How does this skill detect security vulnerabilities?

It uses a specialized security agent to perform a two-pass 'thorough' and 'gaps' analysis, specifically targeting injection, authentication failures, and sensitive data exposure.

Does it follow the OWASP Top 10 standards?

Absolutely. The skill is mapped to the OWASP Top 10 categories, including Broken Access Control, Cryptographic Failures, Injection, and SSRF.

Can it find hardcoded API keys?

Yes, the skill includes auto-validated patterns specifically designed to instantly identify hardcoded passwords, API keys, and other sensitive credentials with high confidence.

Will it suggest fixes for the issues it finds?

Yes, the skill generates reports that include prioritized findings along with suggested code diffs or prompts to automatically remediate the identified security risks.

How does it handle false positives?

The skill includes a validation step to filter results and explicitly avoids flagging security issues in test files or internal-only code where the risk is mitigated.

Security Code Review

Name: Security Code Review
Author: JesseNaranjo

byJesseNaranjo

•

Security & Testing

Conducts deep security audits to identify vulnerabilities, hardcoded secrets, and OWASP compliance issues within your codebase.

About

The Security Code Review skill empowers Claude to act as a specialized security engineer, performing multi-pass audits to detect critical flaws like injection attacks, broken access control, and sensitive data exposure. By leveraging high-reasoning models for thorough vulnerability detection, it scans for OWASP Top 10 risks, validates input handling, and identifies hardcoded credentials, providing severity-prioritized reports with actionable diff-based fixes to harden your application throughout the development lifecycle.

Key Features

Detection of SQL injection, XSS, and command injection vulnerabilities
In-depth analysis of authentication and authorization logic including IDOR
Multi-pass auditing using a specialized security agent for thorough coverage
1 GitHub stars
Automated identification of hardcoded secrets, API keys, and credentials
OWASP Top 10 compliance mapping with severity-prioritized reporting

Use Cases

Performing pre-release security audits to catch vulnerabilities before they reach production
Automated security reviews of complex pull requests to ensure secure coding standards
Scanning legacy repositories for hardcoded secrets and outdated cryptographic patterns

About

Key Features

Detection of SQL injection, XSS, and command injection vulnerabilities
In-depth analysis of authentication and authorization logic including IDOR
Multi-pass auditing using a specialized security agent for thorough coverage
1 GitHub stars
Automated identification of hardcoded secrets, API keys, and credentials
OWASP Top 10 compliance mapping with severity-prioritized reporting

Use Cases

Performing pre-release security audits to catch vulnerabilities before they reach production
Automated security reviews of complex pull requests to ensure secure coding standards
Scanning legacy repositories for hardcoded secrets and outdated cryptographic patterns