Audit code for security vulnerabilities using OWASP Top 10 guidelines. Use for security audits, pre-deployment checks, authentication reviews, or when checking for XSS, SQL injection, CSRF, or authorization issues. EXCLUSIVE to security-expert agent.
Install via the SkillsCat registry: `npx skillscat add htooayelwinict/claude-config/security-review`

# Security Review

Exclusive to: security-expert agent
## MCP Helpers (Brain + Memory + Web)

### Gemini-Bridge: Security Analysis

```
mcp_gemini-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")
```

### Open-Bridge: Alternative Security Analysis

```
mcp_open-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")
```

### Codex-Bridge: Code Security Review

```
mcp_codex-bridge_consult_codex(query="Find security vulnerabilities in: [code]", directory=".")
```

### Context7 (Memory): Up-to-Date Docs

Look up security patterns and vulnerability mitigations:

```
mcp_context7_resolve-library-id(libraryName="laravel", query="csrf protection")
mcp_context7_query-docs(libraryId="/laravel/docs", query="authentication security")
```

### Web Search: CVE and Vulnerability Lookup

```
mcp_web-search-prime_search(query="[package name] CVE vulnerability 2025")
```

## Validation Loop (MANDATORY)

Every security review MUST run these dependency checks:

```bash
composer audit                    # Check PHP vulnerabilities
npm audit                         # Check JS vulnerabilities
php artisan route:list --compact  # Verify route middleware
```

Report any vulnerabilities found as Critical findings.
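The "verify route middleware" step above is easiest to make repeatable by feeding the route table to a small checker. The script below is an added example, not part of the skill; it assumes Laravel's `php artisan route:list --json` output (a list of objects with `method`, `uri` and a `middleware` string list) and a constructed sample of that output, and flags protected routes that carry no `auth` middleware as Critical findings under A01.

```python
"""Flag routes under protected prefixes that lack an auth middleware.

Added example (not the skill's own code). Assumes the JSON shape produced by
`php artisan route:list --json` on Laravel 9+: objects with "method", "uri"
and "middleware" (list of strings). Prefix policy below is an assumption.
"""
import json
import re

# Assumed policy: anything under these prefixes must be authenticated.
PROTECTED_PREFIXES = ("admin", "api/", "dashboard")
# Matches "auth", "auth:sanctum", "auth:api,web" but not "author".
AUTH_MIDDLEWARE = re.compile(r"^auth(:[\w,]+)?$")


def is_protected(uri: str) -> bool:
    return uri.startswith(PROTECTED_PREFIXES)


def has_auth(middleware: list[str]) -> bool:
    return any(AUTH_MIDDLEWARE.match(m) for m in middleware)


def find_unprotected_routes(route_list_json: str) -> list[dict]:
    """Return one Critical finding per protected route without auth middleware."""
    findings = []
    for route in json.loads(route_list_json):
        uri = route["uri"].lstrip("/")
        middleware = route.get("middleware", [])
        if is_protected(uri) and not has_auth(middleware):
            findings.append({
                "severity": "Critical",  # the skill reports missing checks as Critical
                "owasp": "A01 Broken Access Control",
                "route": f"{route['method']} /{uri}",
                "middleware": middleware,
            })
    return findings


# Constructed sample route table (not from a real application).
SAMPLE_ROUTES = json.dumps([
    {"method": "GET", "uri": "login", "middleware": ["web", "guest"]},
    {"method": "GET", "uri": "dashboard", "middleware": ["web", "auth"]},
    {"method": "POST", "uri": "api/orders", "middleware": ["api", "auth:sanctum", "throttle:api"]},
    {"method": "DELETE", "uri": "admin/users/{user}", "middleware": ["web"]},
    {"method": "GET", "uri": "api/reports", "middleware": ["api"]},
])

if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_ROUTES):
        print(f"[{f['severity']}] {f['owasp']}: {f['route']} middleware={f['middleware']}")
```

On the sample table the two routes without any `auth` middleware (`DELETE /admin/users/{user}` and `GET /api/reports`) are reported; in a real review pipe `php artisan route:list --json` into `find_unprotected_routes`.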
## Instructions

- Run `git diff` to identify changed files
- Scan for security vulnerabilities using the checklist below
- Check authentication and authorization patterns
- Review input validation and sanitization
- Report findings by severity (Critical → Warning → Suggestion)
## OWASP Top 10 Checklist

| # | Vulnerability | Laravel Check | React Check |
|---|---|---|---|
| A01 | Broken Access Control | Policies, Gates | Route guards |
| A02 | Cryptographic Failures | Hash::make, encrypt | No secrets in client |
| A03 | Injection | Eloquent, query builder | No dangerouslySetInnerHTML |
| A04 | Insecure Design | Business logic review | Component security |
| A05 | Security Misconfiguration | .env settings | Build config |
| A06 | Vulnerable Components | composer audit | npm audit |
| A07 | Auth Failures | Rate limiting, sessions | Token handling |
| A08 | Data Integrity | CSRF, mass assignment | Form validation |
| A09 | Logging Failures | Security event logs | Error boundaries |
| A10 | SSRF | URL validation | API call validation |
## Laravel Security Checks

```php
// Mass assignment
protected $fillable = ['name', 'email'];   // ✅ Whitelist
protected $guarded = ['id', 'is_admin'];   // ✅ Blacklist

// SQL injection prevention
User::where('email', $email)->first();                        // ✅ Safe (bound parameter)
DB::raw("SELECT * FROM users WHERE email = '$email'");        // ❌ Dangerous (string interpolation)

// CSRF
@csrf // ✅ In forms
```

## React Security Checks

```jsx
// XSS prevention
<div>{userInput}</div>                                   // ✅ Auto-escaped
<div dangerouslySetInnerHTML={{__html: userInput}} />    // ❌ XSS risk

// No secrets in client
const API_KEY = process.env.NEXT_PUBLIC_API_KEY;         // ⚠️ Visible to users
```

## Audit Commands

```bash
composer audit            # PHP vulnerabilities
npm audit                 # JS vulnerabilities
php artisan route:list    # Check route middleware
```

## Examples
- "Security review this PR"
- "Check for OWASP vulnerabilities"
- "Audit authentication flow"