Skill

secure-code-review

Systematic security code review methodology. Use this skill when reviewing pull requests for security issues, auditing critical code paths, or performing security assessments. Activate when: security review, code audit, secure code, review PR for security, find vulnerabilities, security assessment.

npx claudepluginhub latestaiagents/agent-skills --plugin security-guardian

Tool Access

This skill uses the workspace's default tool permissions.

Preview

**A systematic approach to finding security vulnerabilities in code.**

SKILL.md

Similar Skills

security-review

Performs exploitability review of targeted code, tracing untrusted inputs through validation/processing/output, checking authorization completeness like IDOR, using shieldkit_scan baseline.

1 file5 tools

universe

verify-code

Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.

mcp-security-review

evm-token-decimals

175.2k

Prevents silent decimal mismatch bugs in EVM ERC-20 tokens via runtime decimals lookup, chain-aware caching, bridged-token handling, and normalization. For DeFi bots, dashboards using Python/Web3, TypeScript/ethers, Solidity.

everything-claude-code

Stats

Parent Repo Stars2

Parent Repo Forks0

Last CommitFeb 5, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Secure Code Review

A systematic approach to finding security vulnerabilities in code.

When to Use

Reviewing pull requests
Auditing security-critical code
Before production deployments
Compliance requirements
After security incidents

Review Methodology

1. Understand Context

## Pre-Review Questions

- [ ] What does this code do?
- [ ] What data does it handle? (PII, financial, auth)
- [ ] Who can access this functionality?
- [ ] What are the trust boundaries?
- [ ] What could go wrong?

2. Security Review Checklist

## Input Handling
- [ ] All user input validated
- [ ] Input length limits enforced
- [ ] Type checking performed
- [ ] Whitelisting over blacklisting

## Authentication
- [ ] Authentication required where needed
- [ ] Passwords hashed properly (bcrypt/argon2)
- [ ] Session management secure
- [ ] MFA considered for sensitive actions

## Authorization
- [ ] Authorization checks on all endpoints
- [ ] Resource ownership verified
- [ ] No privilege escalation paths
- [ ] Default deny policy

## Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] TLS for data in transit
- [ ] No sensitive data in logs
- [ ] Proper data masking

## Injection Prevention
- [ ] Parameterized queries used
- [ ] No eval() with user data
- [ ] Command injection prevented
- [ ] XSS prevention (encoding/CSP)

## Error Handling
- [ ] No stack traces to users
- [ ] No sensitive data in errors
- [ ] Proper logging of security events

## Dependencies
- [ ] No known vulnerabilities
- [ ] Packages from trusted sources
- [ ] Lock files up to date

3. High-Risk Areas

Focus extra attention on:

// File uploads
app.post('/upload', (req, res) => {
  // Check: file type validation, size limits, storage location
});

// Authentication
app.post('/login', (req, res) => {
  // Check: rate limiting, timing attacks, error messages
});

// Authorization
app.get('/admin/*', (req, res) => {
  // Check: role verification, access control
});

// Data queries
db.query(sql, params);
// Check: parameterized queries, access control

// External API calls
fetch(url);
// Check: SSRF prevention, URL validation

// Serialization
JSON.parse(input);
pickle.loads(input);
// Check: deserialization safety

// Crypto operations
crypto.createCipher();
// Check: algorithm strength, key management

Vulnerability Patterns by Language

JavaScript/TypeScript

// VULNERABLE: Prototype pollution
Object.assign(target, userInput);
target[userKey] = userValue;

// SAFE: Use Map or validate keys
const safeObj = Object.create(null);
if (!['__proto__', 'constructor'].includes(key)) {
  safeObj[key] = value;
}

// VULNERABLE: ReDoS
const regex = /^(a+)+$/;  // Catastrophic backtracking

// SAFE: Use bounded quantifiers
const regex = /^a{1,100}$/;

// VULNERABLE: Path traversal
const file = path.join(uploadDir, userFilename);

// SAFE: Validate and normalize
const safeName = path.basename(userFilename);
const file = path.join(uploadDir, safeName);

Python

# VULNERABLE: Format string injection
query = "SELECT * FROM users WHERE id = %s" % user_id
eval(f"config['{user_input}']")

# SAFE: Parameterized queries
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

# VULNERABLE: Arbitrary file read
with open(user_path) as f:
    return f.read()

# SAFE: Validate path
if not user_path.startswith(ALLOWED_DIR):
    raise ValueError("Invalid path")

Java

// VULNERABLE: XML External Entities
DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = db.parse(userInput);

// SAFE: Disable XXE
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

// VULNERABLE: Unsafe reflection
Class.forName(userInput).newInstance();

// SAFE: Whitelist allowed classes
if (ALLOWED_CLASSES.contains(className)) {
    Class.forName(className).newInstance();
}

Review Comments Template

### 🔴 Critical Security Issue

**Location:** `src/auth/login.js:45`
**Issue:** SQL injection vulnerability
**Impact:** Database compromise, data exfiltration
**Fix:**
```javascript
// Before (vulnerable)
const query = `SELECT * FROM users WHERE email = '${email}'`;

// After (safe)
const query = 'SELECT * FROM users WHERE email = $1';
const result = await db.query(query, [email]);

🟡 Security Concern

Location: src/api/users.js:23 Issue: Missing rate limiting on authentication endpoint Risk: Brute force attacks Recommendation: Add rate limiting (see example in /middleware/rateLimit.js)

🟢 Security Suggestion

Location: src/utils/crypto.js:12 Suggestion: Consider using Argon2 instead of bcrypt for password hashing Reason: Better resistance to GPU attacks


## Automated Security Scanning

```bash
# Static Analysis (SAST)
# JavaScript
npx eslint --plugin security .
npx njsscan .

# Python
pip install bandit
bandit -r .

# Java
# Use SpotBugs with FindSecBugs plugin

# Multi-language
# Semgrep
semgrep --config auto .

# CodeQL (GitHub)
# Configure in .github/workflows/codeql.yml

Security Review Report Template

# Security Review Report

**Project:** [Name]
**Reviewer:** [Name]
**Date:** [Date]
**Scope:** [Files/Features reviewed]

## Executive Summary
[1-2 paragraph summary of findings]

## Risk Rating
- Critical: X
- High: X
- Medium: X
- Low: X

## Findings

### Critical Findings
1. [Finding title]
   - Location: [file:line]
   - Description: [Details]
   - Impact: [What could happen]
   - Remediation: [How to fix]

### High Findings
[...]

## Recommendations
1. [Priority recommendation]
2. [...]

## Appendix
- Tools used
- Time spent
- Out of scope items

Best Practices

Review in Layers: Input → Processing → Output
Think Like an Attacker: How would you exploit this?
Follow Data Flow: Track untrusted data through the code
Check Trust Boundaries: Where does trust change?
Use Checklists: Don't rely on memory
Automate What You Can: SAST tools catch low-hanging fruit
Document Findings: Clear, actionable reports
Verify Fixes: Re-review remediated issues