From security-guidance
Security review for generated code. Provides pattern warnings for known-dangerous patterns, LLM diff review for vulnerabilities, and agentic commit review.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-guidance:security-guidanceThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security review for generated code. Three layers:
Security review for generated code. Three layers:
Edit/Write for ~25 known-dangerous patterns (yaml.load, torch.load(weights_only=False), pickle.load on untrusted data, raw innerHTML, hardcoded secrets, etc.).git commit, an SDK-driven reviewer reads related files (Read/Grep/Glob) to trace data flow across the codebase, catching multi-file vulnerabilities.Findings cover common web-vulnerability classes — injection, XSS, SSRF, hardcoded secrets, IDOR, auth bypass, unsafe deserialization, and path traversal among others.
All configuration is via environment variables. None are required for default behavior.
SECURITY_REVIEW_MODEL controls the LLM diff review. SG_AGENTIC_MODEL controls the agentic commit reviewer.
Kill switches:
SECURITY_GUIDANCE_DISABLE=1ENABLE_PATTERN_RULES=0ENABLE_CODE_SECURITY_REVIEW=0ENABLE_STOP_REVIEW=0ENABLE_COMMIT_REVIEW=0Higher-recall mode:
SG_DUAL_OR=on
Drop a claude-security-guidance.md in ~/.claude/ or <project>/.claude/ to apply organization rules to the security review.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Provides protocol-based dependency injection patterns for testable Swift code, enabling mocking of file system, network, and external APIs with Swift Testing.
npx claudepluginhub andersonlimahw/lemon-ai-hub --plugin security-guidance