Skip to content
Security Review (Code) cover
SecurityFree · MIT

Security Review (Code)

Vulnerability review of a diff with executable sweeps + OWASP/CWE mapping. Findings ranked by demonstrated exploit, each with a concrete fix.

v1.0.0 · ~599 tokens · ⬇ 0 · Updated July 6, 2026

What it does

Reviews a change for security bugs: executable secret/injection/dependency sweeps plus manual review mapped to CWE (input validation, authZ, SQLi, XSS, SSRF, crypto, object-level access). Output ranked by demonstrated impact with a specific fix per finding. No exploit path = no CRITICAL.

Example uses

Review a PR for vulnerabilities

A pull request touches authentication or user input and you want real vulnerabilities caught before it merges.

Security-review the diff on my current branch. It adds a password-reset endpoint to our Node/Express API — check for injection, whether the endpoint verifies who is allowed to reset (not just who is logged in), and whether the reset token ever leaks into logs or error responses.

Audit a file upload handler

You wrote a server-side upload feature and want it checked against path traversal, SSRF, and injection before it ships.

Security-review src/api/upload.ts. Users upload profile images that we resize and store on S3, and the request includes a callback URL we fetch after processing. Rank findings by severity with the concrete exploit path and the exact fix — I care most about path traversal and SSRF through that callback parameter.

Run a pre-deploy security pass

You are about to release and want a focused review of what changed since the last tag, not a full-repo audit.

We deploy tomorrow. Run a security review on everything that changed since the v2.3 tag — mainly two new GraphQL resolvers and a webhook receiver. Map each finding to its CWE, cite file and line, and tell me which findings actually block the deploy versus which can wait.

Install

# 1. Create the skill folder in your Claude setup
mkdir -p ~/.claude/skills/security-review-code

# 2. Download SKILL.md into it (or move the file you just downloaded)
#    → ~/.claude/skills/security-review-code/SKILL.md

# 3. Claude Code auto-discovers it on next launch.

Inside the skill

SKILL.md
---
name: security-review-code
description: Security review of a code change or file, with executable checks and OWASP/CWE mapping. Use before shipping, on a diff, or when the user asks to "check for vulnerabilities", "security review", "is this safe to deploy". Outputs findings ranked by severity with concrete fixes.
---

# Security Review (code)

Find real vulnerabilities in the change under review — not a lecture. Every finding
names a location, a concrete exploit, a severity, and a fix. Prefer checks you can run.

## Scope first

Review the DIFF (or named files), plus any code it directly calls. Don't audit the
whole repo unless asked. New attack surface = new inputs, new queries, new outputs,
new auth paths.

## Executable sweeps (run these, cite hits)

- **Secrets in code**: `(api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}`,
  `sk-[A-Za-z0-9]{20,}`, `BEGIN [A-Z ]+PRIVATE KEY`.
- **Injection**: string-built SQL (`"SELECT .*" + `, f-strings in queries),
  `exec/eval/system(` on user input, shell calls with unescaped variables.
- **Dependencies**: run the ecosystem audit (`npm audit`, `pip-audit`) if lockfile touched.

## Manual review (map each to CWE)

- **Input validation** (CWE-20): every external input validated + bounded before use.
- **AuthZ** (CWE-285): does this endpoint/action check *who* is allowed, not just *authenticated*?
- **SQL/command injection** (CWE-89/78): parameterized queries only; no shell string-building.
- **XSS** (CWE-79): output encoded for its sink (HTML vs attr vs JS vs URL).
- **SSRF** (CWE-918): user-controlled URLs fetched server-side — allowlist hosts.
- **Secrets/logging** (CWE-532): no secrets in logs, errors, or client responses.
- **Crypto** (CWE-327): no MD5/SHA1 for security, no hardcoded IVs/keys, TLS verified.
- **Access control on objects** (CWE-639): can user A reach user B's record by ID?

## Output

```
SECURITY REVIEW — <target>
CRITICAL / HIGH / MEDIUM / LOW (grouped)
  [severity] <title> — <file:line>
    Exploit: <concrete: input X → outcome Y>
    CWE: <id>
    Fix: <specific change>
Clean: <areas checked and found sound>
```

## Rules

- No exploit path, no CRITICAL. Speculative severity erodes trust — rank by demonstrated impact.
- "Validate input" is not a fix. Say WHICH input, WHERE, and the exact rule.
- Don't flag framework behavior you haven't confirmed is reachable/exploitable here.

Changelog

  • v1.0.02026-07-03Initial clean-room write.

Frequently asked questions

Is Security Review (Code) free?

Yes. Security Review (Code) is free to download and MIT-licensed.

Where do I install Security Review (Code)?

Place the SKILL.md file in ~/.claude/skills/security-review-code/ and Claude Code auto-discovers it on next launch.

How many tokens does Security Review (Code) use?

About 599 tokens — it is designed to be token-lean.

Anthony M. — Founder & Lead Reviewer
Anthony M.Verified Builder

We're developers and SaaS builders who use these tools daily in production. Every review comes from hands-on experience building real products — DealPropFirm, ThePlanetIndicator, PropFirmsCodes, and many more. We don't just review tools — we build and ship with them every day.

Written and tested by developers who build with these tools daily.