Security Review

Name: Security Review
Author: dilaz

dilaz/security-review-skill

Run a disciplined security review that combines scanners and manual analysis and only reports issues backed by working exploit proof-of-concepts.

Install

npx skills add https://github.com/dilaz/security-review-skill --skill security-review

What is this skill?

Iron Law: no finding is confirmed without a working exploit PoC
Workflow: automated scanners → manual review → exploit → severity documentation → report
Explicit branches for false positives and continued review coverage
Triggers on user input, command execution, file reads, and network-facing code paths
Outputs findings with documented severity only after successful exploitation

Adoption & trust: 1 installs on skills.sh; 7 GitHub stars; 0/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

Canonical shelf is Ship security because the skill targets pre-release audits and hard gates before production exposure. Security subphase covers vulnerability assessment, exploit validation, and severity documentation—not generic code style.

Common Questions / FAQ

Is Security Review safe to install?

skills.sh reports 0 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.

SKILL.md

READMESKILL.md - Security Review

# Security Review & Exploit Development

## Overview

Systematic security review using automated tools AND manual analysis, with working proof-of-concept exploits for every finding. **No vulnerability is confirmed until exploited.**

## The Iron Law

```
NO FINDING WITHOUT A WORKING EXPLOIT
```

Suspecting a vulnerability is worthless. You must prove exploitation.

## Workflow

```dot
digraph security_review {
    "Start review" [shape=doublecircle];
    "Run automated scanners" [shape=box];
    "Manual code review" [shape=box];
    "Vulnerability found?" [shape=diamond];
    "Write exploit PoC" [shape=box];
    "Exploit works?" [shape=diamond];
    "Document with severity" [shape=box];
    "Mark as false positive" [shape=box];
    "More to review?" [shape=diamond];
    "Generate report" [shape=doublecircle];

    "Start review" -> "Run automated scanners";
    "Run automated scanners" -> "Manual code review";
    "Manual code review" -> "Vulnerability found?";
    "Vulnerability found?" -> "Write exploit PoC" [label="yes"];
    "Vulnerability found?" -> "More to review?" [label="no"];
    "Write exploit PoC" -> "Exploit works?";
    "Exploit works?" -> "Document with severity" [label="yes"];
    "Exploit works?" -> "Mark as false positive" [label="no"];
    "Document with severity" -> "More to review?";
    "Mark as false positive" -> "More to review?";
    "More to review?" -> "Vulnerability found?" [label="yes"];
    "More to review?" -> "Generate report" [label="no"];
}
```

## Phase 1: Automated Scanning

**Run ALL applicable tools.** Don't skip tools because "manual review is enough."

### Static Analysis (SAST)

```bash
# Opengrep - Multi-language SAST (preferred over semgrep)
opengrep scan --config=auto --config=p/security-audit --config=p/owasp-top-ten .

# Bandit - Python security linter
bandit -r . -f json -o bandit-report.json

# ast-grep - Custom pattern matching (write rules for project-specific issues)
ast-grep scan --rule security-rules/

# ESLint security plugin (JS/TS)
npx eslint --plugin security --rule 'security/detect-child-process: error' .

# Gosec - Go security checker
gosec -fmt=json -out=gosec-report.json ./...
```

### Dependency Scanning (SCA)

```bash
# Trivy - Comprehensive vulnerability scanner
trivy fs --scanners vuln,secret,misconfig .

# Grype - Fast vulnerability scanner
grype dir:. -o json > grype-report.json

# pip-audit - Python dependencies
pip-audit --format=json -o pip-audit.json

# npm audit - Node.js dependencies
npm audit --json > npm-audit.json

# govulncheck - Go dependencies
govulncheck ./...
```

### Secret Detection

```bash
# Gitleaks - Find secrets in git history
gitleaks detect --source . --report-path gitleaks-report.json

# Trufflehog - Deep secret scanning
trufflehog filesystem . --json > trufflehog-report.json
```

### Container/Infrastructure

```bash
# Trivy for containers
trivy image --severity HIGH,CRITICAL <image-name>

# Checkov for IaC
checkov -d . --framework terraform,kubernetes,dockerfile
```

## Phase 2: Manual Code Review

Focus on these vulnerability categories in order of severity:

### Critical: Injection Vulnerabilities

| Type | Pattern to Find | Grep Command |
|------|-----------------|--------------|
| Command Injection | `exec`, `spawn`, `system`, `eval` | `grep -rn "exec\|spawn\|system\|eval\|Function(" --include="*.ts" --include="*.js"` |
| SQL Injection | String concatenation in queries | `grep -rn "query.*\+" --include="*.ts"` |
| Path Traversal | `readFile`, `resolve` without validation | `grep -rn "readFileSync\|readFile\|resolve" --include="*.ts"` |
| Template Injection | User input in templates | `grep -rn "render\|template" --include="*.ts"` |

### High: Authentication/

What is this skill?

Iron Law: no finding is confirmed without a working exploit PoC

Workflow: automated scanners → manual review → exploit → severity documentation → report

Explicit branches for false positives and continued review coverage

Triggers on user input, command execution, file reads, and network-facing code paths

Outputs findings with documented severity only after successful exploitation

Adoption & trust: 1 installs on skills.sh; 7 GitHub stars; 0/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Security Review

# Security Review & Exploit Development

## Overview

Systematic security review using automated tools AND manual analysis, with working proof-of-concept exploits for every finding. **No vulnerability is confirmed until exploited.**

## The Iron Law

```
NO FINDING WITHOUT A WORKING EXPLOIT
```

Suspecting a vulnerability is worthless. You must prove exploitation.

## Workflow

```dot
digraph security_review {
    "Start review" [shape=doublecircle];
    "Run automated scanners" [shape=box];
    "Manual code review" [shape=box];
    "Vulnerability found?" [shape=diamond];
    "Write exploit PoC" [shape=box];
    "Exploit works?" [shape=diamond];
    "Document with severity" [shape=box];
    "Mark as false positive" [shape=box];
    "More to review?" [shape=diamond];
    "Generate report" [shape=doublecircle];

    "Start review" -> "Run automated scanners";
    "Run automated scanners" -> "Manual code review";
    "Manual code review" -> "Vulnerability found?";
    "Vulnerability found?" -> "Write exploit PoC" [label="yes"];
    "Vulnerability found?" -> "More to review?" [label="no"];
    "Write exploit PoC" -> "Exploit works?";
    "Exploit works?" -> "Document with severity" [label="yes"];
    "Exploit works?" -> "Mark as false positive" [label="no"];
    "Document with severity" -> "More to review?";
    "Mark as false positive" -> "More to review?";
    "More to review?" -> "Vulnerability found?" [label="yes"];
    "More to review?" -> "Generate report" [label="no"];
}
```

## Phase 1: Automated Scanning

**Run ALL applicable tools.** Don't skip tools because "manual review is enough."

### Static Analysis (SAST)

```bash
# Opengrep - Multi-language SAST (preferred over semgrep)
opengrep scan --config=auto --config=p/security-audit --config=p/owasp-top-ten .

# Bandit - Python security linter
bandit -r . -f json -o bandit-report.json

# ast-grep - Custom pattern matching (write rules for project-specific issues)
ast-grep scan --rule security-rules/

# ESLint security plugin (JS/TS)
npx eslint --plugin security --rule 'security/detect-child-process: error' .

# Gosec - Go security checker
gosec -fmt=json -out=gosec-report.json ./...
```

### Dependency Scanning (SCA)

```bash
# Trivy - Comprehensive vulnerability scanner
trivy fs --scanners vuln,secret,misconfig .

# Grype - Fast vulnerability scanner
grype dir:. -o json > grype-report.json

# pip-audit - Python dependencies
pip-audit --format=json -o pip-audit.json

# npm audit - Node.js dependencies
npm audit --json > npm-audit.json

# govulncheck - Go dependencies
govulncheck ./...
```

### Secret Detection

```bash
# Gitleaks - Find secrets in git history
gitleaks detect --source . --report-path gitleaks-report.json

# Trufflehog - Deep secret scanning
trufflehog filesystem . --json > trufflehog-report.json
```

### Container/Infrastructure

```bash
# Trivy for containers
trivy image --severity HIGH,CRITICAL <image-name>

# Checkov for IaC
checkov -d . --framework terraform,kubernetes,dockerfile
```

## Phase 2: Manual Code Review

Focus on these vulnerability categories in order of severity:

### Critical: Injection Vulnerabilities

| Type | Pattern to Find | Grep Command |
|------|-----------------|--------------|
| Command Injection | `exec`, `spawn`, `system`, `eval` | `grep -rn "exec\|spawn\|system\|eval\|Function(" --include="*.ts" --include="*.js"` |
| SQL Injection | String concatenation in queries | `grep -rn "query.*\+" --include="*.ts"` |
| Path Traversal | `readFile`, `resolve` without validation | `grep -rn "readFileSync\|readFile\|resolve" --include="*.ts"` |
| Template Injection | User input in templates | `grep -rn "render\|template" --include="*.ts"` |

### High: Authentication/

Install

What is this skill?

Recommended Skills

Journey fit

Is Security Review safe to install?

SKILL.md

This week for builders

Install

What is this skill?

Recommended Skills

Journey fit

Is Security Review safe to install?

SKILL.md