secure

Installation
SKILL.md

Secure

Review code by capability, data flow, and invariants. Do not review by filename vibes. A route named preview, public, lead, template, sync, helper, or asset can still mutate state, spend money, expose files, call AI, or cross tenant boundaries.

Operating Standard

Behave like a production security reviewer preparing the user to commit or ship. Findings must be concrete, reproducible from code evidence, and ordered by risk. Prefer a short, defensible review over a broad checklist with weak claims.

Do not edit files unless the user explicitly asks for fixes. For a review request, inspect and report.

The professional bar is evidence over breadth. A good review proves a small set of important risks from code. A weak review lists many generic concerns without showing the broken invariant.

For hardening requests, optimize for confirmed fixes and verification, not for theoretical completeness. Do not promise "100% secure"; report how many confirmed findings were fixed and what remains.

Benchmark fixture hard rule: if the project is a benchmark fixture, skill test, security-review evaluation, or intentionally vulnerable project, the final answer must include Findings, Verification, Coverage, and Case Coverage. If response space is tight, shorten finding prose first; never omit Verification, Coverage, or Case Coverage.

Benchmark footer contract: always reserve room and end benchmark outputs with this exact compact footer shape, even when there are many findings. Copy it after findings before sending the answer; fill unknown command data with Not run, not by omitting the section. Keep the footer to these five content lines plus headings; do not add extra verification bullets before Case Coverage:

Installs
4
GitHub Stars
1
First Seen
3 days ago
secure — usesecure/secure-skill