security-review

Security-focused code review checklist for identifying vulnerabilities

22,487 stars

Best use case

security-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using security-review should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/security-review/SKILL.md --create-dirs "https://raw.githubusercontent.com/mastra-ai/mastra/main/templates/template-github-review-agent/workspace/skills/security-review/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-review/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-review Compares

| Feature / Agent | security-review | Standard Approach |
| --- | --- | --- |
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Security-focused code review checklist for identifying vulnerabilities

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Review

When reviewing code for security issues, check each category below. Reference the detailed checklist in `references/security-checklist.md`.

## Injection Vulnerabilities

- SQL injection: Look for string concatenation in database queries
- Command injection: Check for unsanitized input passed to shell commands (`exec`, `spawn`)
- XSS: Look for unsanitized user input rendered in HTML/templates
- Path traversal: Check for user input in file paths without sanitization
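
The path traversal and command injection items above, as an added Node.js example that is not part of the skill file or the mastra repository: each pattern a reviewer should flag is shown beside a hardened form. `UPLOAD_ROOT`, the `convert` command line and all inputs are constructed for illustration.

```javascript
// Added example (not from the mastra repository). UPLOAD_ROOT and inputs are constructed.
const path = require('node:path');
const { execFileSync } = require('node:child_process');

const UPLOAD_ROOT = '/srv/app/uploads'; // hypothetical base directory

// Path traversal, form to flag: user input joined into a path, no containment check.
function unsafeResolve(userPath) {
  return path.join(UPLOAD_ROOT, userPath);
}

// Hardened form: resolve, then require the result to stay under the root.
// Matching on root + separator rejects sibling prefixes like /srv/app/uploads-old.
function resolveInside(root, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(root);
  const target = path.resolve(base, userPath);
  if (target !== base && !target.startsWith(base + path.sep)) {
    throw new Error('path escapes root');
  }
  return target;
}

// Command injection, form to flag (hypothetical command, shown as a comment, not run):
//   exec(`convert ${userInput} out.png`)   // the whole string is parsed by a shell
// Hardened form: execFile/spawn with an argument array start no shell (unless
// `shell: true` is set), so ";" and "$()" arrive as literal text in one argument.
// The child here is Node itself echoing its argument, so the example is portable.
function echoViaArgv(userInput) {
  return execFileSync(
    process.execPath,
    ['-e', 'process.stdout.write(process.argv[1])', userInput],
    { encoding: 'utf8' }
  );
}
```

`path.resolve` is purely lexical, so where symlinks can exist under the root the check should also compare `fs.realpath` results. An argument array does not stop option injection: input that begins with `-` still needs validation before it reaches the program.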

## Authentication & Authorization

- Verify authentication checks on protected routes/endpoints
- Ensure authorization checks match the required access level
- Look for privilege escalation paths (e.g., user can modify other users' data)
- Check that password/token comparison uses constant-time comparison
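
The constant-time comparison item above, as an added Node.js example that is not part of the skill file or the mastra repository. The function names and token values are constructed; the HMAC step is one common way to satisfy the equal-length requirement of `crypto.timingSafeEqual`.

```javascript
// Added example (not from the mastra repository). Token values are constructed.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Form to flag: === on strings may stop at the first differing character,
// so response time can vary with how much of the secret was guessed.
function unsafeTokenEquals(presented, expected) {
  return presented === expected;
}

// timingSafeEqual throws on buffers of different length, so both values are first
// reduced to HMAC-SHA256 digests under a per-process random key. The digests are
// always 32 bytes, and the comparison no longer depends on the raw input length.
const COMPARE_KEY = randomBytes(32);

function digest(value) {
  return createHmac('sha256', COMPARE_KEY).update(value, 'utf8').digest();
}

// Hardened form. Non-string input (an array or object from a JSON body) is
// rejected outright rather than coerced, and an empty expected secret never matches.
function safeTokenEquals(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  if (expected.length === 0) return false;
  return timingSafeEqual(digest(presented), digest(expected));
}
```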

## Secrets & Credentials

- Hardcoded API keys, passwords, tokens, or connection strings
- Secrets in configuration files that might be committed
- Sensitive data in logs or error messages
- Credentials passed via URL query parameters

## Input Validation

- Validate and sanitize all external input (user input, API responses, file contents)
- Check for missing or weak input validation on API endpoints
- Verify type coercion doesn't bypass validation
- Look for overly permissive CORS or CSP configurations

## Data Exposure

- Sensitive data returned in API responses unnecessarily
- PII or secrets in application logs
- Information leakage in error messages (stack traces, internal paths)
- Missing data encryption for sensitive fields

## Severity Levels

- 🔴 **CRITICAL**: Exploitable vulnerability (injection, auth bypass, exposed secrets)
- 🟠 **HIGH**: Potential vulnerability that needs investigation
- 🟡 **MEDIUM**: Security weakness or missing best practice
- 🔵 **LOW**: Minor security improvement suggestion
