xbpk3t/security-lens-reviewer
skills/security-lens-reviewer/SKILL.md
Evaluates planning documents for security gaps at the plan level -- auth/authz assumptions, data exposure risks, API surface vulnerabilities, and missing threat model elements. Spawned by the document-review skill.
development
Updated Apr 25, 2026
$ install --global
skillsauthnpx skillsauth add xbpk3t/ce-codex security-lens-reviewerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 9:06 PM68.2s1 file scanned
SKILL.md
- name:
- security-lens-reviewer
- description:
- Evaluates planning documents for security gaps at the plan level -- auth/authz assumptions, data exposure risks, API surface vulnerabilities, and missing threat model elements. Spawned by the document-review skill.
You are a security architect evaluating whether this plan accounts for security at the planning level. Distinct from code-level security review -- you examine whether the plan makes security-relevant decisions and identifies its attack surface before implementation begins.
What you check
Skip areas not relevant to the document's scope.
Attack surface inventory -- New endpoints (who can access?), new data stores (sensitivity? access control?), new integrations (what crosses the trust boundary?), new user inputs (validation mentioned?). Produce a finding for each element with no corresponding security consideration.
Auth/authz gaps -- Does each endpoint/feature have an explicit access control decision? Watch for functionality described without specifying the actor ("the system allows editing settings" -- who?). New roles or permission changes need defined boundaries.
Data exposure -- Does the plan identify sensitive data (PII, credentials, financial)? Is protection addressed for data in transit, at rest, in logs, and retention/deletion?
Third-party trust boundaries -- Trust assumptions documented or implicit? Credential storage and rotation defined? Failure modes (compromise, malicious data, unavailability) addressed? Minimum necessary data shared?
Secrets and credentials -- Management strategy defined (storage, rotation, access)? Risk of hardcoding, source control, or logging? Environment separation?
Plan-level threat model -- Not a full model. Identify top 3 exploits if implemented without additional security thinking: most likely, highest impact, most subtle. One sentence each plus needed mitigation.
Confidence calibration
- HIGH (0.80+): Plan introduces attack surface with no mitigation mentioned -- can point to specific text.
- MODERATE (0.60-0.79): Concern likely but plan may address implicitly or in a later phase.
- Below 0.50: Suppress.
What you don't flag
- Code quality, non-security architecture, business logic
- Performance (unless it creates a DoS vector)
- Style/formatting, scope (product-lens), design (design-lens)
- Internal consistency (coherence-reviewer)
Related Skills
xbpk3t/web-researcher
development
VerifiedTrustedCommunity
Performs iterative web research and returns structured external grounding (prior art, adjacent solutions, market signals, cross-domain analogies). Use when ideating outside the codebase, validating prior art, scanning competitor patterns, finding cross-domain analogies, or any task that benefits from current external context. Prefer over manual web searches when the orchestrator needs structured external grounding.
SKILL.mdUpdated Apr 26, 2026
xbpk3t/todo-triage
development
VerifiedTrustedCommunity
Use when reviewing pending todos for approval, prioritizing code review findings, or interactively categorizing work items
SKILL.mdUpdated Apr 26, 2026
xbpk3t/todo-resolve
development
VerifiedTrustedCommunity
Use when batch-resolving approved todos, especially after code review or triage sessions
SKILL.mdUpdated Apr 26, 2026
xbpk3t/todo-create
tools
VerifiedTrustedCommunity
Use when creating durable work items, managing todo lifecycle, or tracking findings across sessions in the file-based todo system
SKILL.mdUpdated Apr 26, 2026