security-review

Overview of security-review skill

The security-review skill is a practical review helper for catching common application security issues before they ship. It is best for developers and AI agents working on authentication, user input, secrets, APIs, payments, uploads, or other sensitive flows where a generic prompt is too vague and the cost of a miss is high.

The main job-to-be-done is not abstract “security theory”; it is to turn a code change into a targeted security check with concrete pass/fail expectations. This security-review skill is most useful when you want a fast, structured review that flags risky defaults, missing validation, and secret-handling mistakes without requiring you to manually assemble a checklist from scratch.

What makes it useful

Compared with a one-off prompt, the security-review skill gives you a repeatable review frame: when to activate it, what to inspect first, and which failure modes matter most. It also includes explicit examples of bad versus safe patterns, which helps when you are reviewing code across different stacks.

Best-fit use cases

Use security-review for Security Audit tasks involving:

• login, session, or authorization logic
• forms, uploads, query parameters, and other untrusted input
• API routes that store, expose, or transform sensitive data
• secret access, environment variables, and deployment config
• payment or third-party integration code where abuse risk is non-trivial

What to expect from it

This skill is strongest when you want a focused review rather than a full pen-test. It helps you identify whether security basics are present, whether the implementation is obviously unsafe, and what to inspect next if the first pass finds gaps.

How to Use security-review skill

Install and place it in context

Install the security-review skill with:

npx skills add affaan-m/everything-claude-code --skill security-review

Use it when the task is security-sensitive, not for every routine refactor. The best results come when you frame the request as a review of a specific change, route, component, or feature, not a broad “check my app.”

Read the right files first

For a security-review install, start with SKILL.md, then inspect nearby repo guidance such as README.md, AGENTS.md, metadata.json, and any linked folders or support docs. In this repo, the most relevant source file paths are SKILL.md and cloud-infrastructure-security.md.

If you are adopting the skill in your own workflow, read the skill file first to understand activation criteria, then map those checks onto your codebase’s actual authentication, validation, and deployment patterns.

Give the skill a review-shaped prompt

A strong prompt names the surface area, the threat, and the output you want. For example:

• “Review this signup flow for auth bypass, weak validation, and secret exposure.”
• “Check this API route for injection risk, broken access control, and unsafe error handling.”
• “Review this payment webhook handler and list the concrete security issues with fixes.”

That is better than “do a security review” because it tells the security-review usage flow what to prioritize and what evidence to look for.

Work from rough goal to actionable review

A good security-review guide workflow is:

1. State the feature and sensitive data involved.
2. Share the relevant files or diff.
3. Ask for a risk-ranked list of findings.
4. Request exact fix suggestions or patched code.

If you want the output to be more actionable, add constraints like framework, runtime, and deployment environment, since secret handling and validation patterns differ across stacks.

security-review skill FAQ

Is the security-review skill only for experts?

No. It is useful for beginners because it turns vague security concerns into concrete checks. The skill is especially helpful if you know a feature is sensitive but are unsure which failure modes matter most.

How is it different from a normal prompt?

A normal prompt often produces generic advice. The security-review skill is better when you need a repeatable review process with clear triggers, explicit “do not do this” patterns, and practical verification steps that can be applied to real code.

When should I not use it?

Do not use security-review for low-risk cosmetic changes or simple internal refactors with no auth, input, secrets, or external integration impact. It is also not a substitute for a full security audit, penetration test, or compliance review when those are required.

Does it fit non-Node projects?

Yes, the ideas are broadly portable, but you should adapt the examples to your stack. The skill is strongest when you translate its review logic into your framework’s own validation, secret storage, and access-control conventions.

How to Improve security-review skill

Give it the risky path, not the whole app

The best outputs come from a narrow target: one endpoint, one auth flow, one webhook, or one upload path. If you hand it an entire repo, the review can become shallow. For security-review for Security Audit, scope beats volume.

Include concrete constraints and threat context

Stronger inputs mention:

• what data is sensitive
• who can call the feature
• what external systems are involved
• whether the code is public-facing or internal
• what you already suspect is weak

That lets the skill focus on the right class of failures instead of wasting attention on irrelevant issues.

Ask for fixes that match your stack

If you want better results, ask for output in the same terms as your codebase: middleware names, schema validators, environment variable patterns, or webhook verification steps. The security-review skill is most useful when it can map recommendations directly to code you can change.

Iterate after the first pass

Treat the first review as a triage step. If it finds one issue, ask it to re-check the same files for related problems such as authorization drift, unsafe defaults, or missing logging. If it finds none, narrow the scope and resubmit only the sensitive path so the security-review usage remains focused and high-signal.