pekral/security-review
skills/security-review/SKILL.md
Use when performing a focused security review for Laravel/PHP projects. Prioritize real exploitability, business logic flaws, and high-risk vulnerabilities.
$ install --global
skillsauthnpx skillsauth add pekral/cursor-rules security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 23, 2026, 6:36 AM82.7s2 files scanned
SKILL.md
- name:
- security-review
- description:
- Use when performing a focused security review for Laravel/PHP projects. Prioritize real exploitability, business logic flaws, and high-risk vulnerabilities.
- license:
- MIT
- author:
- Petr Král (pekral.cz)
Constraints
- Apply
@rules/php/core-standards.mdc - Apply
@rules/php/dependency-selection.mdc— when the audit recommends replacing a vulnerable package with a hardened alternative, run the Activity gate + Compatibility gate on the proposed replacement before recommending the swap. Never trade a vulnerable-but-maintained package for an archived / abandoned / branch-pinned one in the name of security. - Apply
@rules/code-review/general.mdc - Apply
@rules/security/backend.mdc - Apply
@rules/code-review/frontend.mdc - Apply
@rules/code-review/mobile.mdc - If the current project uses Laravel, also apply
@rules/laravel/laravel.mdc,@rules/laravel/architecture.mdc,@rules/laravel/filament.mdc, and@rules/laravel/livewire.mdc - Apply @rules/reports/general.mdc. When the audit findings are folded into the GitHub PR comment by a CR wrapper, they stay in canonical English per the rule's Exception — technical CR findings on the GitHub PR. When a non-technical summary is published on a linked issue / JIRA ticket via
@skills/pr-summary/SKILL.md, it follows the language of the source assignment. CVE / CWE / OWASP identifiers and code identifiers stay verbatim regardless of the surrounding prose language. - Focus on realistic, exploitable issues
- Never reveal secrets
- Read-only skill — never modify code, never stage / commit / push changes, and never run any git write operation (
git add,git commit,git push,git reset,git checkout -- …, etc.). Switching to the relevant branch andgit pullto read the latest diff are allowed; mutating the working tree or pushing to the remote is not. Output is the audit report only.
Scope
Perform a focused security review with emphasis on:
- real exploitability
- business logic flaws
- missing authorization
- unsafe data flows
Avoid generic best-practice noise.
Core Checks
Input & Injection
- SQL / command injection
- XSS (stored, reflected, DOM)
- unsafe deserialization
Authentication & Access Control
- missing authorization (IDOR / BOLA)
- privilege escalation
- broken access control
Data Exposure
- sensitive data leaks (API, logs, errors)
- unsafe error messages (stack traces, paths, DB details)
External Interaction (APIs & SSRF)
- outbound requests with user-controlled input
- missing domain allowlists
- access to internal/private IPs
- dangerous protocols (
file://,gopher://, etc.) - missing validation after redirects
- missing rate limiting or abuse protection
- third-party API contract — when the diff integrates with a third-party API or service, verify the security-critical aspects of the implementation against the public API documentation: authentication and scope handling, signature/webhook verification, idempotency and retry semantics, error envelopes, and rate-limit handling. Functional alignment with the issue assignment is owned by
@skills/code-review/SKILL.md— do not duplicate it here.
File Handling
- unsafe uploads (extension, MIME, signature)
- path traversal
- execution risk (files in webroot)
Dependencies & Configuration
- vulnerable packages (
composer.lock,composer audit) - unsafe configuration (uploads, execution, credentials)
Queues & Background Jobs
- retry abuse
- non-idempotent operations
- unsafe external calls
Prioritization
- Focus on issues that are:
- exploitable in real scenarios
- impactful (data access, privilege escalation, RCE)
- Deprioritize theoretical or low-impact findings
Report
Severity
- Critical
- High
- Medium
- Low
Each finding must include
- severity
- category (OWASP)
- location (file + line)
- description
- exploit scenario
- recommended fix
Reproducer fields (mandatory for Critical and High)
- Faulty Example — minimal code snippet or attacker payload that reproduces the vulnerability (redact secrets, tokens, and PII)
- Expected Behavior — single assertable security guarantee (rejection, authorization denial, escaped output, no side effect)
- Test Hint — one sentence pointing at the test layer (unit, feature, HTTP) and entry point
- Suggested Fix — minimal corrected code snippet that closes the vulnerability (parameterized query, authorization check, output escaping, signature verification, safer SDK call, etc.). Must comply with
@rules/php/core-standards.mdc,@rules/security/backend.mdc, and, for Laravel projects,@rules/laravel/architecture.mdc. Usen/a — <reason>only when the fix is purely configurational (env var, web-server header) and is described in the Recommended Fix narrative.
These fields exist so @skills/process-code-review/SKILL.md can turn each finding into a regression test and apply the fix without re-deriving the attack vector. Medium and Low findings may omit them when no behavior change is implied.
Output format
Use the template defined in templates/audit-report.md.
Related Skills
pekral/autoresolve-oldest-github-issue
development
VerifiedTrustedCommunity
Use when autonomously resolving the oldest open GitHub issue end-to-end. Picks the oldest open issue (optionally filtered by label, default `Resolve_by_AI`), delegates resolution to `resolve-issue`, then runs `code-review-github`, `process-code-review`, and `merge-github-pr` on the resulting pull request. Stops and reports any blocker (merge conflict, failing CI, unresolved Critical/Moderate findings) instead of force-merging.
2SKILL.mdUpdated May 23, 2026
pekral/security-threat-analysis
testing
VerifiedTrustedCommunity
Use when analyzing a specific security threat from a referenced source (CVE, GHSA, security advisory, blog post, or write-up). Produces a human-readable remediation report with step-by-step instructions an AI agent can follow to eliminate the threat in the current project.
2SKILL.mdUpdated May 19, 2026
pekral/prepare-issue-context
development
VerifiedTrustedCommunity
Use when preparing data and context before /resolve-issue, TDD, or CR runs. Loads the assignment, extracts every concrete user scenario from the task description and acceptance criteria, maps each scenario to the codebase, seeds the development database with the records needed to reproduce the bug or feature end-to-end, and reports any gap that would force the implementing agent to hallucinate.
2SKILL.mdUpdated May 19, 2026
pekral/tester-cookbook
development
VerifiedTrustedCommunity
Use when preparing a concise QA report for an internal tester from a JIRA task and its linked pull requests — focused on what the tester should report back to the dev team — and posting it as a JIRA comment.
2SKILL.mdUpdated May 16, 2026