robotti-io/authn-authz-review
skills/authn-authz-review/SKILL.md
Workflow to review authentication and authorization flows (sessions, tokens, RBAC/ABAC) and produce fix guidance.
$ install --global
skillsauthnpx skillsauth add robotti-io/copilot-security-instructions authn-authz-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 10:56 PM5.9s1 file scanned
SKILL.md
- name:
- authn-authz-review
- description:
- Workflow to review authentication and authorization flows (sessions, tokens, RBAC/ABAC) and produce fix guidance.
Authn/Authz Review
When to use
Use this skill when reviewing login, session management, token validation, or authorization checks.
Inputs to collect (if available)
- Auth model (session cookie vs bearer token vs mTLS)
- Deployment assumptions (internet-facing, internal-only, multi-tenant)
- Sensitive assets (PII, admin actions, money movement)
- Known roles/scopes/claims and intended policies
Step-by-step process
- Identify identities and trust boundaries
- Who is the user/service? How is identity asserted (cookie, bearer token, mTLS)?
- Where does authorization decision happen? Where is it enforced?
- Authentication checks
- Password handling: hashing, rate limits, lockouts, MFA hooks
- Session/token: issuance, expiry, rotation, revocation, audience/issuer validation
- Transport: TLS-only, secure cookie flags, CSRF defenses for cookie auth
- Authorization checks
- Define resources + actions (e.g.,
invoice:read,admin:user:delete) - Ensure checks are server-side and close to the boundary
- Watch for IDOR: user-controlled identifiers without ownership checks
- Define resources + actions (e.g.,
- Multi-tenant & privilege boundaries
- Tenant scoping on every query
- Admin vs user code paths; "act as" features
- Abuse cases
- Replay, token substitution, privilege escalation, forced browsing
- Deliver fixes
- Centralize policy decisions (middleware/service)
- Add negative tests for bypass attempts
Output checklist
- Token/session validation requirements
- Required claims/roles/scopes
- Authorization enforcement points
- Test cases to prevent bypass
Repo integration (optional)
Related prompts:
review-auth-flows.prompt.mdcheck-access-controls.prompt.md
Output format
- Summary: scope + top 3 risks + overall risk
- Findings (repeat): issue, severity/likelihood, where, evidence, recommendation, verification
- Policy checklist: required claims/roles/scopes + enforcement points
Examples
- “Cookie session app” → verify
HttpOnly/Secure/SameSite, CSRF defenses, and session rotation on privilege change.
Related Skills
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/access-control-review
testing
VerifiedTrustedCommunity
Analyze repository-grounded identity, access control, and authorization design with evidence-first reporting and script-validated Mermaid diagrams.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/dependency-cve-triage
content-media
VerifiedTrustedCommunity
Triage a dependency CVE using local repo evidence and remediation guidance.
39SKILL.mdUpdated Apr 19, 2026