performing-security-code-review
Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin. it analyzes code for potential vulnerabilities like sql injection, xss, authentication flaws, and insecure dependencies. AI assistant uses this skill wh... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
Install
mkdir -p .claude/skills/performing-security-code-review && curl -L -o skill.zip "https://mcp.directory/api/skills/download/5401" && unzip -o skill.zip -d .claude/skills/performing-security-code-review && rm skill.zipInstalls to .claude/skills/performing-security-code-review
About this skill
Performing Security Code Review
Overview
Conducts security-focused code reviews by scanning source files for common vulnerability patterns including SQL injection, XSS, authentication flaws, insecure dependencies, and secret exposure. Produces structured severity-rated reports with specific remediation guidance.
Prerequisites
- Read access to all source files in the target project
grepavailable on PATH for pattern matching- Access to
package.jsonor equivalent dependency manifest for dependency auditing - Familiarity with OWASP Top 10 vulnerability categories
Instructions
- Identify the scope of the review: specific files, directories, or the entire codebase. Confirm the primary language(s) and framework(s) in use.
- Scan for hardcoded secrets and credentials:
- Search for patterns matching API keys, tokens, passwords, AWS access keys (
AKIA...), and private key headers (BEGIN PRIVATE KEY). - Flag any
.envfiles or configuration files containing plaintext secrets.
- Search for patterns matching API keys, tokens, passwords, AWS access keys (
- Analyze code for injection vulnerabilities:
- Identify raw SQL string concatenation (SQL injection risk).
- Locate unsanitized user input rendered in HTML (XSS risk).
- Check for
eval(),exec(), orFunction()calls with dynamic input (code injection risk).
- Review authentication and authorization logic:
- Verify password hashing uses strong algorithms (bcrypt, argon2) rather than MD5/SHA1.
- Check for missing authentication on sensitive endpoints.
- Identify overly permissive CORS configurations.
- Audit dependencies for known vulnerabilities:
- Run
npm auditor equivalent package manager audit command. - Cross-reference dependency versions against known CVE databases.
- Run
- Check for insecure communication patterns:
- Flag HTTP URLs where HTTPS is expected.
- Identify disabled TLS certificate verification.
- Compile findings into a structured report sorted by severity (Critical, High, Medium, Low), including the vulnerable code location, explanation, and remediation steps.
Output
A structured security review report containing:
- Summary with total findings count by severity level
- Per-finding entries with: file path, line number, vulnerability type, severity, code snippet, explanation, and recommended fix
- Dependency audit results with CVE identifiers where applicable
- Overall risk assessment (Critical / High / Medium / Low / Clean)
Error Handling
| Error | Cause | Solution |
|---|---|---|
| No source files found | Incorrect scope path or empty directory | Verify the target directory path and confirm it contains source files |
| Binary files in scan | Non-text files matched by search patterns | Exclude binary extensions and node_modules/ from scans |
| Dependency manifest missing | No package.json, requirements.txt, or equivalent | Skip dependency audit; note in report that dependency analysis was not possible |
| Permission denied on files | Restricted file access | Request read permissions or narrow the review scope to accessible files |
| False positive on secret pattern | Benign string matching secret regex | Verify context before reporting; mark as potential false positive if the match appears in test fixtures or documentation |
Examples
SQL injection review:
Trigger: "Review this database query code for SQL injection vulnerabilities."
Process: Scan all files containing SQL query construction. Identify string concatenation with user input ("SELECT * FROM users WHERE id = " + userId). Report as High severity with remediation: use parameterized queries or prepared statements.
Dependency vulnerability scan:
Trigger: "Check this project's dependencies for known security vulnerabilities."
Process: Run npm audit on the project. Parse output for vulnerabilities. Report each finding with CVE identifier, affected package, installed version, and patched version. Recommend npm audit fix or manual version pinning.
Full codebase security audit: Trigger: "Run a security scan on this codebase." Process: Execute all seven scan categories (secrets, injection, auth, dependencies, communication, dangerous commands, obfuscation). Produce a comprehensive report with findings grouped by category and sorted by severity.
Resources
- OWASP Top 10 -- industry-standard vulnerability classification
- Node.js Security Checklist -- Node-specific security guidance
- CWE/SANS Top 25 -- most dangerous software weaknesses
${CLAUDE_SKILL_DIR}/references/README.md-- bundled reference materials
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
REMnux MCP ServerREMnux MCP Server: Run REMnux malware analysis via Docker, SSH or locally with automated file-type analysis, sandbox too
Alfred MCP ServerAlfred MCP Server: create, manage & run Alfred workflow automation skills, manage MCP connections, view execution histor
Chrome DevTools MCPAI-driven control of live Chrome via Chrome DevTools: browser automation, debugging, performance analysis and network mo
BlenderConnect Blender to Claude AI for seamless 3D modeling. Use AI 3D model generator tools for faster, intuitive, interactiv
GhidraMCPMCP server for Ghidra reverse engineering. Enables AI assistants to decompile binaries, analyze functions, rename variab
Desktop Commander MCPTerminal control, file system search, and diff-based file editing for Claude and other AI assistants. Execute shell comm
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.