Can it detect hardcoded secrets and API keys?

Yes, it is specifically configured to identify hardcoded tokens, private keys, and PII (Personally Identifiable Information) that should not be stored in your repository.

Does this skill modify my source code automatically?

No, the Security Review skill is designed to use read-only tools to analyze your files and provide remediation guidance for you to review and implement manually.

What methodology does the skill use for threat modeling?

The skill typically follows the STRIDE framework, focusing on Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

How does it handle third-party dependency risks?

It reviews lockfiles and new dependencies to ensure they are minimal, justified, and vetted for known risks before they are integrated into your project.

Security Review Specialist

Name: Security Review Specialist
Author: nicholasgriffintn

bynicholasgriffintn

0•

安全与测试

Conducts comprehensive security audits, threat modeling, and remediation guidance for software projects using standardized safety frameworks.

The Security Review skill empowers Claude to perform deep-dive security assessments across your codebase, focusing on critical areas such as authentication, data validation, and secrets management. By utilizing read-only tools like Grep and Glob, it identifies potential vulnerabilities—including unsanitized inputs, hardcoded credentials, and dependency risks—without making unauthorized changes. It follows a structured workflow to provide actionable remediation notes and ensure that security best practices, such as the STRIDE model, are integrated directly into your development lifecycle.

主要功能

01Validation of authentication and authorization logic for least-privilege compliance.

02Input/Output sanitization audits to prevent injection, XSS, and SSRF attacks.

03Automated threat modeling to identify entry points and trust boundaries.

040 GitHub stars

05Security-focused dependency risk assessment and lockfile verification.

06Deep scan for hardcoded secrets, PII, and sensitive credentials in logs or configs.

使用场景

01Reviewing code changes for new public endpoints or external API integrations.

02Evaluating third-party dependency upgrades for potential supply chain vulnerabilities.

03Auditing authentication and permission systems after a major architecture refactor.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add nicholasgriffintn/claude-code security-review

For use in Claude.ai and ChatGPT

Download Skill