sd0xdev/security-review
skills/security-review/SKILL.md
Security review via Codex MCP. Use when: OWASP Top 10 audit, dependency vulnerability check, security-sensitive changes. Not for: code review (use codex-code-review), test review (use test-review). Output: security findings + audit report.
$ install --global
skillsauthnpx skillsauth add sd0xdev/sd0x-dev-flow security-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 4:14 AM30.0s3 files scanned
SKILL.md
- name:
- security-review
- description:
- Security review via Codex MCP. Use when: OWASP Top 10 audit, dependency vulnerability check, security-sensitive changes. Not for: code review (use codex-code-review), test review (use test-review). Output: security findings + audit report.
- allowed-tools:
- mcp__codex__codex, mcp__codex__codex-reply, Bash(git:*), Read, Grep, Glob
- context:
- fork
- agent:
- Explore
Security Review Skill
Trigger
- Keywords: security review, OWASP, vulnerability, dep-audit, npm audit, dependency security
When NOT to Use
- General code review (use
codex-code-review) - Functional testing (use
test-review) - Performance issues (not security-related)
Commands
| Command | Purpose | When |
| ----------------- | ------------------------ | ----------------------- |
| /codex-security | OWASP Top 10 audit | Security-sensitive code |
| /dep-audit | Dependency security audit | Periodic / PR |
Workflow: /codex-security
Determine scope → Collect changes → Codex OWASP review → Findings + Gate → Loop if Must fix
Step 1: Determine Scope
Parse --scope from arguments, default to src/.
Step 2: Collect Code Changes
Priority order:
- Uncommitted changes:
git diff HEAD -- <scope> | head -1500 - Recent commits:
git diff HEAD~5..HEAD -- <scope> | head -1500 - Key security files:
Glob("**/*{auth,login,password,token,secret,key,credential}*")
Step 3: Codex Security Review
First review: mcp__codex__codex with OWASP prompt. See references/codex-prompt-security.md.
Config: sandbox: 'read-only', approval-policy: 'never'
Save the returned threadId.
Loop review: mcp__codex__codex-reply with re-review template. See references/codex-prompt-security.md.
Step 4: Consolidate Output
Organize results into findings summary table + detailed findings + gate.
OWASP Top 10
| Code | Category | Check Focus | | ---- | ------------------ | ------------------------------------ | | A01 | Broken Access Ctrl | IDOR, permission bypass, CORS | | A02 | Crypto Failures | Sensitive data encryption, weak crypto | | A03 | Injection | SQL/NoSQL/Cmd Injection | | A04 | Insecure Design | Rate Limiting, business logic | | A05 | Misconfiguration | Debug mode, default passwords | | A06 | Vulnerable Comp | Known vulnerable dependencies | | A07 | Auth Failures | Brute force, session, weak passwords | | A08 | Integrity Failures | Deserialization, CI/CD | | A09 | Logging Failures | Sensitive data in logs, auditing | | A10 | SSRF | URL validation, internal network access |
Review Loop
⚠️ @CLAUDE.md auto-loop: fix → re-review → ... → ✅ PASS ⚠️
⛔ Must fix → fix P0 issues → /codex-security --continue <threadId> → repeat until ✅ Mergeable.
Max 3 rounds. Still failing → report blocker.
Verification
- [ ] Each issue tagged with severity (P0/P1/P2)
- [ ] Gate is explicit (✅ Mergeable / ⛔ Must fix)
- [ ] Fix recommendations are specific and actionable
- [ ] Includes verification test method
- [ ] Codex independently researched auth/input/sensitive code
References
- OWASP prompt:
references/codex-prompt-security.md - Examples:
references/examples.md - Standards: @rules/security.md
Examples
Input: /codex-security --scope src/controller/
Action: OWASP Top 10 check → output issues + Gate
Input: /dep-audit --level high
Action: npm audit → filter high/critical → output report
Related Skills
sd0xdev/zh-tw
documentation
VerifiedTrustedCommunity
Rewrite the previous reply in Traditional Chinese
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/watch-ci
development
VerifiedTrustedCommunity
Monitor GitHub Actions CI runs until completion. Use when: watching CI after push, checking build status, monitoring PR checks, waiting for CI completion, user says 'watch CI', 'check CI', 'CI status', 'monitor build', or /watch-ci. Not for: pushing code (use push-ci), creating PRs (use create-pr). Output: per-run verdict (pass/fail/timeout).
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/verify
development
VerifiedTrustedCommunity
Verification loop — lint -> typecheck -> unit -> integration -> e2e
147SKILL.mdUpdated Apr 28, 2026
sd0xdev/update-docs
development
VerifiedTrustedCommunity
Research current code state then update corresponding docs, ensuring docs stay in sync with code.
147SKILL.mdUpdated Apr 28, 2026