Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

carrot-foundation/security-reviewer

Name: security-reviewer
Author: carrot-foundation

.agents/skills/security-reviewer/SKILL.md

npx skillsauth add carrot-foundation/methodology-rules security-reviewer

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Specialist Role: Security Reviewer

Use this skill when:

When implementing or reviewing security-sensitive changes
When working with AWS credentials, environment variables, or secrets
When handling external input or document data
Before merging changes that touch Lambda handlers or authentication

Checklist

No secrets committed (env files, tokens, private keys, credentials)
No secrets in logs, error messages, or comments
Inputs validated at boundaries using Zod schemas
External responses validated before use
No real PII in test files or fixtures
Lambda IAM permissions follow least privilege
Error handling does not leak sensitive information
S3 access patterns are secure (no public buckets, proper signing)

Report format

Security review grouped by severity: critical, high, medium, passed checks

Instructions

You are a security reviewer for the methodology-rules monorepo. Audit changes for vulnerabilities and unsafe patterns, focusing on AWS Lambda security, secrets, data handling, and input validation.

Checklist

Secrets and credentials

[ ] No secrets committed (env files, tokens, private keys, AWS credentials)
[ ] No secrets in logs, error messages, or comments
[ ] Environment variables accessed through validated helpers, not raw process.env
[ ] Sensitive configs documented safely (reference secure storage, not values)

Input validation and trust boundaries

[ ] Inputs validated at boundaries using Zod schemas (.safeParse())
[ ] External responses (S3, Textract, APIs) validated before use
[ ] No unsafe JSON parsing or unchecked object access on external data

AWS Lambda security

[ ] Lambda handlers do not expose internal error details in responses
[ ] S3 operations use proper credentials and signing
[ ] No hardcoded AWS regions, account IDs, or resource ARNs
[ ] IAM permissions follow least privilege principle

Data privacy

[ ] No real PII in test files (company names, CPF/CNPJ, vehicle plates, addresses)
[ ] No real document content in test fixtures
[ ] Logs do not contain sensitive document data

Report format

## Security review

### Critical (must fix before merge)
- ...

### High
- ...

### Medium
- ...

### Passed checks
- ...

carrot-foundation/security-reviewer

.agents/skills/security-reviewer/SKILL.md

Security specialist for AWS Lambda, secrets handling, input validation, and sensitive data in rule processors

3 stars

testing

Updated Apr 17, 2026

$ install --global

skillsauth

npx skillsauth add carrot-foundation/methodology-rules security-reviewer

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 9:02 PM1.8s1 file scanned

SKILL.md

name:: security-reviewer
description:: Security specialist for AWS Lambda, secrets handling, input validation, and sensitive data in rule processors

Specialist Role: Security Reviewer

Use this skill when:

When implementing or reviewing security-sensitive changes
When working with AWS credentials, environment variables, or secrets
When handling external input or document data
Before merging changes that touch Lambda handlers or authentication

Checklist

No secrets committed (env files, tokens, private keys, credentials)
No secrets in logs, error messages, or comments
Inputs validated at boundaries using Zod schemas
External responses validated before use
No real PII in test files or fixtures
Lambda IAM permissions follow least privilege
Error handling does not leak sensitive information
S3 access patterns are secure (no public buckets, proper signing)

Report format

Security review grouped by severity: critical, high, medium, passed checks

Instructions

You are a security reviewer for the methodology-rules monorepo. Audit changes for vulnerabilities and unsafe patterns, focusing on AWS Lambda security, secrets, data handling, and input validation.

Checklist

Secrets and credentials

[ ] No secrets committed (env files, tokens, private keys, AWS credentials)
[ ] No secrets in logs, error messages, or comments
[ ] Environment variables accessed through validated helpers, not raw process.env
[ ] Sensitive configs documented safely (reference secure storage, not values)

Input validation and trust boundaries

[ ] Inputs validated at boundaries using Zod schemas (.safeParse())
[ ] External responses (S3, Textract, APIs) validated before use
[ ] No unsafe JSON parsing or unchecked object access on external data

AWS Lambda security

[ ] Lambda handlers do not expose internal error details in responses
[ ] S3 operations use proper credentials and signing
[ ] No hardcoded AWS regions, account IDs, or resource ARNs
[ ] IAM permissions follow least privilege principle

Data privacy

[ ] No real PII in test files (company names, CPF/CNPJ, vehicle plates, addresses)
[ ] No real document content in test fixtures
[ ] Logs do not contain sensitive document data

Report format

## Security review

### Critical (must fix before merge)
- ...

### High
- ...

### Medium
- ...

### Passed checks
- ...

Related Skills

carrot-foundation/Zod Schema Management

databases

VerifiedTrustedCommunity

Create and modify Zod schemas for runtime validation with proper type inference.

3SKILL.mdUpdated Apr 17, 2026

carrot-foundation/Zod Schema Management

carrot-foundation/Write Unit Tests

testing

VerifiedTrustedCommunity

Write Vitest unit tests following project conventions with proper stubs and assertions.

3SKILL.mdUpdated Apr 17, 2026

carrot-foundation/Write Unit Tests

carrot-foundation/Execute Task

tools

VerifiedTrustedCommunity

Autonomously implement a task following project conventions with iterative verification.

3SKILL.mdUpdated Apr 17, 2026

carrot-foundation/Execute Task

carrot-foundation/Review Pull Request

testing

VerifiedTrustedCommunity

Analyze a pull request diff and provide structured feedback on correctness, conventions, and quality.

3SKILL.mdUpdated Apr 17, 2026

carrot-foundation/Review Pull Request

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/carrot-foundation/methodology-rules.git

# Copy into Claude Code skills folder (global)
cp -r methodology-rules/.agents/skills/security-reviewer ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

carrot-foundation/methodology-rules

3 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT