From mcp-security-review
Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.
How this skill is triggered — by the user, by Claude, or both
Slash command
/mcp-security-review:verify-code
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Perform a security review of the following code:
Perform a security review of the following code:
$ARGUMENTS
Review the code provided in the arguments above. If no code was provided, ask the user to paste the code or specify a file path to read. If a file path is mentioned, read the file first.
Identify language and frameworks from:
.py → Python, .ts/.tsx → TypeScript, .go → Go, .java → Java, .rb → Ruby, .php → PHP, .sql → SQL
import django, require('express'), import React, use actix_web
def/class → Python, func → Go, public class → Java, fn → Rust
@app.route → Flask, useState → React, @Controller → Spring
Python:
os.system(), subprocess with shell=True
pickle.loads() on untrusted data
eval() / exec() with user-controlled input
% formatting in queries
open() with user-supplied paths
JavaScript / TypeScript:
innerHTML, document.write(), dangerouslySetInnerHTML without sanitization
Object.assign / spread with user data
eval() or new Function() with dynamic content
postMessage handlers
localStorage or sessionStorage
React:
dangerouslySetInnerHTML without DOMPurify or equivalent
Java:
Statement instead of PreparedStatement for SQL
Runtime.exec() with user-controlled input
ObjectInputStream)
Go:
database/sql queries
exec.Command with user input
SQL:
UPDATE/DELETE without WHERE clause
SELECT * returning sensitive columns unnecessarily
Verify ALL of these, regardless of language:
Secrets & Credentials:
Injection:
eval, exec) with user data
Input Validation:
Authentication & Authorization:
Cryptography:
Error Handling & Logging:
Data Exposure:
Produce this exact structure:
File: [file path if known, or "provided code"]
Language/Frameworks: [detected list]
Risk Level: [LOW | MEDIUM | HIGH | CRITICAL]
[SECURE | NEEDS ATTENTION | INSECURE]
[1–2 sentences summarizing the security posture]
For each vulnerability found:
Location: [function name or line number if identifiable]
Description: [what the vulnerability is and why it matters]
Vulnerable code:
[the problematic snippet]
Secure fix:
[the corrected code]
npx claudepluginhub srajangpt1/ai-security-crew