codyswanngt/security-review
plugins/lisa-agy/skills/security-review/SKILL.md
Security review methodology. STRIDE threat modeling, OWASP Top 10 vulnerability checks, auth/validation/secrets handling review, and mitigation recommendations.
$ install --global
skillsauthnpx skillsauth add codyswanngt/lisa security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 5:02 AM35.2s1 file scanned
SKILL.md
- name:
- security-review
- description:
- Security review methodology. STRIDE threat modeling, OWASP Top 10 vulnerability checks, auth/validation/secrets handling review, and mitigation recommendations.
Security Review
Identify vulnerabilities, evaluate threats, and recommend mitigations for code changes.
Analysis Process
- Read affected files -- understand current security posture of the code being changed
- STRIDE analysis -- evaluate Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege risks
- Check input validation -- are user inputs sanitized at system boundaries?
- Check secrets handling -- are credentials, tokens, or API keys exposed in code, logs, or error messages?
- Check auth/authz -- are access controls properly enforced for new endpoints or features?
- Review dependencies -- do new dependencies introduce known vulnerabilities?
Output Format
Structure findings as:
## Security Analysis
### Threat Model (STRIDE)
| Threat | Applies? | Description | Mitigation |
|--------|----------|-------------|------------|
| Spoofing | Yes/No | ... | ... |
| Tampering | Yes/No | ... | ... |
| Repudiation | Yes/No | ... | ... |
| Info Disclosure | Yes/No | ... | ... |
| Denial of Service | Yes/No | ... | ... |
| Elevation of Privilege | Yes/No | ... | ... |
### Security Checklist
- [ ] Input validation at system boundaries
- [ ] No secrets in code or logs
- [ ] Auth/authz enforced on new endpoints
- [ ] No SQL/NoSQL injection vectors
- [ ] No XSS vectors in user-facing output
- [ ] Dependencies free of known CVEs
### Vulnerabilities Found
- [vulnerability] -- where in the code, how to prevent
### Recommendations
- [recommendation] -- priority (critical/warning/suggestion)
Rules
- Focus on the specific changes proposed, not a full security audit of the entire codebase
- Flag only real risks -- do not invent hypothetical threats for internal tooling with no user input
- Prioritize OWASP Top 10 vulnerabilities
- If the changes are purely internal (config, refactoring, docs), report "No security concerns" and explain why
- Always check
.gitleaksignorepatterns to understand what secrets scanning is already in place
Related Skills
codyswanngt/use-dom
development
VerifiedTrustedCommunity
Use Expo DOM components to run web code in a webview on native and as-is on web. Migrate web code to native incrementally.
1SKILL.mdUpdated Jun 6, 2026
codyswanngt/upgrading-expo
development
VerifiedTrustedCommunity
Guidelines for upgrading Expo SDK versions and fixing dependency issues
1SKILL.mdUpdated Jun 6, 2026
codyswanngt/native-data-fetching
development
VerifiedTrustedCommunity
Use when implementing or debugging ANY network request, API call, or data fetching. Covers fetch API, React Query, SWR, error handling, caching, offline support, and Expo Router data loaders (`useLoaderData`).
1SKILL.mdUpdated Jun 6, 2026
codyswanngt/Expo UI SwiftUI
tools
VerifiedTrustedCommunity
`@expo/ui/swift-ui` package lets you use SwiftUI Views and modifiers in your app.
1SKILL.mdUpdated Jun 6, 2026