Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From dev-kit
Use when the user asks for a security review, security check, or wants to audit changes before merging — especially changes that touch auth, input handling, external API calls, file I/O, shell commands, or infrastructure configuration.
npx claudepluginhub atalias-mkyle/claude-dev-kit --plugin dev-kitHow this skill is triggered — by the user, by Claude, or both
Slash command
/dev-kit:security-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
If a `security-reviewer` subagent is available in the current context, invoke it and pass the diff. Otherwise, proceed inline with the steps below.
Guides technical evaluation of code review feedback: read fully, restate for understanding, verify against codebase, respond with reasoning or pushback before implementing.
Share bugs, ideas, or general feedback.
If a security-reviewer subagent is available in the current context, invoke it and pass the diff. Otherwise, proceed inline with the steps below.
Run git diff <base>...HEAD (or git diff for uncommitted changes). Read every hunk before forming opinions. Know what the change is trying to do before deciding whether it does it safely.
Grep the diff for patterns that indicate hardcoded credentials. Flag any match:
AKIA[0-9A-Z]{16}sk- keys: sk-[a-zA-Z0-9]{20,}ghp_[a-zA-Z0-9]{36} or github_pat_xox[bpoas]-Bearer [a-zA-Z0-9\-._~+/]{20,}password\s*=\s*["'][^"']{4,}["'] (case-insensitive)://[^:]+:[^@]+@Any match is an automatic BLOCK regardless of what the other steps find.
Detect the stack from lockfiles or manifests, then run the appropriate audit command:
| Stack | Command |
|---|---|
| Node / npm | npm audit --audit-level=high |
| Node / yarn | yarn audit --level high |
| Python | pip-audit --desc --fix-dry-run |
| Rust | cargo audit |
| Go | govulncheck ./... |
Parse output for HIGH and CRITICAL severity only. Ignore LOW and MEDIUM in the verdict unless they are in the specific code path being changed. If the audit tool is not installed, note it and skip — do not block on a missing tool.
For each new or modified function that accepts data from an external source (HTTP body, query param, form field, file upload, environment variable read at runtime, message queue payload):
?, %s, or named bind parameters — not f-strings or concatenationhtml.escape, encodeURIComponent, template auto-escaping) before renderingos.path.join / path.join anchored to a known root, and traversal sequences (../) are rejected before useFlag any location where user-controlled data reaches one of these sinks without going through the appropriate sanitizer.
Scan new HTTP route handlers, RPC handlers, and GraphQL resolvers for:
decode(token, options={verify: false}) or equivalent); algorithm is pinned, not accepted from the token headerCheck the diff for these specific patterns:
https://, not http://verify=False, InsecureSkipVerify: true, NODE_TLS_REJECT_UNAUTHORIZED=0)One of:
For each finding:
[SEVERITY] category: short description
File: path/to/file.ext:line
Recommendation: specific fix
Severity levels: CRITICAL / HIGH / MEDIUM / LOW / INFO
One of:
Issue an automatic BLOCK verdict if any of the following are true:
A BLOCK is not a judgment call. If the criterion is met, the verdict is BLOCK.