zaxbysauce/reviewing-security
.claude/skills/reviewing-security/SKILL.md
Inspect trust boundaries, validation, authn/authz, deserialization, command execution, path handling, secrets, and failure handling with an evidence-first security review.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add zaxbysauce/ragappv3 reviewing-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 12:45 PM27.6s1 file scanned
SKILL.md
- name:
- reviewing-security
- description:
- Inspect trust boundaries, validation, authn/authz, deserialization, command execution, path handling, secrets, and failure handling with an evidence-first security review.
Reviewing Security
Trust boundaries
Enumerate and inspect:
- HTTP inputs
- CLI args
- env vars
- file reads and writes
- subprocess invocations
- deserializers and parsers
- SQL and ORM boundaries
- IPC and queue inputs
- authn and authz checks
- template and rendering sinks
Mandatory questions
- Is input validated at the actual boundary?
- Can user input reach filesystem, shell, SQL, template, or render sinks?
- Are privileged operations guarded where they execute?
- Are secrets or tokens logged, hardcoded, or exposed in examples?
- Are errors swallowed instead of handled?
- Are there security-relevant defaults that fail open?
Hard fail conditions
- missing auth or authz on privileged path
- injection or path traversal risk
- unsafe deserialization or arbitrary code execution pattern
- secret exposure
- trust boundary with no meaningful validation
Related Skills
zaxbysauce/unswarm
development
VerifiedTrustedCommunity
Disable swarm mode for the current Claude Code session and return to normal behavior.
SKILL.mdUpdated Apr 16, 2026
zaxbysauce/swarm
development
VerifiedTrustedCommunity
Enable a high-quality swarm-like Claude Code workflow for the current session, and optionally execute a task immediately using that mode. Uses parallel subagents for breadth, independent reviewer validation for precision, and critic challenge for final confidence. Use when the user wants swarm-like behavior, higher review rigor, or maximum quality without sacrificing Claude Code speed.
SKILL.mdUpdated Apr 16, 2026
zaxbysauce/swarm-pr-review
tools
VerifiedTrustedCommunity
Run a swarm-like PR review using parallel exploration, independent reviewer validation, and critic challenge. Use for deep pull request review with low false-positive tolerance.
SKILL.mdUpdated Apr 16, 2026
zaxbysauce/.claude/skills/swarm-implement
development
VerifiedTrustedCommunity
--- name: swarm-implement description: Execute complex implementation work with a swarm-like Claude Code workflow: parallel exploration, scoped planning, selective deep validation, and independent reviewer/critic checks where risk justifies them. Use for feature work, bug fixes, refactors, and multi-file changes. disable-model-invocation: true --- # /swarm-implement Use this skill for implementation work when you want Claude Code to behave like a fast, high-quality swarm rather than a single-t
SKILL.mdUpdated Apr 16, 2026