Skill

reviewing-security

From pda

Analyzes code for security vulnerabilities including OWASP Top 10, injection, auth flaws, secrets exposure, and crypto misuse. Use when performing a security review, security audit, or as part of code-review.

Install

npx claudepluginhub spaghetti-lover/pda-plugins --plugin pda

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze code changes for security vulnerabilities.

SKILL.md

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

139.1k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

claude-code-plugin-release

1 file

Automates semantic versioning and release workflow for Claude Code plugins: bumps versions in package.json, marketplace.json, plugin.json; verifies builds; creates git tags, GitHub releases, changelogs.

claude-mem

64.7k

Stats

Stars0

Forks0

Last CommitApr 13, 2026

Actions

View Source View Plugin View on GitHub View README

Security Review

Analyze code changes for security vulnerabilities.

Scope

Specific files/paths if given

git diff for PR/branch

Staged/unstaged changes if no scope specified

Checklist

Injection — SQL, command, XSS, NoSQL, LDAP/XML (unsanitized input in queries or shell calls)

Auth & access control — hardcoded credentials, missing auth checks, broken access control, weak sessions, missing CSRF

Data exposure — secrets in code/logs, missing encryption, permissive CORS, verbose errors leaking internals

Crypto misuse — weak algorithms (MD5/SHA1/DES for security), hardcoded keys/IVs, Math.random() for security

Dependencies — known CVEs, permissive version ranges, typosquatted packages

Insecure design — TOCTOU, mass assignment, missing rate limiting, path traversal, SSRF, insecure deserialization, unsafe file uploads

Classification

Per finding: Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO), Confidence (HIGH/MEDIUM/LOW), CWE if applicable.

Output format

### [SEVERITY] Title - **File**: `path:line` - **CWE**: CWE-XXX - **Confidence**: HIGH/MEDIUM/LOW - **Description**: issue and impact - **Vulnerable code**: snippet - **Recommendation**: fix approach - **Fixed code**: corrected snippet (if straightforward)

Summary

End with severity counts table and overall assessment: PASS (no HIGH/CRITICAL), WARN (has MEDIUM), FAIL (has HIGH/CRITICAL).

Security Review

Analyze code changes for security vulnerabilities.

Scope

Specific files/paths if given
git diff for PR/branch
Staged/unstaged changes if no scope specified

Checklist

Injection — SQL, command, XSS, NoSQL, LDAP/XML (unsanitized input in queries or shell calls)
Auth & access control — hardcoded credentials, missing auth checks, broken access control, weak sessions, missing CSRF
Data exposure — secrets in code/logs, missing encryption, permissive CORS, verbose errors leaking internals
Crypto misuse — weak algorithms (MD5/SHA1/DES for security), hardcoded keys/IVs, Math.random() for security
Dependencies — known CVEs, permissive version ranges, typosquatted packages
Insecure design — TOCTOU, mass assignment, missing rate limiting, path traversal, SSRF, insecure deserialization, unsafe file uploads

Classification

Per finding: Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO), Confidence (HIGH/MEDIUM/LOW), CWE if applicable.

Output format

### [SEVERITY] Title
- **File**: `path:line`
- **CWE**: CWE-XXX
- **Confidence**: HIGH/MEDIUM/LOW
- **Description**: issue and impact
- **Vulnerable code**: snippet
- **Recommendation**: fix approach
- **Fixed code**: corrected snippet (if straightforward)

Summary

End with severity counts table and overall assessment: PASS (no HIGH/CRITICAL), WARN (has MEDIUM), FAIL (has HIGH/CRITICAL).