
Security Review (Code)
Vulnerability review of a diff with executable sweeps + OWASP/CWE mapping. Findings ranked by demonstrated exploit, each with a concrete fix.
v1.0.0 · ~599 tokens · ⬇ 0 · Updated July 6, 2026
What it does
Reviews a change for security bugs: executable secret/injection/dependency sweeps plus manual review mapped to CWE (input validation, authZ, SQLi, XSS, SSRF, crypto, object-level access). Output ranked by demonstrated impact with a specific fix per finding. No exploit path = no CRITICAL.
Example uses
Review a PR for vulnerabilities
A pull request touches authentication or user input and you want real vulnerabilities caught before it merges.
Security-review the diff on my current branch. It adds a password-reset endpoint to our Node/Express API — check for injection, whether the endpoint verifies who is allowed to reset (not just who is logged in), and whether the reset token ever leaks into logs or error responses.Audit a file upload handler
You wrote a server-side upload feature and want it checked against path traversal, SSRF, and injection before it ships.
Security-review src/api/upload.ts. Users upload profile images that we resize and store on S3, and the request includes a callback URL we fetch after processing. Rank findings by severity with the concrete exploit path and the exact fix — I care most about path traversal and SSRF through that callback parameter.Run a pre-deploy security pass
You are about to release and want a focused review of what changed since the last tag, not a full-repo audit.
We deploy tomorrow. Run a security review on everything that changed since the v2.3 tag — mainly two new GraphQL resolvers and a webhook receiver. Map each finding to its CWE, cite file and line, and tell me which findings actually block the deploy versus which can wait.Install
# 1. Create the skill folder in your Claude setup mkdir -p ~/.claude/skills/security-review-code # 2. Download SKILL.md into it (or move the file you just downloaded) # → ~/.claude/skills/security-review-code/SKILL.md # 3. Claude Code auto-discovers it on next launch.
Inside the skill
---
name: security-review-code
description: Security review of a code change or file, with executable checks and OWASP/CWE mapping. Use before shipping, on a diff, or when the user asks to "check for vulnerabilities", "security review", "is this safe to deploy". Outputs findings ranked by severity with concrete fixes.
---
# Security Review (code)
Find real vulnerabilities in the change under review — not a lecture. Every finding
names a location, a concrete exploit, a severity, and a fix. Prefer checks you can run.
## Scope first
Review the DIFF (or named files), plus any code it directly calls. Don't audit the
whole repo unless asked. New attack surface = new inputs, new queries, new outputs,
new auth paths.
## Executable sweeps (run these, cite hits)
- **Secrets in code**: `(api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}`,
`sk-[A-Za-z0-9]{20,}`, `BEGIN [A-Z ]+PRIVATE KEY`.
- **Injection**: string-built SQL (`"SELECT .*" + `, f-strings in queries),
`exec/eval/system(` on user input, shell calls with unescaped variables.
- **Dependencies**: run the ecosystem audit (`npm audit`, `pip-audit`) if lockfile touched.
## Manual review (map each to CWE)
- **Input validation** (CWE-20): every external input validated + bounded before use.
- **AuthZ** (CWE-285): does this endpoint/action check *who* is allowed, not just *authenticated*?
- **SQL/command injection** (CWE-89/78): parameterized queries only; no shell string-building.
- **XSS** (CWE-79): output encoded for its sink (HTML vs attr vs JS vs URL).
- **SSRF** (CWE-918): user-controlled URLs fetched server-side — allowlist hosts.
- **Secrets/logging** (CWE-532): no secrets in logs, errors, or client responses.
- **Crypto** (CWE-327): no MD5/SHA1 for security, no hardcoded IVs/keys, TLS verified.
- **Access control on objects** (CWE-639): can user A reach user B's record by ID?
## Output
```
SECURITY REVIEW — <target>
CRITICAL / HIGH / MEDIUM / LOW (grouped)
[severity] <title> — <file:line>
Exploit: <concrete: input X → outcome Y>
CWE: <id>
Fix: <specific change>
Clean: <areas checked and found sound>
```
## Rules
- No exploit path, no CRITICAL. Speculative severity erodes trust — rank by demonstrated impact.
- "Validate input" is not a fix. Say WHICH input, WHERE, and the exact rule.
- Don't flag framework behavior you haven't confirmed is reachable/exploitable here.
Changelog
- v1.0.02026-07-03Initial clean-room write.
Frequently asked questions
Is Security Review (Code) free?
Yes. Security Review (Code) is free to download and MIT-licensed.
Where do I install Security Review (Code)?
Place the SKILL.md file in ~/.claude/skills/security-review-code/ and Claude Code auto-discovers it on next launch.
How many tokens does Security Review (Code) use?
About 599 tokens — it is designed to be token-lean.

We're developers and SaaS builders who use these tools daily in production. Every review comes from hands-on experience building real products — DealPropFirm, ThePlanetIndicator, PropFirmsCodes, and many more. We don't just review tools — we build and ship with them every day.
Written and tested by developers who build with these tools daily.