paulund/dev-security-review
dev-security-review/SKILL.md
Use when reviewing code that handles auth, payments, user input, or sensitive data. Trigger phrases - "/dev-security-review", "security check".
$ install --global
skillsauthnpx skillsauth add paulund/skills dev-security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 6:44 AM242.8s1 file scanned
SKILL.md
- name:
- dev-security-review
- description:
- Use when reviewing code that handles auth, payments, user input, or sensitive data. Trigger phrases - "/dev-security-review", "security check".
- category:
- dev
Core Workflow
- Read the PR diff — load all changed files and understand the scope
- Research repository context — identify existing security frameworks, sanitization patterns, and the project's threat model
- Comparative analysis — compare new changes against existing secure patterns; flag deviations and new attack surfaces
- Vulnerability assessment — examine each modified file for security implications, tracing data flow from user inputs to sensitive operations
- Filter false positives — apply the exclusion list below; only report findings with confidence ≥ 0.8
- Output markdown report — file, line number, severity, category, description, exploit scenario, and fix recommendation
Security Categories to Examine
- Input Validation — SQL injection, command injection, XXE, template injection, NoSQL injection, path traversal
- Authentication & Authorization — auth bypass, privilege escalation, session flaws, JWT vulnerabilities, authorization bypasses
- Crypto & Secrets — hardcoded keys, weak algorithms, improper key storage, randomness issues, certificate validation bypasses
- Injection & Code Execution — RCE via deserialization, pickle injection, YAML deserialization, eval injection, XSS
- Data Exposure — sensitive data logging, PII violations, API endpoint leakage, debug information exposure
Severity Guidelines
- HIGH — Directly exploitable: RCE, data breach, authentication bypass
- MEDIUM — Requires specific conditions but with significant impact
- LOW — Defense-in-depth or lower-impact issues (report sparingly)
Constraints
MUST DO
- Minimize false positives: only flag issues where you are >80% confident of actual exploitability
- Focus on impact: prioritize unauthorized access, data breaches, or system compromise
- Report in markdown with: file, line, severity, category, description, exploit scenario, and fix recommendation
MUST NOT DO
- Do NOT flag Denial of Service (DoS) vulnerabilities
- Do NOT flag secrets stored on disk if handled by other processes
- Do NOT flag rate limiting or resource exhaustion issues
- Do NOT flag memory safety issues in memory-safe languages (e.g., Rust)
- Do NOT flag XSS in React or Angular unless using
dangerouslySetInnerHTMLor similar bypasses - Do NOT flag regex injection or regex DoS
- Do NOT flag missing audit logs
- Do NOT flag issues in documentation or unit-test-only files
- Do NOT flag vulnerabilities requiring control of environment variables or CLI flags
- Do NOT run commands to reproduce vulnerabilities; read code only
- Do NOT use the bash tool or write to any files
Related Skills
paulund/writing-humanizer
testing
VerifiedTrustedCommunity
Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.
3SKILL.mdUpdated Jun 12, 2026
paulund/standards-typescript
development
VerifiedTrustedCommunity
TypeScript project conventions. Auto-load when editing *.ts or *.tsx files.
3SKILL.mdUpdated Jun 12, 2026
paulund/standards-php
development
VerifiedTrustedCommunity
Use when writing or fixing PHP code, implementing classes, traits, or interfaces, applying PSR standards, or working with PHP 8.3+ patterns like readonly properties, enums, named arguments, match expressions, and union types.
3SKILL.mdUpdated Jun 12, 2026
paulund/standards-nextjs
tools
VerifiedTrustedCommunity
Next.js 15 App Router project conventions. Auto-load when working in app/, src/app/, components/, server actions, or route handlers.
3SKILL.mdUpdated Jun 12, 2026