a2mus/security-review
skills/security-review/SKILL.md
Security audit checklist and workflow. Run before commits, PRs, or deploying. Covers secrets detection, input validation, OWASP Top 10, and dependency scanning.
testing
Updated Apr 25, 2026
$ install --global
skillsauthnpx skillsauth add a2mus/ecc-antigravity security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 9:11 PM198.5s1 file scanned
SKILL.md
- name:
- security-review
- description:
- Security audit checklist and workflow. Run before commits, PRs, or deploying. Covers secrets detection, input validation, OWASP Top 10, and dependency scanning.
- tags:
- security, audit, owasp, secrets, vulnerability
- origin:
- ECC (adapted for Antigravity)
When to Use
- Before ANY commit that touches auth, data handling, or API endpoints
- Before creating a pull request
- Before deploying to production
- When adding new dependencies
- Anytime something feels "off" about how data flows
Pre-Commit Security Checklist
Secrets & Credentials
- [ ] No API keys, passwords, or tokens in source code
- [ ] No credentials in config files committed to version control
- [ ]
.envfiles are listed in.gitignore - [ ] Required secrets validated at startup (not silently ignored)
Input Validation
- [ ] All user inputs validated before processing
- [ ] File paths validated and sanitized (no path traversal)
- [ ] Integer/type bounds checked
- [ ] Schema validation used where applicable (pydantic, etc.)
Data Handling
- [ ] SQL queries use parameterized statements (no f-string SQL)
- [ ] HTML output is sanitized (no raw user content injected)
- [ ] File uploads validated (type, size, content)
- [ ] Sensitive data not logged
Authentication & Authorization
- [ ] Protected routes/functions check permissions
- [ ] No authorization logic on the client side only
- [ ] Session/token handling is server-side
Error Handling
- [ ] Error messages don't expose stack traces to users
- [ ] Error messages don't leak internal paths or DB structure
- [ ] Errors are logged with context (server-side only)
Secret Management Rules
# WRONG — never do this
API_KEY = "sk-abc123..."
database_url = "postgresql://user:password@host/db"
# CORRECT — always use environment variables
import os
API_KEY = os.environ["API_KEY"] # raises KeyError if missing — intentional
DATABASE_URL = os.environ["DATABASE_URL"]
For QGIS plugins, use the QGIS settings API for user configuration:
from qgis.core import QgsSettings
settings = QgsSettings()
api_key = settings.value("my_plugin/api_key", "")
SQL Injection Prevention
# WRONG
cursor.execute(f"SELECT * FROM layers WHERE name = '{user_input}'")
# CORRECT — always use parameterized queries
cursor.execute("SELECT * FROM layers WHERE name = ?", (user_input,))
# or with psycopg2/SQLAlchemy:
cursor.execute("SELECT * FROM layers WHERE name = %s", (user_input,))
Path Traversal Prevention
import os
from pathlib import Path
# WRONG
file_path = base_dir + user_provided_path
# CORRECT — validate the path stays within bounds
def safe_path(base: Path, user_input: str) -> Path:
target = (base / user_input).resolve()
if not str(target).startswith(str(base.resolve())):
raise ValueError("Path traversal detected")
return target
Dependency Scanning
# Python — check for known vulnerabilities
pip install safety
safety check
# Or use pip-audit
pip install pip-audit
pip-audit
Incident Response Protocol
If a security issue is discovered:
- STOP — do not make further commits
- Assess the severity (CRITICAL / HIGH / MEDIUM / LOW)
- Create a private fix branch
- CRITICAL issues — fix and rotate affected secrets before ANY other work
- Document what was exposed and for how long
- Review the entire codebase for similar patterns
OWASP Top 10 Quick Reference
| Risk | Check |
|------|-------|
| Injection | Parameterized queries, input validation |
| Broken Auth | Server-side session, strong token validation |
| Sensitive Data Exposure | No secrets in code, encrypted storage |
| Security Misconfiguration | No debug mode in prod, remove defaults |
| XSS | Sanitize all user-controlled HTML output |
| CSRF | Validate origin, use CSRF tokens |
| Using Vulnerable Components | pip-audit, npm audit |
| Insufficient Logging | Log auth failures, suspicious patterns |
Related Skills
a2mus/tdd-workflow
development
VerifiedTrustedCommunity
Test-Driven Development workflow. Enforces RED → GREEN → REFACTOR cycle with 80% coverage gate. Use for all new features and bug fixes.
SKILL.mdUpdated Apr 25, 2026
a2mus/search-first
tools
VerifiedTrustedCommunity
Research-before-coding workflow. Search for existing tools, libraries, and patterns before writing custom code. Use whenever adding new functionality.
SKILL.mdUpdated Apr 25, 2026
a2mus/python-patterns
development
VerifiedTrustedCommunity
Comprehensive Python idioms, best practices, and patterns. Covers dataclasses, type hints, async, error handling, testing, and QGIS-specific patterns.
SKILL.mdUpdated Apr 25, 2026
a2mus/frontend-patterns
development
VerifiedTrustedCommunity
React and Next.js patterns — component architecture, state management, data fetching, performance optimization, accessibility, and TypeScript conventions for web apps.
SKILL.mdUpdated Apr 25, 2026