Skill

Security Review

Tags: security, code review, agentic

Save the file as ~/.claude/skills/security-review/SKILL.md (user-level, available in every project) or .claude/skills/security-review/SKILL.md (project-level, checked in with the repo). Claude Code loads it automatically when the task at hand matches the skill's description.

Security Review Skill: OWASP Lenses on the Diff

Generic "review this for security" prompts return a wall of "consider adding logging" suggestions. This skill is different: it walks the diff through real OWASP-style lenses (injection, auth, secrets, trust boundaries, CSRF, SSRF, crypto, races) and ranks each finding by whether it is actually exploitable in the code as written.

Full Prompt
An installable security-review skill. Walks the diff through the injection, auth, secrets, trust-boundary, CSRF, SSRF, crypto, and race lenses, ranks findings by severity, and attaches a one-line fix to each.

What It Does

  • Adversarial framing: every external input is treated as hostile by default
  • Eight concrete lenses, not "general best practices"
  • Severity that means something: High means exploitable now, with no preconditions
  • One-line fix per finding: the smallest change that closes the hole

Install in 30 Seconds

Pick your tool and put the skill where it is read:

  • Claude Code: ~/.claude/skills/security-review/SKILL.md
  • OpenAI Codex CLI: append to AGENTS.md
  • Cursor: append to .cursorrules

Run it before pushing any change that touches auth, handles user input, or builds a query, command, or URL from external data.
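What a High finding from this skill looks like on real code, as an added illustration (this is example code written for this page, not the skill's prompt or output): two of the patterns the skill is meant to flag, a SQL query and a request URL built from external data, each next to its one-line fix, plus the probes a reviewer runs to justify "exploitable now, no preconditions". The table contents, the api.example.com domain, and the payloads are constructed for the example.

```python
"""Added illustration: two patterns the skill flags (a SQL query and a URL built
from external data), each beside its one-line fix, with probes showing the
original is exploitable and the fixed form is not. Table contents, hostnames
and payloads are constructed for this example."""
import re
import sqlite3
from urllib.parse import urlsplit


def demo_db():
    """Constructed sample table: what a user-lookup endpoint would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "admin")])
    return conn


# Injection lens: query text assembled from external data.
def find_user_before(conn, username):
    # High: the input can close the quoted literal and append its own SQL.
    # Nothing beyond reaching the endpoint is required.
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_after(conn, username):
    # One-line fix: bind the value, so the driver never parses it as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# SSRF lens: request host assembled from external data.
TENANT_HOST_SUFFIX = ".api.example.com"  # assumed internal API domain
TENANT_RE = re.compile(r"[a-z0-9-]{1,63}")  # a single DNS label


def tenant_url_before(tenant):
    # High: a tenant value containing "/" and "#" pushes the real suffix out
    # of the authority part, so the request goes wherever the input says.
    return f"https://{tenant}{TENANT_HOST_SUFFIX}/status"


def tenant_url_after(tenant):
    # One-line fix: reject anything that is not a plain DNS label.
    if not TENANT_RE.fullmatch(tenant):
        raise ValueError("tenant is not a DNS label")
    return f"https://{tenant}{TENANT_HOST_SUFFIX}/status"


def request_host(url):
    """Host an HTTP client would actually connect to for this URL."""
    return urlsplit(url).hostname


def probe():
    """Run the probes that justify a High rating; return outcomes as a dict
    so they can be asserted on rather than eyeballed."""
    conn = demo_db()
    sqli = "' OR '1'='1"                        # constructed payload
    ssrf = "169.254.169.254/latest/meta-data#"  # constructed payload
    outcome = {
        "sqli_rows_before": len(find_user_before(conn, sqli)),  # every row
        "sqli_rows_after": len(find_user_after(conn, sqli)),    # none
        "ssrf_host_before": request_host(tenant_url_before(ssrf)),
    }
    try:
        tenant_url_after(ssrf)
        outcome["ssrf_host_after"] = "not rejected"
    except ValueError:
        outcome["ssrf_host_after"] = "rejected"
    return outcome


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

The probes are the point: the rating is earned by showing the payload works against the code in the diff, not by pattern-matching on string concatenation. A concatenated query whose input is a server-side constant would not rate High under this skill's definition, and the review should say so.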

Why Severity Ranking Matters

A list of 30 unranked findings produces no action: the reviewer skims and merges. A list of "1 High, 2 Medium, here are the fixes" produces a hold on the merge button. This skill earns that hold by refusing to inflate severity to look thorough, and by refusing to invent findings when the diff is clean.

Install once, catch the bugs an attacker would.