skills/reviewing-security/SKILL.md
OWASP Top 10 security review. Use when: security, OWASP, XSS, SQL injection, セキュリティ, 脆弱性, cloud security, AWS, IAM, Terraform, クラウドセキュリティ, インフラ. Do NOT use for readability (reviewing-readability), type errors (reviewing-type-safety), or test design (reviewing-testability).
Install: `npx skillsauth add thkt/dotclaude reviewing-security` (works with Claude Code, Cursor, and Windsurf).
| ID | Category | Pattern | Fix |
| --- | --- | --- | --- |
| A01 | Broken Access Control | Missing auth, IDOR, path traversal | Auth middleware, ownership check |
| A02 | Cryptographic Failures | `password: 'plaintext'` | bcrypt/argon2 hashing |
| A03 | Injection | `` db.query(`SELECT...${id}`) `` | Parameterized query, ORM |
| A03 | Injection | `` exec(`ping ${host}`) `` | Input validation, library instead |
| A03 | XSS | `dangerouslySetInnerHTML` (static presence) | Default escaping, DOMPurify |
| A05 | Security Misconfiguration | `cors({ origin: '*' })` | Explicit origin allowlist |
| A05 | Security Misconfiguration | `cookie: {}` (no options) | `secure`, `httpOnly`, `sameSite: 'strict'` |
| A05 | Security Misconfiguration | `err.stack` in error response without `NODE_ENV` guard | Generic message in prod, log internally |
| A09 | Logging Failures | `logger.info({ password })` | Exclude sensitive fields |
| A10 | SSRF | `fetch(userInputUrl)` | URL validation, allowlist |
| A03 | XSS (Taint) | `dangerouslySetInnerHTML={{ __html }}` without sanitizer | `DOMPurify.sanitize()` at boundary |
| A03 | XSS (Taint) | Function arg → `innerHTML` without sanitization | Sanitize at function boundary |
| A03 | XSS (Taint) | `<a href={variable}>` with user-controlled URL | Protocol allowlist (https/http only) |
| A01 | Open Redirect (Taint) | URL param → `location.href` without validation | Domain allowlist or relative-only |
| A04 | Insecure Design | `postMessage` handler without origin check | Strict `event.origin` comparison |
| A02 | Sensitive Data Exposure | JWT stored in `localStorage`/`sessionStorage` | `httpOnly` cookie instead |
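Three rows of the table (`<a href={variable}>` protocol allowlist, open redirect via `location.href`, and `fetch(userInputUrl)` SSRF) share one control: validate the URL before it is used. The block below is an added example, not code from the thkt/dotclaude skill or its reference files. It uses only Node's built-in WHATWG `URL` class; the function names and the allowlist hosts (`app.example`, `api.example`) are constructed for illustration.

```javascript
// Added example (not part of the thkt/dotclaude skill): URL validation for the
// href (A03), open-redirect (A01) and SSRF (A10) rows above. Node's built-in
// WHATWG URL class does the parsing; no third-party packages.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// A03: <a href={variable}>. Only http(s) may reach an href attribute; anything
// else (javascript:, data:, vbscript:, ...) is rejected. A relative path is
// resolved against a placeholder base so it still counts as http(s). The
// WHATWG parser lowercases the scheme, so case tricks do not bypass the check.
function isSafeHref(value) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value.trim(), 'https://placeholder.invalid/');
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// A01: open redirect via a URL parameter written to location.href. Policy:
// relative-only by default (a single leading "/", never "//" or "/\", which
// browsers treat as scheme-relative), or an absolute http(s) URL whose
// hostname is on an explicit allowlist. Anything else returns the fallback.
function safeRedirectTarget(value, allowedHosts = [], fallback = '/') {
  if (typeof value !== 'string') return fallback;
  const raw = value.trim();
  if (/^\/(?![\/\\])/.test(raw)) return raw; // same-origin relative path
  let parsed;
  try {
    parsed = new URL(raw); // no base: a bare or scheme-relative value throws
  } catch {
    return fallback;
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return fallback;
  if (!allowedHosts.includes(parsed.hostname.toLowerCase())) return fallback;
  return parsed.href; // normalized (lowercase host, default port dropped)
}

// A10: fetch(userInputUrl). Require http(s), no embedded credentials, and a
// hostname on the allowlist. A reason is returned so the caller can log the
// rejection without logging the raw URL (which may carry secrets, cf. A09).
// Caveat: a name-based allowlist does not cover DNS rebinding; if that is in
// scope, also pin the resolved address at connect time.
function validateOutboundUrl(value, allowedHosts) {
  if (typeof value !== 'string') return { ok: false, reason: 'not-a-string' };
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return { ok: false, reason: 'protocol' };
  if (parsed.username || parsed.password) return { ok: false, reason: 'credentials' };
  if (!allowedHosts.includes(parsed.hostname.toLowerCase())) return { ok: false, reason: 'host' };
  return { ok: true, url: parsed.href };
}
```

`safeRedirectTarget` returns a value rather than a boolean so the call site cannot forget the fallback; `validateOutboundUrl` returns a reason so the rejection is loggable without echoing the input. Both rely on parsing first and comparing normalized fields (`protocol`, `hostname`) rather than string-prefix checks, which is what the taint rows in the table are asking for.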
Report findings with confidence >= 0.60. For 0.60-0.80: include `verification_hint`. For >= 0.80: include full exploit scenario and fix recommendation. Always include `file:line`.
| Topic | Scope | File |
| --------- | ---------------- | ------------------------------------------------------------ |
| Basic | A01, A02, A07 | ${CLAUDE_SKILL_DIR}/references/owasp-basic.md |
| Injection | A03 | ${CLAUDE_SKILL_DIR}/references/owasp-injection.md |
| Advanced | A04-A06, A08-A10 | ${CLAUDE_SKILL_DIR}/references/owasp-advanced.md |
| Cloud | IAM, IaC, CI/CD | ${CLAUDE_SKILL_DIR}/references/cloud-infrastructure.md |
| Frontend | Taint analysis | ${CLAUDE_SKILL_DIR}/references/frontend-taint-checklist.md |
tools
Internal helper for /think Step 11. Renders SOW.md + Spec.md as an integrated Astro view and returns a dev server URL.
development
Extract repository spec while detecting bugs, spec gaps, and consistency drift via dual-purpose documentation. OUTCOME.md-axis question-driven exploration with ephemeral output. Do NOT use for code review (use /audit or /polish), feature implementation (use /code), planning only (use /think), or single-bug fix (use /fix).
development
Discover undocumented design decisions and challenge each candidate via critic-design before promotion. Rank by impact and reversibility, produce ADR promotion candidates. Treat each candidate as a position arguing for ADR status, not a fact to be filed. Pairs with audit-adr-drift, which scans existing ADRs for drift against code.
development
Scan ADR Decision sections against current code and report drift with modification direction and priority. Do NOT use for repos without ADRs (use audit-adr-gaps instead).