
Security Review
Run a consistent security pass while adding auth, APIs, uploads, payments, or third-party integrations so secrets and user input are handled safely.
Overview
security-review is an agent skill most often used in Ship—security (also Build—backend, Ship—review) that enforces security best practices and surfaces common vulnerabilities during implementation.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill security-review
What is this skill?
- Trigger list covers auth, user input, file uploads, new API endpoints, secrets, payments, and third-party APIs
- Secrets management section with hardcoded-vs-env anti-patterns and configuration verification steps
- Input validation guidance with schema-style validation examples
- Checkbox-style verification steps across secrets and related controls
- Community cc-skill-security-review package aligned with secure-by-default implementation
- Security checklist organized into numbered sections starting with Secrets Management and Input Validation
Adoption & trust: 1.8k installs on skills.sh; 40.1k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping features fast and worry that API keys, validation gaps, or new endpoints introduce preventable security holes.
Who is it for?
Indie developers implementing auth, uploads, payments, or third-party integrations who want a repeatable secure-coding review in the agent session.
Skip if: Organizations that need formal penetration-test reports, compliance attestations, or fully automated SAST/DAST pipelines without human review.
When should I use this skill?
Implementing authentication or authorization, handling user input or file uploads, creating new API endpoints, working with secrets, payments, sensitive data, or third-party APIs.
What do I get? / Deliverables
Your agent applies a structured security checklist to the changed code so secrets, input handling, and sensitive flows meet stated best practices before release.
- Security checklist findings for the touched code
- Remediation guidance for secrets and validation gaps
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Pre-release hardening and vulnerability prevention belong on the Ship phase security shelf even though you invoke it while still writing code in Build. The skill is explicitly a security review checklist for implementation choices, not generic code style or perf tuning.
Where it fits
Adding a new REST endpoint and running the skill so env-based secrets and validation are checked in the same session.
Wiring a third-party API client and verifying no tokens are committed to the repo.
Pre-deploy pass on payment and PII handling sections of the checklist.
Treat the checklist as a security slice of PR review before merge to main.
How it compares
Use as a skill-led implementation checklist rather than assuming an MCP scanner or hosting dashboard alone covers secure coding habits.
Common Questions / FAQ
Who is security-review for?
Solo and small-team builders using AI coding agents who implement real user-facing features and need guardrails against common appsec mistakes.
When should I use security-review?
While building new API routes or auth in Build, before merging in Ship review, and whenever you handle secrets, uploads, payments, or third-party APIs.
Is security-review safe to install?
It instructs the agent to review code and environment-variable patterns; confirm community risk labels and review the Security Audits panel on this page before install.
SKILL.md - Security Review
# Security Review Skill

This skill ensures all code follows security best practices and identifies potential vulnerabilities.

## When to Use

- Implementing authentication or authorization
- Handling user input or file uploads
- Creating new API endpoints
- Working with secrets or credentials
- Implementing payment features
- Storing or transmitting sensitive data
- Integrating third-party APIs

## Security Checklist

### 1. Secrets Management

#### ❌ NEVER Do This

```typescript
const apiKey = "sk-proj-xxxxx" // Hardcoded secret
const dbPassword = "password123" // In source code
```

#### ✅ ALWAYS Do This

```typescript
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL

// Verify secrets exist
if (!apiKey) {
  throw new Error('OPENAI_API_KEY not configured')
}
```

#### Verification Steps

- [ ] No hardcoded API keys, tokens, or passwords
- [ ] All secrets in environment variables
- [ ] `.env.local` in .gitignore
- [ ] No secrets in git history
- [ ] Production secrets in hosting platform (Vercel, Railway)

### 2. Input Validation

#### Always Validate User Input

```typescript
import { z } from 'zod'

// Define validation schema
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

// Validate before processing
export async function createUser(input: unknown) {
  try {
    const validated = CreateUserSchema.parse(input)
    return await db.users.create(validated)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return { success: false, errors: error.errors }
    }
    throw error
  }
}
```

#### File Upload Validation

```typescript
function validateFileUpload(file: File) {
  // Size check (5MB max)
  const maxSize = 5 * 1024 * 1024
  if (file.size > maxSize) {
    throw new Error('File too large (max 5MB)')
  }

  // Type check
  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
  if (!allowedTypes.includes(file.type)) {
    throw new Error('Invalid file type')
  }

  // Extension check
  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
  if (!extension || !allowedExtensions.includes(extension)) {
    throw new Error('Invalid file extension')
  }

  return true
}
```

#### Verification Steps

- [ ] All user inputs validated with schemas
- [ ] File uploads restricted (size, type, extension)
- [ ] No direct use of user input in queries
- [ ] Whitelist validation (not blacklist)
- [ ] Error messages don't leak sensitive info

### 3. SQL Injection Prevention

#### ❌ NEVER Concatenate SQL

```typescript
// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
```

#### ✅ ALWAYS Use Parameterized Queries

```typescript
// Safe - parameterized query
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)

// Or with raw SQL
await db.query(
  'SELECT * FROM users WHERE email = $1',
  [userEmail]
)
```

#### Verification Steps

- [ ] All database queries use parameterized queries
- [ ] No string concatenation in SQL
- [ ] ORM/query builder used correctly
- [ ] Supabase queries properly sanitized

### 4. Authentication & Authorization

#### JWT Token Handling

```typescript
// ❌ WRONG: localStorage (vulnerable to XSS)
localStorage.setItem('token', token)

// ✅ CORRECT: httpOnly cookies
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
```

#### Authorization Checks

```typescript
export async function deleteUser(userId: string, requester