security-review
Installation
SKILL.md
Security Review
Use this workflow before merging or releasing changes that touch authentication, authorization, data handling, network surfaces, infrastructure, dependencies, or LLM-facing inputs.
Workflow
- Establish the review scope with the user request, current branch, pull request, commit range, or changed files.
- Inspect the diff first, then read the smallest amount of surrounding code needed to validate each candidate issue.
- Review by concern:
- Injection: SQL, NoSQL, shell, template, deserialization, path traversal, prompt injection.
- Authn/Authz: session handling, tokens, RBAC, object-level authorization, privilege boundaries.
- Secrets: committed credentials, unsafe logging, insufficient redaction, private key material.
- Supply chain: new dependencies, unpinned executables, lockfile drift, install scripts.
- Infrastructure: public exposure, missing encryption, weak defaults, overly broad permissions.
- Business logic: state bypasses, replay, race conditions, idempotency, rollback gaps.
- Confirm reachability before reporting a finding. Do not report pattern matches that cannot execute.
- Redact any secret values. Cite only enough structure to identify the issue safely.
- Rank findings by severity and provide concrete fix directions.
- If no issues are found, say so clearly and note the remaining verification gaps.