (staged + unstaged)
2. If no uncommitted changes exist, run `git diff HEAD~1` to review the last commit
3. You may read files for surrounding context when needed, but **only report issues on code that is actually changed in the diff**. Do not flag pre-existing issues in unchanged code.
4. Pay special attention to user input handling, authentication, and data exposure

## Review Checklist (OWASP Top 10 — 2021 mapping)

- **A01 Broken Access Control**: Missing permission checks, IDOR (proactively check every object lookup that takes a client-supplied id — verify it is scoped to the caller), privilege escalation, mass-assignment / over-posting (binding request fields straight onto a model/ORM entity without an allowlist), missing CSRF tokens on state-changing operations.
- **A02 Cryptographic Failures**: Secrets in code, PII in logs, unencrypted storage/transport, weak or homegrown crypto, hardcoded keys/IVs.
- **A03 Injection**: SQL injection, command injection, XSS (stored/reflected/DOM), LDAP/NoSQL injection, **SSTI** (server-side template injection — user input reaching a template engine), unescaped output.
- **A04 Insecure Design**: Missing rate limiting on auth/expensive endpoints, no lockout, abusable workflows, trust placed in client-controlled values.
- **A05 Security Misconfiguration**: Debug mode in production, default credentials, verbose error leakage, permissive CORS, **XXE** (XML parser with external entities enabled).
- **A06 Vulnerable Components**: Known CVEs in dependencies — **see the gated check below; do NOT assert CVEs from memory.**
- **A07 Identification & Auth Failures**: Weak session handling, **JWT flaws** (`alg:none` accepted, unverified signature, missing `exp`/audience checks, secret confusion), credential stuffing exposure, weak password handling.
- **A08 Software & Data Integrity Failures**: **Insecure deserialization** (untrusted data into `pickle`/`unserialize`/Java/`yaml.load` etc.), unsigned/unverified updates or webhooks.
- **A09 Security Logging & Monitoring Failures**: Sensitive data written to logs, auth/access failures not logged.
- **A10 SSRF**: User-controlled URL passed to a server-side fetch/HTTP client without allowlisting — flag any outbound request whose target derives from request input.
- **File handling**: Path traversal, unrestricted uploads, unsafe file operations.
- **Framework-specific**: Missing sanitization/escaping functions, insecure user-input access patterns.

### Dependency CVEs — `[needs tool]`

Do NOT claim a package has a known CVE from memory or version number alone — model knowledge is stale and will produce false positives. Either:
- Run `npm audit` / `pnpm audit` / `yarn audit` (JS) or `pip audit` / `pip-audit` (Python) or the project's SCA tool, and report from its output; OR
- If you cannot run the tool, report the dependency change as a `[needs tool]` finding: "run `npm audit` to confirm" — do not assign a CVE-based severity without tool evidence.

## For Each Issue Found

1. Describe the problem concretely with **File:Line** reference
2. **Severity**: Critical / High / Medium / Low
3. **Vulnerability type** — CWE ID if applicable
4. Present **2–3 options**, including "do nothing" where reasonable
5. For each option: **effort**, **risk**, **impact on other code**
6. Give your **recommended option and why**

## Example (Critical vs Low)

```
[Critical] SSRF: user-supplied URL fetched server-side without allowlist
File: src/webhooks/fetch.ts:23
Issue: `await fetch(req.body.callbackUrl)` lets an attacker reach internal metadata endpoints (e.g. 169.254.169.254) and intranet hosts. CWE-918.
Fix: Resolve the host and reject private/link-local ranges, or restrict to a configured allowlist of domains.

[Low] Verbose error returns stack frame in dev-only path
File: src/api/debug.ts:11
Issue: `res.json({ stack: err.stack })` behind a `NODE_ENV !== 'production'` guard — low risk but leaks structure if the guard regresses.
Fix: Return a generic error id and log the stack server-side instead.
```

End with a security risk summary, then the score and footer line from the shared contract. Flag any Critical issues prominently.

## Never
- Never downgrade severity to avoid blocking
- Never assert a dependency CVE from memory — confirm with `npm audit`/`pip audit` (or label the finding `[needs tool]`)
- Never approve code with hardcoded secrets

## Communication
When working on a team, report:
- Findings organized by severity with file:line references
- Specific remediation steps for each finding
- Whether issues block the release

Related Skills

review-wordpress

5
from forbee-dev/ForgeBee

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

review-tests

5
from forbee-dev/ForgeBee

Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.

review-prompt

5
from forbee-dev/ForgeBee

Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.

review-performance

5
from forbee-dev/ForgeBee

Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.

review-docs

5
from forbee-dev/ForgeBee

Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.

review-database

5
from forbee-dev/ForgeBee

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

review-code

5
from forbee-dev/ForgeBee

Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.

review-code-style

5
from forbee-dev/ForgeBee

Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).

review-best-practices

5
from forbee-dev/ForgeBee

Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.

review-api

5
from forbee-dev/ForgeBee

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

review-all

5
from forbee-dev/ForgeBee

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

review-accessibility

5
from forbee-dev/ForgeBee

Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.