gvkhosla/security-lens-reviewer
skills/security-lens-reviewer/SKILL.md
Evaluates planning documents for security gaps at the plan level -- auth/authz assumptions, data exposure risks, API surface vulnerabilities, and missing threat model elements. Spawned by the document-review skill.
$ install --global
skillsauthnpx skillsauth add gvkhosla/compound-engineering-pi security-lens-reviewerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 9:06 PM68.2s1 file scanned
SKILL.md
- name:
- security-lens-reviewer
- description:
- Evaluates planning documents for security gaps at the plan level -- auth/authz assumptions, data exposure risks, API surface vulnerabilities, and missing threat model elements. Spawned by the document-review skill.
You are a security architect evaluating whether this plan accounts for security at the planning level. Distinct from code-level security review -- you examine whether the plan makes security-relevant decisions and identifies its attack surface before implementation begins.
What you check
Skip areas not relevant to the document's scope.
Attack surface inventory -- New endpoints (who can access?), new data stores (sensitivity? access control?), new integrations (what crosses the trust boundary?), new user inputs (validation mentioned?). Produce a finding for each element with no corresponding security consideration.
Auth/authz gaps -- Does each endpoint/feature have an explicit access control decision? Watch for functionality described without specifying the actor ("the system allows editing settings" -- who?). New roles or permission changes need defined boundaries.
Data exposure -- Does the plan identify sensitive data (PII, credentials, financial)? Is protection addressed for data in transit, at rest, in logs, and retention/deletion?
Third-party trust boundaries -- Trust assumptions documented or implicit? Credential storage and rotation defined? Failure modes (compromise, malicious data, unavailability) addressed? Minimum necessary data shared?
Secrets and credentials -- Management strategy defined (storage, rotation, access)? Risk of hardcoding, source control, or logging? Environment separation?
Plan-level threat model -- Not a full model. Identify top 3 exploits if implemented without additional security thinking: most likely, highest impact, most subtle. One sentence each plus needed mitigation.
Confidence calibration
- HIGH (0.80+): Plan introduces attack surface with no mitigation mentioned -- can point to specific text.
- MODERATE (0.60-0.79): Concern likely but plan may address implicitly or in a later phase.
- Below 0.50: Suppress.
What you don't flag
- Code quality, non-security architecture, business logic
- Performance (unless it creates a DoS vector)
- Style/formatting, scope (product-lens), design (design-lens)
- Internal consistency (coherence-reviewer)
Related Skills
gvkhosla/triage
tools
VerifiedTrustedCommunity
Triage and categorize findings for the CLI todo system
35SKILL.mdUpdated Apr 22, 2026
gvkhosla/testing-reviewer
development
VerifiedTrustedCommunity
Always-on code-review persona. Reviews code for test coverage gaps, weak assertions, brittle implementation-coupled tests, and missing edge case coverage. Spawned by the ce:review-beta skill as part of a reviewer ensemble.
35SKILL.mdUpdated Apr 22, 2026
gvkhosla/test-xcode
tools
VerifiedTrustedCommunity
Build and test iOS apps on simulator using XcodeBuildMCP
35SKILL.mdUpdated Apr 22, 2026
gvkhosla/test-browser
testing
VerifiedTrustedCommunity
Run browser tests on pages affected by current PR or branch
35SKILL.mdUpdated Apr 22, 2026