security-review

by @TheSimpleApp in Development

# Install this skill:

npx skills add TheSimpleApp/agent-skills --skill "security-review"

Install specific skill from multi-skill repository

# Description

Review code for security vulnerabilities using OWASP guidelines, static analysis patterns, and secure coding practices. Use when auditing code, reviewing PRs, or checking for vulnerabilities.

# SKILL.md

name: security-review
description: Review code for security vulnerabilities using OWASP guidelines, static analysis patterns, and secure coding practices. Use when auditing code, reviewing PRs, or checking for vulnerabilities.
license: MIT
metadata:
author: thesimpleapp
version: "1.0"

Security Review

Systematic security analysis of code for vulnerabilities.

OWASP Top 10 Checklist

1. Injection (SQL, Command, LDAP)

// VULNERABLE
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// SAFE
db.query('SELECT * FROM users WHERE id = ?', [userId]);

2. Broken Authentication

Check session management
Verify password hashing (bcrypt, argon2)
Look for hardcoded credentials
Ensure secure session cookies (HttpOnly, Secure, SameSite)

3. Sensitive Data Exposure

API keys in code or logs
PII in URLs or query strings
Missing encryption for sensitive data
Overly verbose error messages

4. XML External Entities (XXE)

Disable external entity processing
Validate and sanitize XML input

5. Broken Access Control

Missing authorization checks
IDOR (Insecure Direct Object References)
Privilege escalation paths
Missing CORS restrictions

6. Security Misconfiguration

Debug mode in production
Default credentials
Unnecessary features enabled
Missing security headers

7. Cross-Site Scripting (XSS)

// VULNERABLE
element.innerHTML = userInput;

// SAFE
element.textContent = userInput;
// or use DOMPurify for HTML
element.innerHTML = DOMPurify.sanitize(userInput);

8. Insecure Deserialization

Never deserialize untrusted data
Validate object types after deserialization
Use allowlists for permitted classes

9. Using Components with Known Vulnerabilities

Check npm audit / pip audit / cargo audit
Review dependency versions
Monitor for security advisories

10. Insufficient Logging & Monitoring

Log authentication attempts
Log access control failures
Ensure logs don't contain sensitive data

Quick Scan Patterns

Secrets in Code

# Look for:
- API keys: /[A-Za-z0-9_]{20,}/
- AWS keys: /AKIA[0-9A-Z]{16}/
- Private keys: /-----BEGIN.*PRIVATE KEY-----/
- Passwords: /password\s*=\s*['"][^'"]+['"]/

Dangerous Functions

Language	Functions to Review
JavaScript	`eval()`, `innerHTML`, `document.write()`
Python	`eval()`, `exec()`, `pickle.loads()`
PHP	`eval()`, `system()`, `exec()`, `unserialize()`
SQL	String concatenation in queries

Security Headers Checklist

Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block

Output Format

For each finding:
1. Severity: Critical / High / Medium / Low
2. Location: File and line number
3. Vulnerability: Type of issue
4. Impact: What could an attacker do?
5. Remediation: How to fix it

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

⚡ Amp 🚀 Antigravity 🤖 Claude Code 🦀 Clawdbot 📝 Codex ▶️ Cursor 🤖 Droid 💎 Gemini CLI 🐙 GitHub Copilot 🪿 Goose 📊 Kilo Code 🔧 Kiro CLI 💻 OpenCode 🦘 Roo Code 🌲 Trae 🏄 Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.