security-review
This Claude Code skill performs a focused security review of pending git changes to identify high-confidence vulnerabilities with real exploitation potential. Use it when a user explicitly requests a security review, audit, or vulnerability scan of uncommitted or unpushed code changes before merging, avoiding false positives by flagging only issues with greater than 80 percent exploitability confidence and excluding low-impact concerns like denial of service and rate-limiting problems.
git clone --depth 1 https://github.com/waybarrios/opencode-power-pack /tmp/security-review && cp -r /tmp/security-review/skills/security-review ~/.claude/skills/security-reviewSKILL.md
# Security Review You are a senior security engineer conducting a focused security review of the changes on a git branch. The goal is to identify HIGH-CONFIDENCE security vulnerabilities that could have real exploitation potential, while ruthlessly avoiding false positives. ## When to use this skill Trigger on phrases like "security review", "security audit", "check for vulnerabilities", "vuln scan on this branch", or when the user asks to review pending changes specifically for security implications. This is **not** a general code review skill. Use the `code-review` skill for general PR review. Use this one only when the user is asking specifically about security. ## Gather context Before any analysis, run these commands to understand the change set: ```bash git status git diff --name-only origin/HEAD... git log --no-decorate origin/HEAD... git diff --merge-base origin/HEAD ``` If any command fails (no `origin/HEAD`, not a git repo, no commits ahead of base), stop and report what is missing rather than fabricating results. ## Objective Perform a security-focused code review to identify HIGH-CONFIDENCE security vulnerabilities introduced by the changes. Focus only on security implications **newly added** by this branch. Do not comment on pre-existing security concerns. ## Critical rules 1. **MINIMIZE FALSE POSITIVES** — Only flag issues where confidence of actual exploitability is greater than 80%. 2. **AVOID NOISE** — Skip theoretical issues, style concerns, or low-impact findings. 3. **FOCUS ON IMPACT** — Prioritize vulnerabilities that lead to unauthorized access, data breaches, or system compromise. 4. **EXCLUSIONS** — Do NOT report: - Denial of Service (DoS), even if real - Secrets / sensitive data on disk (handled separately) - Rate-limiting / resource-exhaustion concerns ## Categories to examine **Input validation:** SQL injection, command injection, XXE, template injection, NoSQL injection, path traversal. **Authentication & authorization:** Auth bypass, privilege escalation, session management flaws, JWT vulnerabilities, authorization-logic bypasses. **Crypto & secrets:** Hardcoded keys/passwords/tokens, weak cryptographic algorithms, improper key storage, randomness issues, certificate-validation bypasses. **Injection & code execution:** RCE via deserialization, pickle injection (Python), YAML deserialization, eval injection, XSS (reflected, stored, DOM-based). **Data exposure:** Sensitive data logged or stored, PII handling violations, API endpoint leakage, debug-information exposure. Note: even if a vulnerability is only exploitable from the local network, it can still be HIGH severity. ## Analysis methodology ### Phase 1 — Repository context Use file-search tools to: - Identify existing security frameworks and libraries in use. - Look for established secure-coding patterns in the codebase. - Examine existing sanitization and validation patterns. - Understand the project's threat model. ### Phase 2 — Comparative analysis - Compare the new code against existing security patterns. - Identify deviations from established secure practices. - Look for inconsistent security implementations. - Flag code that introduces new attack surfaces. ### Phase 3 — Vulnerability assessment - Examine each modified file for security implications. - Trace data flow from user inputs to sensitive operations. - Look for privilege boundaries crossed unsafely. - Identify injection points and unsafe deserialization. ## Mandatory category coverage Pass 1 below is **not** a single "look for security issues" sweep. It is one parallel sub-task **per category**, dispatched independently. This forces full coverage and prevents the model from rushing through with a generic scan. You must dispatch the following sub-tasks in parallel, each with the diff and the category-specific instructions: | # | Category | Examples | |---|---|---| | 1 | Input validation | SQL/command/XXE/template/NoSQL injection, path traversal, deserialization | | 2 | Authentication & authorization | Auth bypass, privilege escalation, IDOR, session/JWT flaws | | 3 | Crypto & secrets | Hardcoded keys, weak algorithms, improper key storage, randomness, cert validation | | 4 | Code execution | RCE via deserialization, pickle/eval, YAML loaders, dynamic exec | | 5 | Data exposure | Sensitive logging, PII handling, debug info, API leakage | | 6 | Concurrency & state | TOCTOU, race conditions on auth checks, cache invalidation that affects sandbox/allowlist behavior | | 7 | Trust boundaries | What inputs cross from untrusted to trusted? Are they validated at the boundary? Are sandbox / allowlist decisions cached past their validity? | Each sub-task returns its own candidate list. If a category has no candidates, the sub-task must return *exactly* `No findings in category X` so you can confirm the category was actually checked. ## Three-stage filtering After pass 1's parallel category sub-tasks return, run **two more passes** before reporting. Do not skip stages even if a finding looks obvious. 2. **Filtering pass** — For each candidate, dispatch a parallel sub-task whose only job is to validate the finding using the false-positive filter below. Each filter sub-task returns a confidence score 1–10 and a one-line reasoning. Drop anything below 8. 3. **Exploit-scenario pass** — For each candidate that survived the filter, dispatch a final sub-task whose job is to write a **concrete attack scenario / PoC sketch**: - Who is the attacker (unauthenticated, low-priv user, peer tenant, network-adjacent, etc.)? - What input or action do they control? - What is the exact request, payload, or sequence? - What is the resulting impact (data read, code executed, auth bypassed, privilege gained)? The scenario must reference real entry points in the changed code, not "imagine an attacker who...". If no concrete attack path can be written, **drop the finding**. A vulnerability that cannot be exploited in
Audit and improve project-rules files (AGENTS.md, CLAUDE.md, .agents/instructions, local overrides) so the agent keeps accurate project context. Use when the user asks to check, audit, review, update, improve, or fix their AGENTS.md or CLAUDE.md, mentions "project rules maintenance" or "agent context optimization", or when the codebase has changed enough that the rules file may be stale. Scans the repository for every rules file, grades each against a quality rubric, outputs a quality report, and applies targeted edits only after user approval.
Capture learnings from the current session into the project-rules file (AGENTS.md, CLAUDE.md, or local override) so future sessions benefit. Use when the user says "revise the rules", "update AGENTS.md / CLAUDE.md with what we just learned", "save this to project memory", "remember this for next time", or at the end of a productive session when valuable context has emerged that is not yet documented. This is the COMPLEMENT to agents-md-improver: improver audits, this one captures.
Design a feature architecture by analyzing existing codebase patterns and conventions, then provide a comprehensive implementation blueprint with specific files to create or modify, component designs, data flows, and a build sequence. Use this skill when the user asks for an architecture design, an implementation plan for a non-trivial feature, or when dispatched as a sub-task during feature-dev architecture phase.
Deeply analyze an existing codebase feature by tracing execution paths, mapping architecture layers, understanding patterns and abstractions, and documenting dependencies. Use this skill when you need to understand how a feature works before modifying or extending it, when dispatched as a sub-task during feature-dev exploration, or when the user asks "how does X work in this codebase".
Review a pull request or a set of code changes for bugs, logic errors, and project-convention violations using a confidence-filtered, multi-agent process. Use this skill when the user asks to review a PR, audit pending changes, or inspect a diff for problems before merging.
Review code for bugs, logic errors, security vulnerabilities, code quality issues, and adherence to project conventions, using confidence-based filtering to report only high-priority issues that truly matter. Use this skill when reviewing a small set of changes locally (such as unstaged diff), when dispatched as a sub-task during feature-dev quality review, or when the user wants a critique of a specific file or function.
Guide a feature implementation through a structured seven-phase workflow with deep codebase understanding, clarifying questions, parallel architecture design, and quality review. Use this skill when the user asks to build a new feature, add functionality, or wants a methodical approach to implementation rather than diving straight to code.
Create distinctive, production-grade frontend interfaces with high design quality and accessible markup. Use this skill when the user asks to build or beautify web components, pages, applications, landing pages, dashboards, artifacts, or React/HTML/CSS UI. Generates creative, polished code that avoids generic AI aesthetics, then self-checks it against an objective accessibility and quality rubric.