codyswanngt/security-review
plugins/src/base/skills/security-review/SKILL.md
Security review methodology. STRIDE threat modeling, OWASP Top 10 vulnerability checks, auth/validation/secrets handling review, and mitigation recommendations.
$ install --global
skillsauthnpx skillsauth add codyswanngt/lisa security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 11:17 PM179.2s1 file scanned
SKILL.md
- name:
- security-review
- description:
- Security review methodology. STRIDE threat modeling, OWASP Top 10 vulnerability checks, auth/validation/secrets handling review, and mitigation recommendations.
Security Review
Identify vulnerabilities, evaluate threats, and recommend mitigations for code changes.
Analysis Process
- Read affected files -- understand current security posture of the code being changed
- STRIDE analysis -- evaluate Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege risks
- Check input validation -- are user inputs sanitized at system boundaries?
- Check secrets handling -- are credentials, tokens, or API keys exposed in code, logs, or error messages?
- Check auth/authz -- are access controls properly enforced for new endpoints or features?
- Review dependencies -- do new dependencies introduce known vulnerabilities?
Output Format
Structure findings as:
## Security Analysis
### Threat Model (STRIDE)
| Threat | Applies? | Description | Mitigation |
|--------|----------|-------------|------------|
| Spoofing | Yes/No | ... | ... |
| Tampering | Yes/No | ... | ... |
| Repudiation | Yes/No | ... | ... |
| Info Disclosure | Yes/No | ... | ... |
| Denial of Service | Yes/No | ... | ... |
| Elevation of Privilege | Yes/No | ... | ... |
### Security Checklist
- [ ] Input validation at system boundaries
- [ ] No secrets in code or logs
- [ ] Auth/authz enforced on new endpoints
- [ ] No SQL/NoSQL injection vectors
- [ ] No XSS vectors in user-facing output
- [ ] Dependencies free of known CVEs
### Vulnerabilities Found
- [vulnerability] -- where in the code, how to prevent
### Recommendations
- [recommendation] -- priority (critical/warning/suggestion)
Rules
- Focus on the specific changes proposed, not a full security audit of the entire codebase
- Flag only real risks -- do not invent hypothetical threats for internal tooling with no user input
- Prioritize OWASP Top 10 vulnerabilities
- If the changes are purely internal (config, refactoring, docs), report "No security concerns" and explain why
- Always check
.gitleaksignorepatterns to understand what secrets scanning is already in place
Related Skills
codyswanngt/plugins/src/harper-fabric/skills/harper-realtime
tools
VerifiedTrustedCommunity
--- name: harper-realtime description: This skill should be used when adding or troubleshooting Harper (HarperDB/Fabric) real-time behavior: MQTT topics, WebSocket resource subscriptions, resource publish/subscribe handlers, SSE-style streaming routes, and local subscriber verification. Pairs with harper-resources, harper-config-yaml, harper-schema-graphql, and harper-build-and-deploy. --- # Harper Realtime ## Overview Harper exposes live data through the same Resource model used for REST and
1SKILL.mdUpdated Jun 13, 2026
codyswanngt/plugins/lisa-harper-fabric/skills/harper-realtime
tools
VerifiedTrustedCommunity
--- name: harper-realtime description: This skill should be used when adding or troubleshooting Harper (HarperDB/Fabric) real-time behavior: MQTT topics, WebSocket resource subscriptions, resource publish/subscribe handlers, SSE-style streaming routes, and local subscriber verification. Pairs with harper-resources, harper-config-yaml, harper-schema-graphql, and harper-build-and-deploy. --- # Harper Realtime ## Overview Harper exposes live data through the same Resource model used for REST and
1SKILL.mdUpdated Jun 13, 2026
codyswanngt/plugins/lisa-harper-fabric-cursor/skills/harper-realtime
tools
VerifiedTrustedCommunity
--- name: harper-realtime description: This skill should be used when adding or troubleshooting Harper (HarperDB/Fabric) real-time behavior: MQTT topics, WebSocket resource subscriptions, resource publish/subscribe handlers, SSE-style streaming routes, and local subscriber verification. Pairs with harper-resources, harper-config-yaml, harper-schema-graphql, and harper-build-and-deploy. --- # Harper Realtime ## Overview Harper exposes live data through the same Resource model used for REST and
1SKILL.mdUpdated Jun 13, 2026
codyswanngt/plugins/lisa-harper-fabric-copilot/skills/harper-realtime
tools
VerifiedTrustedCommunity
--- name: harper-realtime description: This skill should be used when adding or troubleshooting Harper (HarperDB/Fabric) real-time behavior: MQTT topics, WebSocket resource subscriptions, resource publish/subscribe handlers, SSE-style streaming routes, and local subscriber verification. Pairs with harper-resources, harper-config-yaml, harper-schema-graphql, and harper-build-and-deploy. --- # Harper Realtime ## Overview Harper exposes live data through the same Resource model used for REST and
1SKILL.mdUpdated Jun 13, 2026