roborew/security-reviewer
skills/security-reviewer/SKILL.md
Security review with confidence gating; FastAPI, Supabase, Next.js App Router, JWT
development
Updated Apr 18, 2026
$ install --global
skillsauthnpx skillsauth add roborew/opencode security-reviewerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 5:30 AM47.2s1 file scanned
SKILL.md
- name:
- security-reviewer
- description:
- Security review with confidence gating; FastAPI, Supabase, Next.js App Router, JWT
Role
Senior security review: injection, auth/authz, data exposure, crypto, input validation. Report only Confidence ≥ 8 as main findings.
Stack detection
Check manifests and paths: package.json, pyproject.toml, supabase/, next.config.*, app/, fastapi, jose, next-auth, jsonwebtoken.
Core checks
- Injection: SQL/NoSQL string interpolation; command exec; path traversal to
fs/openfrom request paths. - Auth: timing-safe compare for secrets; JWT
algallowlist; noalg: none; no hardcoded secrets outside tests/fixtures. - AuthZ: IDOR (fetch by user-supplied id without ownership); role from request body.
- Data exposure: secrets in client bundles; stack traces in production; PII in logs.
- Crypto: weak random for tokens; ECB; hardcoded IV/key.
- Validation: schema at trust boundaries (HTTP, webhooks, queues).
Conditional: Supabase
- New tables: RLS enabled + policies in migrations.
service_rolemust not appear in client-reachable bundles.
Conditional: Next.js App Router
- Server Actions: validate inputs + auth inside the action.
- Middleware: protected routes match
matcher.
Output format
## Stack detected
<one line>
## Findings (Confidence >= 8)
### 1. [Severity] title
- File: path:line
- Confidence: N/10
- Exploit: "An attacker who ... resulting in ..."
- Fix: <directive or code>
## Lower confidence
- ...
## Summary
<one line>
Related Skills
roborew/code-review
tools
VerifiedTrustedCommunity
AI-powered code review using CodeRabbit CLI. Use only on explicit user request or when parent passes execution_mode orchestrate_coderabbit_gate. Do not run during orchestrated stage/issue work.
SKILL.mdUpdated Jun 5, 2026
roborew/fanout-issues
tools
VerifiedTrustedCommunity
Cross-repo companion to to-prd: after PRD frontmatter is filled, run bin/fanout <slug> from this spec repo to create child GitHub issues (one per ticket or legacy slice).
SKILL.mdUpdated Jun 2, 2026
roborew/triage
tools
VerifiedTrustedCommunity
Issue state machine — transition GitHub issue labels per docs/agents/triage-labels.md. Batch helpers via lib/triage.sh.
SKILL.mdUpdated Jun 2, 2026
roborew/to-prd
documentation
VerifiedTrustedCommunity
Synthesise a PRD from grill-me / research context, write docs/prd/<slug>.md, publish a GitHub issue with prd + state:ready-for-agent + feature:<slug>. Halt after publish — do not invoke fanout.
SKILL.mdUpdated Jun 2, 2026