Plugin

mcp-security-review

Name: mcp-security-review
Author: srajangpt1

Perform pre-coding security assessments on tasks to identify risks and OWASP mitigations, generate developer-focused threat models with attack scenarios and fixes, and review code for vulnerabilities like injections, XSS, and deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby.

npx claudepluginhub srajangpt1/ai-security-crew

Component Overview

Commands

Skills

Component Details

Commands (3)

Instructions

/sec-review

Perform a pre-coding security review for the following task:

Instructions

/threat-model

Perform a threat model for the following feature or component:

Instructions

/verify-code

Perform a security review of the following code:

Skills (3)

security-review

/security-review

Pre-coding security assessment for any development task. Use this skill whenever the user is about to start coding a feature and wants to know the security requirements, risks, or considerations first — even if they don't say "security review" explicitly. Trigger on phrases like "before I code this", "what are the security requirements for", "security considerations for", "is this secure to build", "what should I watch out for when building", or when a user describes a feature (login, payments, file upload, API, auth, etc.) and asks how to approach it safely. Also trigger when user asks to "vibe code" securely or mentions they want security built in from the start.

threat-model

/threat-model

Threat modeling for a feature, component, or system. Use this skill whenever the user wants to think through what could go wrong security-wise with something they're building, asks "what are the security threats for", "threat model this", "what attacks should I worry about", "help me think through the security of", or is designing a new feature and wants to identify risks before coding. Also trigger for phrases like "attack surface", "what can an attacker do", "security design review", or when building something involving auth, payments, file handling, multi-tenancy, external APIs, or sensitive data flows. This produces a concrete, developer-friendly threat model — not abstract frameworks — with actionable mitigations and an optional threat-model.md file.

verify-code

/verify-code

Security review of code for vulnerabilities. Use this skill whenever the user wants to check code for security issues, asks "is this code secure?", "review this for vulnerabilities", "any security issues here?", or pastes code and asks for feedback. Also trigger when the user has just finished coding a feature (especially auth, APIs, file handling, database queries, or anything that handles user input) and wants to verify it before shipping. Trigger on phrases like "review the code", "check for vulnerabilities", "audit this", "is this safe?", "security check on this", or after generating code with an AI and wanting to validate it. Works with any language: Python, JavaScript, TypeScript, Java, Go, Ruby, SQL, etc.

README

AI Security Crew

License

A lightweight MCP server for security reviews built for vibe coding — injects security requirements prior to code generation, scans dependencies for CVEs, and verifies generated code, all without breaking your coding rhythm.

Jump to installation:

MCP Server — full feature set with Jira, Confluence, CVE scanning (with reachability), and threat modeling
Claude Code Plugin — install 3 security skills globally in Claude Code (no Jira/MCP needed)
Claude Code Skills only — manually add slash commands to a specific project

Claude Code Plugin

Install all three security skills directly into Claude Code — no MCP server, no Jira, no configuration required.

/plugin install Srajangpt1/ai_security_crew

This gives you three commands available in any project:

Command	When to use
`/sec-review`	Before coding — get risk level, OWASP guidelines, and a security prompt for AI code generation
`/verify-code`	After coding — review code for vulnerabilities with a checklist and prioritized fixes
`/threat-model`	For new features — identify threats with evidence links, mitigations, and optional `threat-model.md`

Claude Code Skills

If you prefer to add the skills to a specific project only (instead of globally), clone this repo and the slash commands in .claude/commands/ are available automatically in Claude Code when working in the project directory.

Tools

Pre-coding

Tool	When to Use
`lightweight_security_review`	Before any coding task — get security requirements and guidelines for your tech stack
`assess_ticket_security`	Before coding from a Jira ticket — pull security requirements directly from the ticket
`perform_threat_model`	For significant new features — generate a structured threat model (STRIDE, attack surfaces)

Dependency security

Tool	When to Use
`verify_packages`	When adding packages — confirm they exist with valid versions (catches hallucinated package names)
`scan_dependencies`	When adding packages — scan for CVEs and check reachability in your code

Post-coding

Tool	When to Use
`verify_code_security`	After generating code — AI-powered security review against OWASP guidelines

Threat model persistence

Tool	When to Use
`search_previous_threat_models`	Before creating a new threat model — check if one already exists in Confluence
`update_threat_model_file`	After `perform_threat_model` — write the threat model to `threat-model.md` in the repo

Agent Workflow

The server automatically sends workflow instructions to any connecting agent (Claude, Cursor, etc.) via the MCP initialize handshake. Agents will follow this workflow without additional configuration:

Before coding — call lightweight_security_review (or assess_ticket_security for Jira tickets)
When adding packages — call verify_packages, then scan_dependencies with the code that uses them
After generating code — call verify_code_security and follow the review_prompt to report findings
For significant features — call perform_threat_model and persist with update_threat_model_file

Dependency Scanning

scan_dependencies uses OSV.dev to find CVEs and performs reachability analysis to determine if vulnerable code paths are actually called:

Status	Meaning
`reachable`	Vulnerable function is called in your code — action required
`not_reachable`	Vulnerable function is not called
`not_imported`	Package is not imported at all
`uncertain`	AI analyzed the code but could not determine reachability
`no_code_provided`	No code snippets were passed to the tool

Reachability is determined by (in order): OSV function-level symbols → keyword matching against the vuln summary → AI analysis via ctx.sample().

Quick Start

1. Build the image

docker build -t mcp-security-review:latest .

2. Configure your IDE

Add to your MCP config (Claude Desktop, Cursor, etc.):

View full README on GitHub

Similar Plugins

sentinel

Security scanning, dependency CVE audits, and exposure-aware risk prioritization.

Stats

Version1.0.0

Stars50

Forks17

MaintenanceGood

AddedMar 24, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Help us improve

Share bugs, ideas, or general feedback.

Back to Plugins

AI Security Crew

License

Jump to installation:

MCP Server — full feature set with Jira, Confluence, CVE scanning (with reachability), and threat modeling
Claude Code Plugin — install 3 security skills globally in Claude Code (no Jira/MCP needed)
Claude Code Skills only — manually add slash commands to a specific project

Claude Code Plugin

Install all three security skills directly into Claude Code — no MCP server, no Jira, no configuration required.

/plugin install Srajangpt1/ai_security_crew

This gives you three commands available in any project:

Command	When to use
`/sec-review`	Before coding — get risk level, OWASP guidelines, and a security prompt for AI code generation
`/verify-code`	After coding — review code for vulnerabilities with a checklist and prioritized fixes
`/threat-model`	For new features — identify threats with evidence links, mitigations, and optional `threat-model.md`

Claude Code Skills

Tools

Pre-coding

Tool	When to Use
`lightweight_security_review`	Before any coding task — get security requirements and guidelines for your tech stack
`assess_ticket_security`	Before coding from a Jira ticket — pull security requirements directly from the ticket
`perform_threat_model`	For significant new features — generate a structured threat model (STRIDE, attack surfaces)

Dependency security

Tool	When to Use
`verify_packages`	When adding packages — confirm they exist with valid versions (catches hallucinated package names)
`scan_dependencies`	When adding packages — scan for CVEs and check reachability in your code

Post-coding

Tool	When to Use
`verify_code_security`	After generating code — AI-powered security review against OWASP guidelines

Threat model persistence

Tool	When to Use
`search_previous_threat_models`	Before creating a new threat model — check if one already exists in Confluence
`update_threat_model_file`	After `perform_threat_model` — write the threat model to `threat-model.md` in the repo

Agent Workflow

Before coding — call lightweight_security_review (or assess_ticket_security for Jira tickets)
When adding packages — call verify_packages, then scan_dependencies with the code that uses them
After generating code — call verify_code_security and follow the review_prompt to report findings
For significant features — call perform_threat_model and persist with update_threat_model_file

Dependency Scanning

scan_dependencies uses OSV.dev to find CVEs and performs reachability analysis to determine if vulnerable code paths are actually called:

Status	Meaning
`reachable`	Vulnerable function is called in your code — action required
`not_reachable`	Vulnerable function is not called
`not_imported`	Package is not imported at all
`uncertain`	AI analyzed the code but could not determine reachability
`no_code_provided`	No code snippets were passed to the tool

Reachability is determined by (in order): OSV function-level symbols → keyword matching against the vuln summary → AI analysis via ctx.sample().

Quick Start

1. Build the image

docker build -t mcp-security-review:latest .

2. Configure your IDE

Add to your MCP config (Claude Desktop, Cursor, etc.):

mcp-security-review

Component Overview

Component Details

Commands (3)

Skills (3)

README

AI Security Crew

Claude Code Plugin

Claude Code Skills

Tools

Pre-coding

Dependency security

Post-coding

Threat model persistence

Agent Workflow

Dependency Scanning

Quick Start

1. Build the image

2. Configure your IDE

Similar Plugins

sentinel

Help us improve

Help us improve

mcp-security-review

Component Overview

Component Details

Commands (3)

Skills (3)

README

AI Security Crew

Claude Code Plugin

Claude Code Skills

Tools

Pre-coding

Dependency security

Post-coding

Threat model persistence

Agent Workflow

Dependency Scanning

Quick Start

1. Build the image

2. Configure your IDE

Similar Plugins

sentinel

Help us improve

openai-security-threat-model

cyber-neo

security-test-scanner

security-guidance

cybersecurity