Skill

performing-security-code-review

Scans codebases for vulnerabilities like SQL injection, XSS, auth flaws, insecure deps, and secrets using grep and bash. Generates severity-rated reports with file locations, explanations, and fixes.

Bash

Javascript

Node

security

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin security-agent

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGrepGlobBash(cmd:*)

Preview

Conducts security-focused code reviews by scanning source files for common vulnerability patterns including SQL injection, XSS, authentication flaws, insecure dependencies, and secret exposure. Produces structured severity-rated reports with specific remediation guidance.

Supporting Assets

assets/README.mdassets/example_code_secure.pyassets/example_code_vulnerable.pyassets/report_template.mdreferences/README.mdscripts/README.mdscripts/code_analyzer.py

SKILL.md

Similar Skills

security-review

29.8k

Scans codebases for vulnerabilities like injections, XSS, secrets exposure, insecure deps, and access control flaws across JavaScript, TypeScript, Python, Java, PHP, Go, Ruby, Rust.

5 files

awesome-copilot-refactor

security-scanner

Scans code for hardcoded secrets like API keys, SQL injection, XSS, insecure dependencies via npm/pip/cargo audits, and OWASP Top 10 issues using grep and bash.

1 file4 tools

glincker-claude-code-marketplace

scan

Scans code for security vulnerabilities like auth bypass, injection, IDOR, mass assignment, race conditions, secrets, and insecure defaults. Audits Node.js/Python dependencies.

1 file5 tools

universe

Stats

Parent Repo Stars1853

Parent Repo Forks248

Last CommitApr 3, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Performing Security Code Review

Overview

Prerequisites

Read access to all source files in the target project
grep available on PATH for pattern matching
Access to package.json or equivalent dependency manifest for dependency auditing
Familiarity with OWASP Top 10 vulnerability categories

Instructions

Identify the scope of the review: specific files, directories, or the entire codebase. Confirm the primary language(s) and framework(s) in use.
Scan for hardcoded secrets and credentials:
- Search for patterns matching API keys, tokens, passwords, AWS access keys (AKIA...), and private key headers (BEGIN PRIVATE KEY).
- Flag any .env files or configuration files containing plaintext secrets.
Analyze code for injection vulnerabilities:
- Identify raw SQL string concatenation (SQL injection risk).
- Locate unsanitized user input rendered in HTML (XSS risk).
- Check for eval(), exec(), or Function() calls with dynamic input (code injection risk).
Review authentication and authorization logic:
- Verify password hashing uses strong algorithms (bcrypt, argon2) rather than MD5/SHA1.
- Check for missing authentication on sensitive endpoints.
- Identify overly permissive CORS configurations.
Audit dependencies for known vulnerabilities:
- Run npm audit or equivalent package manager audit command.
- Cross-reference dependency versions against known CVE databases.
Check for insecure communication patterns:
- Flag HTTP URLs where HTTPS is expected.
- Identify disabled TLS certificate verification.
Compile findings into a structured report sorted by severity (Critical, High, Medium, Low), including the vulnerable code location, explanation, and remediation steps.

Output

A structured security review report containing:

Summary with total findings count by severity level
Per-finding entries with: file path, line number, vulnerability type, severity, code snippet, explanation, and recommended fix
Dependency audit results with CVE identifiers where applicable
Overall risk assessment (Critical / High / Medium / Low / Clean)

Error Handling

Error	Cause	Solution
No source files found	Incorrect scope path or empty directory	Verify the target directory path and confirm it contains source files
Binary files in scan	Non-text files matched by search patterns	Exclude binary extensions and `node_modules/` from scans
Dependency manifest missing	No `package.json`, `requirements.txt`, or equivalent	Skip dependency audit; note in report that dependency analysis was not possible
Permission denied on files	Restricted file access	Request read permissions or narrow the review scope to accessible files
False positive on secret pattern	Benign string matching secret regex	Verify context before reporting; mark as potential false positive if the match appears in test fixtures or documentation

Examples

SQL injection review: Trigger: "Review this database query code for SQL injection vulnerabilities." Process: Scan all files containing SQL query construction. Identify string concatenation with user input ("SELECT * FROM users WHERE id = " + userId). Report as High severity with remediation: use parameterized queries or prepared statements.

Dependency vulnerability scan: Trigger: "Check this project's dependencies for known security vulnerabilities." Process: Run npm audit on the project. Parse output for vulnerabilities. Report each finding with CVE identifier, affected package, installed version, and patched version. Recommend npm audit fix or manual version pinning.

Full codebase security audit: Trigger: "Run a security scan on this codebase." Process: Execute all seven scan categories (secrets, injection, auth, dependencies, communication, dangerous commands, obfuscation). Produce a comprehensive report with findings grouped by category and sorted by severity.

Resources

OWASP Top 10 -- industry-standard vulnerability classification
Node.js Security Checklist -- Node-specific security guidance
CWE/SANS Top 25 -- most dangerous software weaknesses
${CLAUDE_SKILL_DIR}/references/README.md -- bundled reference materials