Security Review
Run a structured security pass with FAIL/PASS patterns when you add auth, APIs, secrets, uploads, or payments.
Overview
Security Review is an agent skill most often used in Ship (also Build) that applies a comprehensive security checklist and FAIL/PASS code patterns for auth, secrets, APIs, and sensitive features.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill security-reviewWhat is this skill?
- Activate on authentication, authorization, user input, uploads, new APIs, secrets, payments, and third-party integration
- Secrets Management section with hard FAIL examples vs env-based PASS patterns
- Verification checklist for .gitignore, git history, and hosting-platform secret stores
- Input validation guidance with schema-driven examples (e.g. Zod)
- Organized as a comprehensive security checklist across vulnerability classes
- Dedicated Secrets Management section with FAIL vs PASS code blocks and 5 verification checkboxes
- Seven explicit When to Activate trigger categories
Adoption & trust: 10k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping auth, APIs, or payments fast with an AI coder and need a repeatable guardrail against hardcoded secrets, missing validation, and unsafe defaults.
Who is it for?
Indie SaaS and API builders implementing login, file upload, webhooks, or payment flows with agent-generated TypeScript or similar stacks.
Skip if: Purely static sites with no user data, or teams that already run formal SAST/DAST pipelines and only need ticket triage—not agent-led checklist review.
When should I use this skill?
Adding authentication, handling user input or uploads, creating API endpoints, working with secrets, implementing payment or sensitive features, or integrating third-party APIs.
What do I get? / Deliverables
You get section-by-section review outcomes aligned to ECC checklists, with concrete remediation patterns before you merge or deploy.
- Security checklist completion notes per section
- Remediation guidance using PASS patterns (env vars, validation schemas)
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/security is the canonical shelf because the skill is framed as review and checklist validation before production exposure. security subphase matches explicit triggers: auth, input, endpoints, credentials, and sensitive data handling.
Where it fits
While adding a POST handler, run the skill to enforce env-based secrets and Zod validation on the request body.
Pre-launch pass verifying no credentials in git history and production secrets live only on the host platform.
Treat checklist items as merge gate criteria before approving an agent-generated payment integration PR.
How it compares
Agent-side procedural review skill, not an MCP vulnerability scanner or hosted SAST product.
Common Questions / FAQ
Who is security-review for?
Solo builders using Claude Code or Cursor who want a structured security ritual whenever code touches credentials, users, or money.
When should I use security-review?
In Build while implementing auth or API endpoints, and in Ship before launch when validating secrets, input schemas, and payment integrations.
Is security-review safe to install?
It is instructional content from the ECC bundle; read SKILL.md scope and review the Security Audits panel on this Prism page—do not treat checklist pass as a formal audit.
SKILL.md
READMESKILL.md - Security Review
# Security Review Skill This skill ensures all code follows security best practices and identifies potential vulnerabilities. ## When to Activate - Implementing authentication or authorization - Handling user input or file uploads - Creating new API endpoints - Working with secrets or credentials - Implementing payment features - Storing or transmitting sensitive data - Integrating third-party APIs ## Security Checklist ### 1. Secrets Management #### FAIL: NEVER Do This ```typescript const apiKey = "sk-proj-xxxxx" // Hardcoded secret const dbPassword = "password123" // In source code ``` #### PASS: ALWAYS Do This ```typescript const apiKey = process.env.OPENAI_API_KEY const dbUrl = process.env.DATABASE_URL // Verify secrets exist if (!apiKey) { throw new Error('OPENAI_API_KEY not configured') } ``` #### Verification Steps - [ ] No hardcoded API keys, tokens, or passwords - [ ] All secrets in environment variables - [ ] `.env.local` in .gitignore - [ ] No secrets in git history - [ ] Production secrets in hosting platform (Vercel, Railway) ### 2. Input Validation #### Always Validate User Input ```typescript import { z } from 'zod' // Define validation schema const CreateUserSchema = z.object({ email: z.string().email(), name: z.string().min(1).max(100), age: z.number().int().min(0).max(150) }) // Validate before processing export async function createUser(input: unknown) { try { const validated = CreateUserSchema.parse(input) return await db.users.create(validated) } catch (error) { if (error instanceof z.ZodError) { return { success: false, errors: error.errors } } throw error } } ``` #### File Upload Validation ```typescript function validateFileUpload(file: File) { // Size check (5MB max) const maxSize = 5 * 1024 * 1024 if (file.size > maxSize) { throw new Error('File too large (max 5MB)') } // Type check const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'] if (!allowedTypes.includes(file.type)) { throw new Error('Invalid file type') } // Extension check const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'] const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0] if (!extension || !allowedExtensions.includes(extension)) { throw new Error('Invalid file extension') } return true } ``` #### Verification Steps - [ ] All user inputs validated with schemas - [ ] File uploads restricted (size, type, extension) - [ ] No direct use of user input in queries - [ ] Whitelist validation (not blacklist) - [ ] Error messages don't leak sensitive info ### 3. SQL Injection Prevention #### FAIL: NEVER Concatenate SQL ```typescript // DANGEROUS - SQL Injection vulnerability const query = `SELECT * FROM users WHERE email = '${userEmail}'` await db.query(query) ``` #### PASS: ALWAYS Use Parameterized Queries ```typescript // Safe - parameterized query const { data } = await supabase .from('users') .select('*') .eq('email', userEmail) // Or with raw SQL await db.query( 'SELECT * FROM users WHERE email = $1', [userEmail] ) ``` #### Verification Steps - [ ] All database queries use parameterized queries - [ ] No string concatenation in SQL - [ ] ORM/query builder used correctly - [ ] Supabase queries properly sanitized ### 4. Authentication & Authorization #### JWT Token Handling ```typescript // FAIL: WRONG: localStorage (vulnerable to XSS) localStorage.setItem('token', token) // PASS: CORRECT: httpOnly cookies res.setHeader('Set-Cookie', `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) ``` #### Authorization Checks ```typescript export async function deleteUser(userId: string, requesterId: string) { // ALWAYS verify authoriz