Security-focused code review. Scans for OWASP Top 10, exposed secrets, injection vulnerabilities, auth issues. Use for security audits or thorough reviews.
Scans code for OWASP Top 10 vulnerabilities, exposed secrets, and injection flaws.
```
/plugin marketplace add GGPrompts/TabzBeads
/plugin install tools@tabz-beads
```
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Security-focused code review targeting OWASP Top 10 vulnerabilities and common security issues.
```
/code-review:security          # Security audit of uncommitted changes
/code-review:security src/     # Audit specific directory
/code-review:security --full   # Full codebase security audit
```
| Category | What to Find |
|---|---|
| Secrets | API keys, tokens, passwords in code or config |
| Injection | SQL injection, command injection, XSS |
| Auth Issues | Missing authentication, broken authorization |
| Data Exposure | Sensitive data in logs, error messages, responses |

| Category | What to Find |
|---|---|
| OWASP Top 10 | Complete vulnerability assessment |
| Cryptography | Weak algorithms, hardcoded keys, improper storage |
| Session Management | Insecure cookies, session fixation |
| Dependencies | Known vulnerable packages |
```bash
# Search for potential secrets
grep -rn "api.key\|apiKey\|api_key" --include="*.ts" --include="*.js"
grep -rn "secret\|token\|password\|credential" --include="*.ts" --include="*.js"
grep -rn "sk_live\|pk_live\|ghp_\|gho_" --include="*"
```
Red flags:
process.env.API_KEY || "default_key")

Confidence: 95-100 for confirmed secrets, BLOCKER status
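A minimal scanner that applies the grep patterns and the fallback-default red flag above line by line and emits findings in the shape of this skill's JSON output, with matched values masked so the report does not re-leak them. This is an added example, not part of the skill itself; the rule names, the 8-character length floor, and the constructed sample files are assumptions.

```javascript
// Rules mirror the page's grep patterns; rule names and the length floor are assumptions.
const RULES = [
  // Provider-style prefixes from the third grep.
  { type: 'provider-key', re: /\b(?:sk_live_|pk_live_|ghp_|gho_)[A-Za-z0-9_]{8,}/ },
  // Red flag: environment lookup that falls back to a literal default.
  { type: 'env-fallback-default',
    re: /process\.env\.\w+\s*(?:\|\||\?\?)\s*(["'`])[^"'`]+\1/ },
  // Secret-looking name (first two greps) assigned a string literal.
  { type: 'hardcoded-literal',
    re: /\b\w*(?:api[._]?key|secret|token|password|credential)\w*\s*[:=]\s*(["'`])[^"'`]{4,}\1/i },
];

// Mask key-shaped tokens and string literal contents before they reach the report.
function maskLine(line) {
  return line
    .replace(/\b(?:sk_live_|pk_live_|ghp_|gho_)[A-Za-z0-9_]+/g, '[REDACTED]')
    .replace(/(["'`])[^"'`]*\1/g, '$1[REDACTED]$1');
}

function scanSecrets(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      // Rules are ordered most specific first; report one finding per line.
      const rule = RULES.find((r) => r.re.test(line));
      if (!rule) return;
      findings.push({
        severity: 'critical', category: 'secrets', type: rule.type,
        file, line: i + 1, code: maskLine(line.trim()), cwe: 'CWE-798',
      });
    });
  }
  return findings;
}

// Constructed sample input; every value here is fake.
const SAMPLE_FILES = {
  'src/config.ts': [
    "const API_KEY = 'sk_live_EXAMPLE_NOT_A_REAL_KEY';",
    'const key = process.env.API_KEY || "default_key";',
    'const dbPassword = process.env.DB_PASSWORD;', // env read only: not flagged
    "logger.info('token refreshed');",             // mention only: not flagged
  ].join('\n'),
  'test/fixtures.js': 'const user = { email: "a@example.test", password: "hunter2-example" };',
};

console.log(JSON.stringify(scanSecrets(SAMPLE_FILES), null, 2));
```

Name-based rules only fire when a string literal is assigned, which is why the environment read and the log message in the sample are not reported.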
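```javascript
// BAD - direct string concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`;
// GOOD - parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
db.query(query, [userId]); // value is bound separately, never spliced into the SQL text
```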
```javascript
const { exec, execFile } = require('child_process');
// BAD - user input in shell command
exec(`ls ${userInput}`);
// GOOD - use array form with no shell
execFile('ls', [validatedPath]);
```
```javascript
// BAD - unescaped user content
element.innerHTML = userContent;
// GOOD - text content or sanitization
element.textContent = userContent;
```
Confidence: 90-100 for confirmed injection paths, BLOCKER status
Missing authentication:
Broken authorization:
```javascript
// BAD - no ownership check
app.delete('/api/posts/:id', async (req, res) => {
  await Post.delete(req.params.id); // Anyone can delete any post
});
// GOOD - verify ownership (req.user is set by the authentication middleware)
app.delete('/api/posts/:id', async (req, res) => {
  const post = await Post.findById(req.params.id);
  if (!post) return res.status(404).send('Not found'); // missing post would otherwise throw
  if (post.authorId !== req.user.id) return res.status(403).send('Forbidden');
  await post.delete();
  res.status(204).end();
});
```
Confidence: 85-95 depending on context
Sensitive data in logs:
```javascript
// BAD
console.log('Login attempt:', { email, password });
// GOOD
console.log('Login attempt:', { email, password: '[REDACTED]' });
```
Sensitive data in error messages:
```javascript
// BAD
throw new Error(`Invalid credentials for ${email}: ${password}`);
// GOOD
throw new Error('Invalid credentials');
```
Sensitive data in API responses:
```javascript
// BAD - returning full user object
return res.json(user); // Might include password hash, tokens, etc.
// GOOD - explicit field selection
return res.json({ id: user.id, name: user.name, email: user.email });
```
Confidence: 80-90 depending on data sensitivity
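The log and response patterns above generalize to a recursive log redactor and a response allowlist. This is an added example, not code from the skill; `redactForLog`, `toPublicUser`, the key pattern, and the sample objects are assumptions made for illustration.

```javascript
// Key pattern and helper names are assumptions; the '[REDACTED]' marker is the page's.
const SENSITIVE_KEY = /password|passwd|secret|token|credential|api[._-]?key|authorization/i;

// Return a deep copy that is safe to log; the input object is never mutated.
function redactForLog(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[ALREADY LOGGED]'; // repeated reference or cycle
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    // Decide by key name so nested secrets are masked whatever their value type.
    out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redactForLog(v, seen);
  }
  return out;
}

// Allowlist for API responses: a field added to the user record later stays private by default.
const PUBLIC_USER_FIELDS = ['id', 'name', 'email'];
function toPublicUser(user) {
  return Object.fromEntries(
    PUBLIC_USER_FIELDS.filter((k) => k in user).map((k) => [k, user[k]]),
  );
}

// Constructed sample data; all values are fake.
const loginEvent = {
  email: 'a@example.test',
  password: 'hunter2-example',
  headers: { Authorization: 'Bearer constructed-value', 'x-request-id': 'r-1' },
  attempts: [{ ip: '192.0.2.10', apiKey: 'constructed' }],
};
const dbUser = {
  id: 7, name: 'Ada', email: 'ada@example.test',
  passwordHash: '$constructed$', resetToken: 'constructed',
};

console.log('Login attempt:', JSON.stringify(redactForLog(loginEvent)));
console.log(JSON.stringify(toPublicUser(dbUser)));
```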
Weak algorithms:
Improper key storage:
Confidence: 85-95
```bash
# Check for known vulnerabilities
npm audit --json 2>/dev/null | jq '.vulnerabilities | length'
# Check for outdated security-critical packages
npm outdated | grep -E "express|helmet|jsonwebtoken|bcrypt"
```
Confidence: Based on CVE severity
```json
{
  "scope": "security",
  "files_checked": ["src/api/users.ts", "src/auth/login.ts"],
  "vulnerabilities": [
    {
      "severity": "critical",
      "category": "injection",
      "type": "sql-injection",
      "file": "src/api/users.ts",
      "line": 45,
      "code": "const query = `SELECT * FROM users WHERE id = ${id}`",
      "issue": "User input directly interpolated into SQL query",
      "attack_vector": "Attacker can inject SQL: id=1; DROP TABLE users;--",
      "confidence": 98,
      "fix": "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [id])",
      "cwe": "CWE-89",
      "owasp": "A03:2021 Injection"
    },
    {
      "severity": "critical",
      "category": "secrets",
      "type": "exposed-api-key",
      "file": "src/config.ts",
      "line": 12,
      "code": "const API_KEY = 'sk_live_abc123...'",
      "issue": "Production API key hardcoded in source code",
      "attack_vector": "Anyone with repo access can use this key",
      "confidence": 100,
      "fix": "Move to environment variable, rotate the exposed key immediately",
      "cwe": "CWE-798"
    }
  ],
  "blockers": [
    {
      "type": "security",
      "severity": "critical",
      "file": "src/api/users.ts",
      "issue": "SQL injection vulnerability must be fixed before merge"
    }
  ],
  "passed": false,
  "summary": "Found 2 critical security vulnerabilities. Must fix before merge."
}
```
| Severity | Criteria | Action |
|---|---|---|
| critical | Remote code execution, data breach, secret exposure | BLOCKER - fix immediately |
| high | Auth bypass, injection possible but limited | BLOCKER - fix before merge |
| medium | Information disclosure, session issues | Flag - fix soon |
| low | Minor information leakage, best practice violations | Note - fix when convenient |
Security review is part of thorough mode:
```
Task(
  subagent_type="code-review:reviewer",
  prompt="THOROUGH review - include security audit"
)
```
Run independently for dedicated security review:
```
/code-review:security --full   # Full codebase audit
```
ALWAYS BLOCK (confidence ≥90):
FLAG (confidence 80-89):
NOTE (confidence 70-79):