Security Review Skill
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
When to Use
This skill activates when:
- •User requests "security review", "security audit"
- •After writing code that handles user input
- •After adding new API endpoints
- •After modifying authentication/authorization logic
- •Before deploying to production
- •After adding external dependencies
What It Does
Delegates to the security-reviewer agent (Opus model) for deep security analysis:
- •
OWASP Top 10 Scan
- •A01: Broken Access Control
- •A02: Cryptographic Failures
- •A03: Injection (SQL, NoSQL, Command, XSS)
- •A04: Insecure Design
- •A05: Security Misconfiguration
- •A06: Vulnerable and Outdated Components
- •A07: Identification and Authentication Failures
- •A08: Software and Data Integrity Failures
- •A09: Security Logging and Monitoring Failures
- •A10: Server-Side Request Forgery (SSRF)
- •
Secrets Detection
- •Hardcoded API keys
- •Passwords in source code
- •Private keys in repo
- •Tokens and credentials
- •Connection strings with secrets
- •
Input Validation
- •All user inputs sanitized
- •SQL/NoSQL injection prevention
- •Command injection prevention
- •XSS prevention (output escaping)
- •Path traversal prevention
- •
Authentication/Authorization
- •Proper password hashing (bcrypt, argon2)
- •Session management security
- •Access control enforcement
- •JWT implementation security
- •
Dependency Security
- •Run
npm auditfor known vulnerabilities - •Check for outdated dependencies
- •Identify high-severity CVEs
- •Run
Agent Delegation
Task( subagent_type="oh-my-codex:security-reviewer", model="opus", prompt="SECURITY REVIEW TASK Conduct comprehensive security audit of codebase. Scope: [specific files or entire codebase] Security Checklist: 1. OWASP Top 10 scan 2. Hardcoded secrets detection 3. Input validation review 4. Authentication/authorization review 5. Dependency vulnerability scan (npm audit) Output: Security review report with: - Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW) - Specific file:line locations - CVE references where applicable - Remediation guidance for each issue - Overall security posture assessment" )
External Model Consultation (Preferred)
The security-reviewer agent SHOULD consult Codex for cross-validation.
Protocol
- •Form your OWN security analysis FIRST - Complete the review independently
- •Consult for validation - Cross-check findings with Codex
- •Critically evaluate - Never blindly adopt external findings
- •Graceful fallback - Never block if tools unavailable
When to Consult
- •Authentication/authorization code
- •Cryptographic implementations
- •Input validation for untrusted data
- •High-risk vulnerability patterns
- •Production deployment code
When to Skip
- •Low-risk utility code
- •Well-audited patterns
- •Time-critical security assessments
- •Code with existing security tests
Tool Usage
Before first MCP tool use, call ToolSearch("mcp") to discover deferred MCP tools.
Use mcp__x__ask_codex with agent_role: "security-reviewer".
If ToolSearch finds no MCP tools, fall back to the security-reviewer Claude agent.
Note: Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.
Output Format
SECURITY REVIEW REPORT ====================== Scope: Entire codebase (42 files scanned) Scan Date: 2026-01-24T14:30:00Z CRITICAL (2) ------------ 1. src/api/auth.ts:89 - Hardcoded API Key Finding: AWS API key hardcoded in source code Impact: Credential exposure if code is public or leaked Remediation: Move to environment variables, rotate key immediately Reference: OWASP A02:2021 – Cryptographic Failures 2. src/db/query.ts:45 - SQL Injection Vulnerability Finding: User input concatenated directly into SQL query Impact: Attacker can execute arbitrary SQL commands Remediation: Use parameterized queries or ORM Reference: OWASP A03:2021 – Injection HIGH (5) -------- 3. src/auth/password.ts:22 - Weak Password Hashing Finding: Passwords hashed with MD5 (cryptographically broken) Impact: Passwords can be reversed via rainbow tables Remediation: Use bcrypt or argon2 with appropriate work factor Reference: OWASP A02:2021 – Cryptographic Failures 4. src/components/UserInput.tsx:67 - XSS Vulnerability Finding: User input rendered with dangerouslySetInnerHTML Impact: Cross-site scripting attack vector Remediation: Sanitize HTML or use safe rendering Reference: OWASP A03:2021 – Injection (XSS) 5. src/api/upload.ts:34 - Path Traversal Vulnerability Finding: User-controlled filename used without validation Impact: Attacker can read/write arbitrary files Remediation: Validate and sanitize filenames, use allowlist Reference: OWASP A01:2021 – Broken Access Control ... MEDIUM (8) ---------- ... LOW (12) -------- ... DEPENDENCY VULNERABILITIES -------------------------- Found 3 vulnerabilities via npm audit: CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749) Installed: axios@0.21.0 Fix: npm install axios@0.21.2 HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203) Installed: lodash@4.17.19 Fix: npm install lodash@4.17.21 ... OVERALL ASSESSMENT ------------------ Security Posture: POOR (2 CRITICAL, 5 HIGH issues) Immediate Actions Required: 1. Rotate exposed AWS API key 2. Fix SQL injection in db/query.ts 3. Upgrade password hashing to bcrypt 4. Update vulnerable dependencies Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
Security Checklist
The security-reviewer agent verifies:
Authentication & Authorization
- • Passwords hashed with strong algorithm (bcrypt/argon2)
- • Session tokens cryptographically random
- • JWT tokens properly signed and validated
- • Access control enforced on all protected resources
- • No authentication bypass vulnerabilities
Input Validation
- • All user inputs validated and sanitized
- • SQL queries use parameterization (no string concatenation)
- • NoSQL queries prevent injection
- • File uploads validated (type, size, content)
- • URLs validated to prevent SSRF
Output Encoding
- • HTML output escaped to prevent XSS
- • JSON responses properly encoded
- • No user data in error messages
- • Content-Security-Policy headers set
Secrets Management
- • No hardcoded API keys
- • No passwords in source code
- • No private keys in repo
- • Environment variables used for secrets
- • Secrets not logged or exposed in errors
Cryptography
- • Strong algorithms used (AES-256, RSA-2048+)
- • Proper key management
- • Random number generation cryptographically secure
- • TLS/HTTPS enforced for sensitive data
Dependencies
- • No known vulnerabilities in dependencies
- • Dependencies up to date
- • No CRITICAL or HIGH CVEs
- • Dependency sources verified
Severity Definitions
CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft) HIGH - Vulnerability requiring specific conditions but serious impact MEDIUM - Security weakness with limited impact or difficult exploitation LOW - Best practice violation or minor security concern
Remediation Priority
- •Rotate exposed secrets - Immediate (within 1 hour)
- •Fix CRITICAL - Urgent (within 24 hours)
- •Fix HIGH - Important (within 1 week)
- •Fix MEDIUM - Planned (within 1 month)
- •Fix LOW - Backlog (when convenient)
Use with Other Skills
With Pipeline:
/pipeline security "review authentication module"
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.
Best Practices
- •Review early - Security by design, not afterthought
- •Review often - Every major feature or API change
- •Automate - Run security scans in CI/CD pipeline
- •Fix immediately - Don't accumulate security debt
- •Educate - Learn from findings to prevent future issues
- •Verify fixes - Re-run security review after remediation