About this skill
The 'differential-review' skill empowers AI agents to conduct in-depth security analysis on code changes, including pull requests, individual commits, and arbitrary diffs. Designed with a 'Risk-First' approach, it prioritizes critical security areas such as authentication mechanisms, cryptographic implementations, value transfer operations, and external API calls. Every identified finding is 'Evidence-Based,' linking directly to git history, line numbers, and plausible attack scenarios. The skill is 'Adaptive,' capable of scaling its review depth based on codebase size (SMALL/MEDIUM/LARGE), and 'Honest,' explicitly stating its coverage limits and confidence levels. Its ultimate goal is 'Output-Driven,' generating comprehensive markdown reports detailing potential vulnerabilities and recommended remediation steps. As part of the 'antigravity-awesome-skills' collection, it extends AI agents' capabilities into critical software development security workflows.
Best use case
Ideal for development teams, security engineers, or individual developers who want to integrate automated, security-focused code analysis directly into their development lifecycle. It helps identify and mitigate potential vulnerabilities early, reducing the risk of security incidents in production environments.
Security-focused code review for PRs, commits, and diffs.
A detailed, markdown-formatted security review report for the specified code changes. The report will highlight potential vulnerabilities, provide evidence with specific file and line numbers, describe attack scenarios, and suggest remediation actions. It will also state the confidence level of the findings and the coverage depth of the review.
Practical example
Example input
Perform a differential security review on the pull request linked here: `https://github.com/org/repo/pull/123`. Focus on authentication and data handling vulnerabilities.
Example output
```markdown ## Differential Security Review Report ### Overview - **Target:** PR #123 (main branch vs. feature-x) - **Scope:** Review of new and modified code in `src/auth`, `src/api`, and `src/utils`. - **Confidence:** High - **Coverage:** MEDIUM ### Findings #### 1. Insecure Cryptography - Hardcoded Salt - **File:** `src/auth/hasher.js` - **Line:** 27 - **Description:** Password hashing function `createHash` uses a hardcoded salt value. This significantly weakens the security, as an attacker with knowledge of the salt could pre-compute hash tables for brute-force attacks across all users. - **Attack Scenario:** If the source code is compromised, an attacker can use the known salt to create rainbow tables, making it much easier to crack user passwords. - **Suggested Action:** Implement a cryptographically secure random salt for each user, stored alongside the hashed password. Consider using libraries like `bcrypt` or `scrypt` which handle salt generation internally. #### 2. Unsanitized User Input in API Endpoint - **File:** `src/api/user.js` - **Line:** 68 - **Description:** The `/api/user/profile` endpoint directly uses `req.query.username` in a database query without proper sanitization, making it vulnerable to SQL injection. - **Attack Scenario:** An attacker could inject malicious SQL commands into the `username` parameter (e.g., `?username=admin' OR '1'='1'--`). This could lead to unauthorized data access, modification, or even deletion. - **Suggested Action:** Use parameterized queries or ORM methods that automatically escape input. Implement input validation and sanitization for all user-provided data. ### Summary of Risks - Two High-severity issues identified concerning authentication and data integrity. ### Rationalizations - "Small PR, quick review" was considered, but critical path changes in `auth` necessitated a thorough review. ### End of Report ```
When to use this skill
- Use this skill before merging pull requests to ensure security standards are met, when auditing recent commits for introduced vulnerabilities, or for ad-hoc security assessments of specific code diffs. It's particularly valuable when code changes involve sensitive operations like user authentication, data encryption, financial transactions, or third-party integrations.
When not to use this skill
- This skill is not suitable for general code style reviews, functional testing, or performance optimization. It should not be used as a standalone replacement for comprehensive human-led security audits, penetration testing, or architectural security reviews, but rather as a powerful supplementary tool.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/differential-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How differential-review Compares
| Feature / Agent | differential-review | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Security-focused code review for PRs, commits, and diffs.
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Differential Security Review
Security-focused code review for PRs, commits, and diffs.
## When to Use
- You need a security-focused review of a PR, commit range, or diff rather than a general code review.
- The changes touch auth, crypto, external calls, value transfer, permissions, or other high-risk logic.
- You need findings backed by code evidence, attack scenarios, and an explicit report artifact.
## Core Principles
1. **Risk-First**: Focus on auth, crypto, value transfer, external calls
2. **Evidence-Based**: Every finding backed by git history, line numbers, attack scenarios
3. **Adaptive**: Scale to codebase size (SMALL/MEDIUM/LARGE)
4. **Honest**: Explicitly state coverage limits and confidence level
5. **Output-Driven**: Always generate comprehensive markdown report file
---
## Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|-----------------|----------------|-----------------|
| "Small PR, quick review" | Heartbleed was 2 lines | Classify by RISK, not size |
| "I know this codebase" | Familiarity breeds blind spots | Build explicit baseline context |
| "Git history takes too long" | History reveals regressions | Never skip Phase 1 |
| "Blast radius is obvious" | You'll miss transitive callers | Calculate quantitatively |
| "No tests = not my problem" | Missing tests = elevated risk rating | Flag in report, elevate severity |
| "Just a refactor, no security impact" | Refactors break invariants | Analyze as HIGH until proven LOW |
| "I'll explain verbally" | No artifact = findings lost | Always write report |
---
## Quick Reference
### Codebase Size Strategy
| Codebase Size | Strategy | Approach |
|---------------|----------|----------|
| SMALL (<20 files) | DEEP | Read all deps, full git blame |
| MEDIUM (20-200) | FOCUSED | 1-hop deps, priority files |
| LARGE (200+) | SURGICAL | Critical paths only |
### Risk Level Triggers
| Risk Level | Triggers |
|------------|----------|
| HIGH | Auth, crypto, external calls, value transfer, validation removal |
| MEDIUM | Business logic, state changes, new public APIs |
| LOW | Comments, tests, UI, logging |
---
## Workflow Overview
```
Pre-Analysis → Phase 0: Triage → Phase 1: Code Analysis → Phase 2: Test Coverage
↓ ↓ ↓ ↓
Phase 3: Blast Radius → Phase 4: Deep Context → Phase 5: Adversarial → Phase 6: Report
```
---
## Decision Tree
**Starting a review?**
```
├─ Need detailed phase-by-phase methodology?
│ └─ Read: methodology.md
│ (Pre-Analysis + Phases 0-4: triage, code analysis, test coverage, blast radius)
│
├─ Analyzing HIGH RISK change?
│ └─ Read: adversarial.md
│ (Phase 5: Attacker modeling, exploit scenarios, exploitability rating)
│
├─ Writing the final report?
│ └─ Read: reporting.md
│ (Phase 6: Report structure, templates, formatting guidelines)
│
├─ Looking for specific vulnerability patterns?
│ └─ Read: patterns.md
│ (Regressions, reentrancy, access control, overflow, etc.)
│
└─ Quick triage only?
└─ Use Quick Reference above, skip detailed docs
```
---
## Quality Checklist
Before delivering:
- [ ] All changed files analyzed
- [ ] Git blame on removed security code
- [ ] Blast radius calculated for HIGH risk
- [ ] Attack scenarios are concrete (not generic)
- [ ] Findings reference specific line numbers + commits
- [ ] Report file generated
- [ ] User notified with summary
---
## Integration
**audit-context-building skill:**
- Pre-Analysis: Build baseline context
- Phase 4: Deep context on HIGH RISK changes
**issue-writer skill:**
- Transform findings into formal audit reports
- Command: `issue-writer --input DIFFERENTIAL_REVIEW_REPORT.md --format audit-report`
---
## Example Usage
### Quick Triage (Small PR)
```
Input: 5 file PR, 2 HIGH RISK files
Strategy: Use Quick Reference
1. Classify risk level per file (2 HIGH, 3 LOW)
2. Focus on 2 HIGH files only
3. Git blame removed code
4. Generate minimal report
Time: ~30 minutes
```
### Standard Review (Medium Codebase)
```
Input: 80 files, 12 HIGH RISK changes
Strategy: FOCUSED (see methodology.md)
1. Full workflow on HIGH RISK files
2. Surface scan on MEDIUM
3. Skip LOW risk files
4. Complete report with all sections
Time: ~3-4 hours
```
### Deep Audit (Large, Critical Change)
```
Input: 450 files, auth system rewrite
Strategy: SURGICAL + audit-context-building
1. Baseline context with audit-context-building
2. Deep analysis on auth changes only
3. Blast radius analysis
4. Adversarial modeling
5. Comprehensive report
Time: ~6-8 hours
```
---
## When NOT to Use This Skill
- **Greenfield code** (no baseline to compare)
- **Documentation-only changes** (no security impact)
- **Formatting/linting** (cosmetic changes)
- **User explicitly requests quick summary only** (they accept risk)
For these cases, use standard code review instead.
---
## Red Flags (Stop and Investigate)
**Immediate escalation triggers:**
- Removed code from "security", "CVE", or "fix" commits
- Access control modifiers removed (onlyOwner, internal → external)
- Validation removed without replacement
- External calls added without checks
- High blast radius (50+ callers) + HIGH risk change
These patterns require adversarial analysis even in quick triage.
---
## Tips for Best Results
**Do:**
- Start with git blame for removed code
- Calculate blast radius early to prioritize
- Generate concrete attack scenarios
- Reference specific line numbers and commits
- Be honest about coverage limitations
- Always generate the output file
**Don't:**
- Skip git history analysis
- Make generic findings without evidence
- Claim full analysis when time-limited
- Forget to check test coverage
- Miss high blast radius changes
- Output report only to chat (file required)
---
## Supporting Documentation
- **methodology.md** - Detailed phase-by-phase workflow (Phases 0-4)
- **adversarial.md** - Attacker modeling and exploit scenarios (Phase 5)
- **reporting.md** - Report structure and formatting (Phase 6)
- **patterns.md** - Common vulnerability patterns reference
---
**For first-time users:** Start with methodology.md to understand the complete workflow.
**For experienced users:** Use this page's Quick Reference and Decision Tree to navigate directly to needed content.Related Skills
mtls-configuration
Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
malware-analyst
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
linux-privilege-escalation
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.