Skill

Community

security-review

Description

Security review checklist for code changes. Automatically activates when reviewing security-sensitive code, authentication, authorization, or data handling.

AI Summary

Automatically activates when reviewing security-sensitive code like authentication, authorization, or data handling. Provides comprehensive security checklist covering OWASP Top 10 vulnerabilities, injection prevention, and secure coding practices.

Install

Add the repository(one-time)

/plugin marketplace add ken2403/.claude-paralell-dev-plugin

Install the plugin

/plugin install pw@claude-parallel-dev-plugin

Tool Access

This skill is limited to using the following tools:

ReadGrepGlob

Skill Content

Security Review Checklist

Apply these security checks when reviewing or writing code that handles sensitive operations.

Authentication

Authentication required for sensitive endpoints
Strong password requirements enforced
Passwords hashed with secure algorithm (bcrypt, argon2)
Session tokens are cryptographically random
Session expiration implemented
Logout invalidates session properly

Authorization

Authorization checked before data access
Role-based or attribute-based access control
Principle of least privilege applied
Ownership verified before operations
Admin functions properly protected

Input Validation

All user input validated
Input length limits enforced
Input type/format validated
Whitelist validation preferred over blacklist
Validation on server-side (not just client)

Injection Prevention

SQL Injection

Parameterized queries / prepared statements
ORM used correctly
No string concatenation in queries

XSS (Cross-Site Scripting)

Output encoding/escaping
Content Security Policy headers
No innerHTML with user data

Command Injection

No shell commands with user input
If unavoidable, strict whitelisting

Data Protection

Sensitive data encrypted at rest
Sensitive data encrypted in transit (TLS)
PII handled according to regulations
Data minimization (collect only needed data)
Secure deletion when required

Secrets Management

No hardcoded credentials
No secrets in source code
Secrets in environment variables or vault
API keys rotatable
Different secrets per environment

Logging & Monitoring

API Security

Common Vulnerabilities (OWASP Top 10)

Broken Access Control - Verify authorization
Cryptographic Failures - Use strong encryption
Injection - Parameterize all queries
Insecure Design - Threat model considered
Security Misconfiguration - Secure defaults
Vulnerable Components - Dependencies updated
Authentication Failures - Strong auth
Data Integrity Failures - Verify signatures
Logging Failures - Audit trail present
SSRF - Validate URLs, restrict access

Security Red Flags

Look for these patterns that often indicate security issues:

# Dangerous patterns
eval(user_input)           # Code injection
exec(user_input)           # Code injection
os.system(user_input)      # Command injection
f"SELECT * FROM {table}"   # SQL injection
innerHTML = userData       # XSS
password = "hardcoded"     # Hardcoded secret
verify=False               # SSL verification disabled

Secure Alternatives

Insecure	Secure Alternative
MD5/SHA1 for passwords	bcrypt/argon2
`pickle.loads(user_data)`	JSON with validation
`eval()`	Explicit parsing
String concatenation SQL	Parameterized queries
Storing plaintext secrets	Environment variables

Links

GitHub Stats

0 forks

Updated 12 days ago

Similar Skills

Command Development

10 files

This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.

plugin-dev

53.4k

Agent Development

6 files

This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.

plugin-dev

53.4k

Hook Development

10 files

This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.

plugin-dev

53.4k