iamkaf/security-review
skills/security-review/SKILL.md
Review a git diff, branch, or pull request for newly introduced, high-confidence security vulnerabilities. Use when the user asks for a security review, PR security pass, AppSec triage, exploitability check, or a low-noise audit of changed code, workflows, auth, input handling, secrets, or trust-boundary changes.
development
Updated May 28, 2026
$ install --global
skillsauthnpx skillsauth add iamkaf/skills security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 28, 2026, 7:47 AM252.7s6 files scanned
SKILL.md
- name:
- security-review
- description:
- Review a git diff, branch, or pull request for newly introduced, high-confidence security vulnerabilities. Use when the user asks for a security review, PR security pass, AppSec triage, exploitability check, or a low-noise audit of changed code, workflows, auth, input handling, secrets, or trust-boundary changes.
- license:
- MIT
- version:
- 1.0.0
Security Review
Review only newly introduced risk in the requested change set. Favor signal over coverage.
Start
- Confirm the review target: current branch diff, staged changes, a commit range, or a PR merge-base diff.
- Gather git context first. If command execution is available, use
scripts/git_review_context.pyto collect a structured snapshot. Otherwise gather the equivalent context manually: changed files, commit list, base ref, and diffstat. - Inspect the changed files, not just the diff summary. Trace data flow from untrusted input to sensitive sinks and across trust boundaries.
- Consult only the reference files that match the changed surface area.
- Report only findings that are new in this change set and have a concrete attack path.
Reference Map
- Read
references/review-checklist.mdfor the core workflow. - Read
references/web-and-api-findings.mdwhen the diff touches request handling, templates, auth, storage, serializers, file operations, shell execution, or outbound network calls. - Read
references/workflow-and-supply-chain.mdwhen the diff touches.github/workflows/, CI scripts, release automation, containers, package publishing, or build tooling. - Read
references/reporting-and-triage.mdbefore finalizing findings.
Evidence Bar
Require all of the following before reporting a finding:
- A plausible attacker-controlled source or trust-boundary crossing.
- A reachable vulnerable sink, privilege boundary, or sensitive side effect.
- Missing, bypassed, or broken mitigation in the current code path.
- Evidence that the issue is introduced or materially worsened by the reviewed change.
Prefer changed lines plus the minimum surrounding code needed to prove exploitability.
Focus Areas
Prioritize these categories:
- Injection with real attacker-controlled input: SQL, NoSQL, command, template, path traversal, XXE, unsafe deserialization.
- Broken authentication or authorization: missing permission checks, BOLA or IDOR, tenant-boundary leaks, privilege escalation, token or session flaws.
- Sensitive data exposure: secrets or PII newly logged, returned, persisted, or sent to third parties.
- Cryptographic trust failures: verification bypasses, weak randomness for secrets or tokens, insecure key handling.
- CI/CD and supply chain issues: untrusted workflow interpolation, dangerous
pull_request_targetflows, excessive token permissions with untrusted triggers, privileged third-party action risk. - SSRF only when attacker input can influence host, scheme, or a sensitive internal target.
- XSS only when the change introduces an unsafe sink or disables framework protections.
Noise Filters
Do not report:
- Pre-existing issues unless the change makes them exploitable or materially worse.
- Generic hardening advice without a concrete exploit path.
- Dependency age or upgrade advice by itself.
- Pure client-side missing auth checks with no server impact.
- Tests or docs unless they change live execution behavior.
Output
Return only high-signal findings. If nothing clears the bar, say so plainly.
Use the report format in references/reporting-and-triage.md.
Related Skills
iamkaf/imagegen-ui-match
testing
VerifiedTrustedCommunity
Use when implementing a UI from a visual mock and the user wants an imagegen-based compare-and-iterate workflow until the current page closely matches the target screenshot or mock. Covers browser screenshots, explicit side-by-side comparisons, imagegen visual audits, bitmap asset generation, and avoiding stale-reference mistakes.
SKILL.mdUpdated May 20, 2026
iamkaf/readme-improver
documentation
VerifiedTrustedCommunity
Transform boring, flat README files into polished, visually compelling project pages. Use when the user asks to improve, redesign, or make a README more interesting. Covers structure, copy, badges, banner images, and overall presentation. Produces GitHub-flavored Markdown that renders well on GitHub, npm, and similar platforms.
SKILL.mdUpdated Apr 21, 2026
iamkaf/vhs
tools
VerifiedTrustedCommunity
Create, edit, debug, or review Charmbracelet VHS terminal demo recordings and .tape files. Use when the task involves terminal GIFs/videos, VHS scripts, demo cassettes, CLI screencasts, reproducible terminal recordings, or converting terminal interactions into renderable tape files.
SKILL.mdUpdated Apr 20, 2026
iamkaf/effective-questioning
tools
VerifiedTrustedCommunity
Use when the user asks you to gather requirements, or when the request is vague and needs clarity before acting.
SKILL.mdUpdated Apr 20, 2026