Perform security review focusing on common vulnerabilities and OWASP Top 10
Performs security audits with focus on preventing common vulnerabilities.
Invoke this skill when:
## Hardcoded secrets

```bash
# Search for common secret patterns
grep -r "api_key\|apikey\|secret\|password\|token" --include="*.js" --include="*.py" --include="*.go"
# Check for .env files in version control
git log --all --full-history -- "**/.env*"
```
## SQL injection

```python
# Bad: user input is interpolated directly into the SQL string
query = f"SELECT * FROM users WHERE id = {user_id}"
# Good: parameterized query, the driver binds the value
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
```
## Command injection

```javascript
// Bad: the filename is interpolated into a shell command line
exec(`convert ${userFilename}`)
// Good: execFile passes arguments without a shell, so userFilename cannot inject commands
const { execFile } = require('child_process')
execFile('convert', [userFilename])
```
## Cross-site scripting (XSS)

```javascript
// Bad
element.innerHTML = userInput
// Good
element.textContent = userInput
// or use framework escaping (React, Vue, etc.)
```
## Vulnerable dependencies

```bash
# Check for vulnerabilities
npm audit
pip-audit
go list -json -m all | nancy sleuth
```
## Dangerous patterns

```javascript
// Eval usage
eval(userInput)
// Unsafe reflection
eval(`require('${userModule}')`)
// Direct file path from user
fs.readFile(userPath)
```

```python
# Unsafe deserialization
pickle.loads(user_data)
```
## Cryptography

```python
# Weak random
import random
token = random.randint(1, 1000000)  # Use secrets module
# Hash without salt
md5(password)  # Use bcrypt/argon2
# Timing attacks
if user_token == expected_token:  # Use constant-time compare
```
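The three fixes above, worked through with the standard library as an added example (not part of the original skill file): `secrets` for tokens, a salted, memory-hard password hash, and `hmac.compare_digest` for constant-time comparison. `hashlib.scrypt` stands in here for bcrypt/argon2 because it ships with Python; the `salt$hash` storage layout and the cost parameters are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Cost parameters for scrypt (stand-in for bcrypt/argon2; chosen for this example)
_SCRYPT_N, _SCRYPT_R, _SCRYPT_P, _DKLEN = 2 ** 14, 8, 1, 32


def new_session_token(nbytes: int = 32) -> str:
    """CSPRNG-backed, URL-safe token. random.randint is predictable and must not be used here."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash, stored as '<salt hex>$<digest hex>' so the salt travels with the hash."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P, dklen=_DKLEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P, dklen=_DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def tokens_match(user_token: str, expected_token: str) -> bool:
    """Constant-time comparison; a plain == returns as soon as the first byte differs."""
    return hmac.compare_digest(user_token.encode("utf-8"), expected_token.encode("utf-8"))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(new_session_token())
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
```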
## Security headers

Required headers for web apps:

```http
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
```
## Outdated dependencies

```bash
# JavaScript
npm outdated
npm audit fix
# Python
pip list --outdated
pip-audit
# Go
go list -u -m all
```
## Rate limiting

```http
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
X-RateLimit-Reset: 1623456789
```
## CORS

```javascript
// Be specific, not *
cors({
  origin: 'https://yourdomain.com',
  credentials: true
})
```
## Security Review Report

**Date**: YYYY-MM-DD
**Scope**: [what was reviewed]

### Critical Issues
- [Issue] at [location]
  - **Risk**: [description]
  - **Fix**: [recommendation]
### High Priority
[Same format]
### Medium Priority
[Same format]
### Recommendations
- [General security improvements]
### Summary
- Critical: X
- High: X
- Medium: X
- Low: X
## Quick wins

Easy security improvements:

- npm audit / pip-audit - Dependency scanning
- bandit - Python security linter
- brakeman - Ruby security scanner
- gosec - Go security checker
- semgrep - Multi-language security patterns
- git-secrets - Prevent committing secrets