Skill

security-review

Install

Install the plugin

npx claudepluginhub sd0xdev/sd0x-dev-flow --plugin sd0x-dev-flow

Want just this skill?

Add to a custom plugin, then install with one command.

Description

Security review via Codex MCP. Use when: OWASP Top 10 audit, dependency vulnerability check, security-sensitive changes. Not for: code review (use codex-code-review), test review (use test-review). Output: security findings + audit report.

Tool Access

This skill is limited to using the following tools:

mcp__codex__codexmcp__codex__codex-replyBash(git:*)ReadGrepGlob

Supporting Assets

View in Repository

references/codex-prompt-security.md

references/examples.md

Skill Content

Security Review Skill

Trigger

Keywords: security review, OWASP, vulnerability, dep-audit, npm audit, dependency security

When NOT to Use

General code review (use codex-code-review)
Functional testing (use test-review)
Performance issues (not security-related)

Commands

Command	Purpose	When
`/codex-security`	OWASP Top 10 audit	Security-sensitive code
`/dep-audit`	Dependency security audit	Periodic / PR

Workflow: `/codex-security`

Determine scope → Collect changes → Codex OWASP review → Findings + Gate → Loop if Must fix

Step 1: Determine Scope

Parse --scope from arguments, default to src/.

Step 2: Collect Code Changes

Priority order:

Uncommitted changes: git diff HEAD -- <scope> | head -1500
Recent commits: git diff HEAD~5..HEAD -- <scope> | head -1500
Key security files: Glob("**/*{auth,login,password,token,secret,key,credential}*")

Step 3: Codex Security Review

First review: mcp__codex__codex with OWASP prompt. See references/codex-prompt-security.md.

Config: sandbox: 'read-only', approval-policy: 'never'

Save the returned threadId.

Loop review: mcp__codex__codex-reply with re-review template. See references/codex-prompt-security.md.

Step 4: Consolidate Output

Organize results into findings summary table + detailed findings + gate.

OWASP Top 10

Code	Category	Check Focus
A01	Broken Access Ctrl	IDOR, permission bypass, CORS
A02	Crypto Failures	Sensitive data encryption, weak crypto
A03	Injection	SQL/NoSQL/Cmd Injection
A04	Insecure Design	Rate Limiting, business logic
A05	Misconfiguration	Debug mode, default passwords
A06	Vulnerable Comp	Known vulnerable dependencies
A07	Auth Failures	Brute force, session, weak passwords
A08	Integrity Failures	Deserialization, CI/CD
A09	Logging Failures	Sensitive data in logs, auditing
A10	SSRF	URL validation, internal network access

Review Loop

⚠️ @CLAUDE.md auto-loop: fix → re-review → ... → ✅ PASS ⚠️

⛔ Must fix → fix P0 issues → /codex-security --continue <threadId> → repeat until ✅ Mergeable.

Max 3 rounds. Still failing → report blocker.

Verification

Each issue tagged with severity (P0/P1/P2)
Gate is explicit (✅ Mergeable / ⛔ Must fix)
Fix recommendations are specific and actionable
Includes verification test method
Codex independently researched auth/input/sensitive code

References

OWASP prompt: references/codex-prompt-security.md
Examples: references/examples.md
Standards: @rules/security.md

Examples

Input: /codex-security --scope src/controller/
Action: OWASP Top 10 check → output issues + Gate

Input: /dep-audit --level high
Action: npm audit → filter high/critical → output report

Links

Stats

Stars90

Forks12

Last CommitMar 9, 2026

Actions

Similar Skills

skill-lookup

Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.

153.8k

prompt-lookup

Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.