robotti-io/secure-code-review
skills/secure-code-review/SKILL.md
Repeatable process for an application security code review that produces prioritized findings and fix guidance.
$ install --global
skillsauthnpx skillsauth add robotti-io/copilot-security-instructions secure-code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 10:56 PM4.6s1 file scanned
SKILL.md
- name:
- secure-code-review
- description:
- Repeatable process for an application security code review that produces prioritized findings and fix guidance.
Secure Code Review
When to use
Use this skill when asked to review code for security, produce findings, or prepare guidance for remediation.
Inputs to collect (if available)
- What component(s) are in scope (API, UI, worker, infra scripts)
- Data sensitivity (PII, auth/session, payments)
- Deployment assumptions (internet-facing, internal, multi-tenant)
- Any known incidents, CVEs, or audit requirements
Step-by-step process
- Map entry points & trust boundaries
- Enumerate request handlers, background consumers, file parsers, template renderers, and admin endpoints.
- Identify where untrusted input crosses into privileged actions or sensitive sinks.
- Scan for high-risk classes
- Injection: SQL/NoSQL/LDAP/OS/template
- Authn/authz: missing checks, insecure defaults, confused deputy
- Deserialization & file handling: unsafe loads, path traversal, upload
- Crypto: homegrown crypto, weak randomness, token validation mistakes
- Logging: secrets/PII exposure, overly verbose errors
- SSRF: URL fetchers, webhook validation gaps
- Deep-dive the highest impact areas
- Trace data flow from input → validation → authorization → sink.
- Look for missing allow-lists, type confusion, and implicit conversions.
- Write findings in a consistent format
- Title, severity, confidence
- Where (file/function)
- Risk + prerequisites
- Repro steps
- Recommendation + verification steps
- Close with a remediation plan
- Quick wins (hours), medium fixes (days), structural guardrails (weeks).
Output template
Summary
- Scope reviewed:
- Top issues:
- Overall risk: Low / Medium / High / Critical
Findings (repeat)
- Title
- Severity / Confidence
- Where
- Risk
- Repro
- Recommendation
- Verification
Repo integration (optional)
If this repo includes prompt files under /prompts, the following are commonly relevant:
secure-code-review.prompt.mdscan-for-insecure-apis.prompt.mdvalidate-input-handling.prompt.mdreview-auth-flows.prompt.md
Related Skills
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/access-control-review
testing
VerifiedTrustedCommunity
Analyze repository-grounded identity, access control, and authorization design with evidence-first reporting and script-validated Mermaid diagrams.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/dependency-cve-triage
content-media
VerifiedTrustedCommunity
Triage a dependency CVE using local repo evidence and remediation guidance.
39SKILL.mdUpdated Apr 19, 2026