Security Review Skill: OWASP Lenses on the Diff
Generic "review this for security" prompts return a wall of "consider adding logging" suggestions. This skill is different: it walks the diff through real OWASP-style lenses — injection, auth, secrets, trust boundaries, CSRF/SSRF, crypto, races — and ranks findings by whether they're actually exploitable.
An installable security-review skill. Walks the diff through injection, auth, secrets, trust-boundary, CSRF/SSRF, crypto, and race lenses — ranks findings by severity with a one-line fix each.
What It Does
- Adversarial framing — assumes the input is hostile by default
- Eight concrete lenses — not "general best practices"
- Severity that means something — High = exploitable now, no preconditions
- One-line fix per finding — the smallest change that closes the hole
Install in 30 Seconds
Pick your tool and add the skill file:
- Claude Code: ~/.claude/skills/security-review/SKILL.md
- OpenAI Codex CLI: append to AGENTS.md
- Cursor: append to .cursorrules
Run before pushing anything touching auth, user input, or anything that builds a query, command, or URL from external data.
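As an added illustration (not part of the skill or its output) of what one injection-lens finding looks like on a diff that builds a query from external data: the "before" function is the hole, the "after" is the one-line fix, and a constructed hostile input shows why the finding ranks High (exploitable now, no preconditions). The table, function names and finding record are assumptions made up for this example.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

# BEFORE: the query text is built from external data, which the injection lens flags.
def find_user_unsafe(conn, name):
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

# AFTER: the one-line fix, a parameterised query; the driver never parses input as SQL.
def find_user_safe(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# The finding as the skill would rank it (hypothetical record): High because untrusted
# input reaches the query with no auth or configuration precondition in between.
FINDING = {
    "lens": "injection",
    "severity": "High",
    "location": "find_user_unsafe: f-string builds SQL from `name`",
    "fix": "use a placeholder: conn.execute(sql, (name,))",
}

def demonstrate():
    conn = make_db()
    # Constructed hostile input: closes the quoted literal and appends a tautology.
    hostile = "nobody' OR '1'='1"
    unsafe = find_user_unsafe(conn, hostile)  # every row comes back: exploitable now
    safe = find_user_safe(conn, hostile)      # [] : the input is treated as a literal name
    return unsafe, safe

if __name__ == "__main__":
    unsafe, safe = demonstrate()
    print(f"[{FINDING['severity']}] {FINDING['lens']}: {FINDING['location']}")
    print(f"  fix: {FINDING['fix']}")
    print(f"  unsafe returned {len(unsafe)} rows, safe returned {len(safe)}")
```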
Why Severity Ranking Matters
A list of 30 unranked findings produces no action — the reviewer skims and merges. A list of "1 High, 2 Medium, here are the fixes" produces a hold on the merge button. This skill earns that hold by refusing to inflate severity to look thorough, and refusing to invent findings when the diff is clean.
Install once, catch the bugs an attacker would.