When is this security review mandatory?

It triggers automatically whenever files involving auth, security, middleware, sessions, tokens, or SQL patterns are modified.

Can it detect hardcoded secrets?

Yes, the skill uses automated regex-based searches to identify potential API keys, passwords, and tokens accidentally left in the source code.

Does it check for dependency vulnerabilities?

Yes, it integrates with package managers like pnpm and pip to run security audits (e.g., pnpm audit) for known CVEs in your project dependencies.

What is the Security Review skill for Claude Code?

It is a specialized capability that performs automated and guided security audits on code changes related to authentication, APIs, and sensitive data handling.

Which security standards does it follow?

The skill is primarily based on the OWASP Top 10 framework, covering critical categories like Injection, Broken Access Control, and Cryptographic Failures.

Security Review Expert

Name: Security Review Expert
Author: troykelly

bytroykelly

•

Security & Testing

Conducts mandatory OWASP-aligned security audits for sensitive code changes involving authentication, APIs, and databases.

About

The Security Review skill is a specialized capability for Claude Code designed to automate the identification and auditing of security-sensitive code paths. It enforces a rigorous review process whenever changes touch authentication, authorization, middleware, API endpoints, or database schemas. By evaluating code against the OWASP Top 10 vulnerabilities, the skill provides domain-specific guidance on preventing injection, broken access control, and sensitive data exposure. It integrates automated dependency audits and secret detection to ensure that critical vulnerabilities are identified and remediated before code is merged into production.

Key Features

Standardized security reporting with severity categorization
Integrated dependency audits for known CVEs
Hardcoded secret and credential detection using Grep
Automated OWASP Top 10 vulnerability scanning
5 GitHub stars
Mandatory triggering for security-sensitive file patterns

Use Cases

Pre-PR security audits for authentication and middleware changes
Auditing third-party dependencies for security vulnerabilities
Scanning database migrations for potential SQL injection vulnerabilities

About

Key Features

Standardized security reporting with severity categorization
Integrated dependency audits for known CVEs
Hardcoded secret and credential detection using Grep
Automated OWASP Top 10 vulnerability scanning
5 GitHub stars
Mandatory triggering for security-sensitive file patterns

Use Cases

Pre-PR security audits for authentication and middleware changes
Auditing third-party dependencies for security vulnerabilities
Scanning database migrations for potential SQL injection vulnerabilities