Skill

reviewing-security

From pda

Analyzes code for security vulnerabilities including OWASP Top 10, injection, auth flaws, secrets exposure, and crypto misuse. Use when performing a security review, security audit, or as part of code-review.

npx claudepluginhub spaghetti-lover/pda-plugins

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/pda:reviewing-security

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Analyze code changes for security vulnerabilities.

SKILL.md

45 lines · ~428 tokens

Similar Skills

karpathy-guidelines

168.3k

Provides behavioral guidelines to reduce common LLM coding mistakes, focusing on simplicity, surgical changes, assumption surfacing, and verifiable success criteria.

andrej-karpathy-skills

skill-lookup

163.2k

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

git-workflow-and-versioning

48.5k

Structures git workflow practices for committing, branching, resolving conflicts, and organizing work across parallel streams. Use when making any code change.

agent-skills

Stats

LanguageJavaScript

Stars0

MaintenanceExcellent

Last CommitMay 8, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Security Review

Analyze code changes for security vulnerabilities.

Scope

Specific files/paths if given

git diff for PR/branch

Staged/unstaged changes if no scope specified

Checklist

Injection — SQL, command, XSS, NoSQL, LDAP/XML (unsanitized input in queries or shell calls)

Auth & access control — hardcoded credentials, missing auth checks, broken access control, weak sessions, missing CSRF

Data exposure — secrets in code/logs, missing encryption, permissive CORS, verbose errors leaking internals

Crypto misuse — weak algorithms (MD5/SHA1/DES for security), hardcoded keys/IVs, Math.random() for security

Dependencies — known CVEs, permissive version ranges, typosquatted packages

Insecure design — TOCTOU, mass assignment, missing rate limiting, path traversal, SSRF, insecure deserialization, unsafe file uploads

Classification

Per finding: Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO), Confidence (HIGH/MEDIUM/LOW), CWE if applicable.

Output format

### [SEVERITY] Title - **File**: `path:line` - **CWE**: CWE-XXX - **Confidence**: HIGH/MEDIUM/LOW - **Description**: issue and impact - **Vulnerable code**: snippet - **Recommendation**: fix approach - **Fixed code**: corrected snippet (if straightforward)

Summary

End with severity counts table and overall assessment: PASS (no HIGH/CRITICAL), WARN (has MEDIUM), FAIL (has HIGH/CRITICAL).

Security Review

Analyze code changes for security vulnerabilities.

Scope

Specific files/paths if given
git diff for PR/branch
Staged/unstaged changes if no scope specified

Checklist

Injection — SQL, command, XSS, NoSQL, LDAP/XML (unsanitized input in queries or shell calls)
Auth & access control — hardcoded credentials, missing auth checks, broken access control, weak sessions, missing CSRF
Data exposure — secrets in code/logs, missing encryption, permissive CORS, verbose errors leaking internals
Crypto misuse — weak algorithms (MD5/SHA1/DES for security), hardcoded keys/IVs, Math.random() for security
Dependencies — known CVEs, permissive version ranges, typosquatted packages
Insecure design — TOCTOU, mass assignment, missing rate limiting, path traversal, SSRF, insecure deserialization, unsafe file uploads

Classification

Per finding: Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO), Confidence (HIGH/MEDIUM/LOW), CWE if applicable.

Output format

### [SEVERITY] Title
- **File**: `path:line`
- **CWE**: CWE-XXX
- **Confidence**: HIGH/MEDIUM/LOW
- **Description**: issue and impact
- **Vulnerable code**: snippet
- **Recommendation**: fix approach
- **Fixed code**: corrected snippet (if straightforward)

Summary

End with severity counts table and overall assessment: PASS (no HIGH/CRITICAL), WARN (has MEDIUM), FAIL (has HIGH/CRITICAL).

reviewing-security

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

reviewing-security

Invocation

Context Preview

SKILL.md

Security Review

Scope

Checklist

Classification

Output format

Summary

Similar Skills

Help us improve

Security Review

Scope

Checklist

Classification

Output format

Summary