How does it handle security false positives?

It uses a specific Severity Graduation Criteria framework to help distinguish between functional vulnerabilities and harmless test data or protected framework paths.

Does it support dependency auditing?

Yes, it analyzes lockfiles and manifests for supply chain risks, unpinned versions, and suspicious package sources like low-reputation GitHub URLs.

How does the Security Patterns skill activate?

The skill automatically triggers when it detects changes to security-relevant files in your diff, such as authentication logic, environment variables, or dependency manifests.

What kind of vulnerabilities can it find?

It identifies common OWASP risks including SQL injection, cross-site scripting (XSS), insecure direct object references (IDOR), and SSRF that might otherwise be missed.

Security Patterns & PR Review

Name: Security Patterns & PR Review
Author: Kiwi-Home

byKiwi-Home

0•

安全与测试

Performs automated security audits and PR reviews using advanced detection heuristics for vulnerabilities like SQLi, XSS, and hardcoded secrets.

This skill provides a comprehensive security review framework for Claude Code, enabling the detection of complex vulnerabilities that standard AI analysis often misses. It automatically activates when security-sensitive files—such as authentication modules, dependency manifests, or configuration files—are modified. By mapping findings to OWASP standards and providing specific severity graduation criteria, it helps developers identify SSRF, IDOR, insecure dependency injections, and secret leaks directly within their pull request workflows, ensuring robust application integrity and compliance without manual prompting.

主要功能

01Severity graduation framework to distinguish critical risks from false positives

02Advanced heuristics for SSRF, SQLi, DOM-based XSS, and IDOR detection

03Comprehensive dependency auditing for supply chain risks and typosquatting

04Automated activation for auth, secrets, and dependency-related file changes

05Secret management detection for hardcoded keys and insecure CI/CD configurations

060 GitHub stars

使用场景

01Enforcing secret management best practices and preventing accidental credential leaks

02Vetting new third-party dependencies for supply chain vulnerabilities and reputation

03Conducting deep security audits on pull requests involving authentication or data handling

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add kiwi-home/ai-coding-resources security-patterns

For use in Claude.ai and ChatGPT

Download Skill