Agent-Skills.md

Agent Skills: Security Review

|

UncategorizedID: htooayelwinict/claude-config/security-review

Repository

htooayelwinict/claude-config
htooayelwinict

Install this agent skill to your local

pnpm dlx add-skill https://github.com/htooayelwinict/claude-config/tree/HEAD/skills/security-review

Skill Files

Browse the full folder contents for security-review.

Download Skill

Loading file tree…

skills/security-review/SKILL.md

Skill Metadata

Name
security-review
Description
|

Security Review

Exclusive to: security-expert agent

MCP Helpers (Brain + Memory + Web)

🧠 Gemini-Bridge β€” Security Analysis

mcp_gemini-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")

πŸŒ‰ Open-Bridge β€” Alternative Security Analysis

mcp_open-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")

πŸ’» Codex-Bridge β€” Code Security Review

mcp_codex-bridge_consult_codex(query="Find security vulnerabilities in: [code]", directory=".")

πŸ“š Context7 (Memory) β€” Up-to-Date Docs

Lookup security patterns and vulnerability mitigations:

mcp_context7_resolve-library-id(libraryName="laravel", query="csrf protection")
mcp_context7_query-docs(libraryId="/laravel/docs", query="authentication security")

🌐 Web Search β€” CVE and Vulnerability Lookup

mcp_web-search-prime_search(query="[package name] CVE vulnerability 2025")

Validation Loop (MANDATORY)

Every security review MUST run these dependency checks:

composer audit            # Check PHP vulnerabilities
npm audit                 # Check JS vulnerabilities
php artisan route:list --compact  # Verify route middleware

Report any vulnerabilities found as Critical findings.

Instructions

  1. Run git diff to identify changed files
  2. Scan for security vulnerabilities using checklist below
  3. Check authentication and authorization patterns
  4. Review input validation and sanitization
  5. Report findings by severity (Critical β†’ Warning β†’ Suggestion)

OWASP Top 10 Checklist

| # | Vulnerability | Laravel Check | React Check | |---|---------------|---------------|-------------| | A01 | Broken Access Control | Policies, Gates | Route guards | | A02 | Cryptographic Failures | Hash::make, encrypt | No secrets in client | | A03 | Injection | Eloquent, query builder | No dangerouslySetInnerHTML | | A04 | Insecure Design | Business logic review | Component security | | A05 | Security Misconfiguration | .env settings | Build config | | A06 | Vulnerable Components | composer audit | npm audit | | A07 | Auth Failures | Rate limiting, sessions | Token handling | | A08 | Data Integrity | CSRF, mass assignment | Form validation | | A09 | Logging Failures | Security event logs | Error boundaries | | A10 | SSRF | URL validation | API call validation |

Laravel Security Checks

// Mass Assignment
$fillable = ['name', 'email'];  // βœ… Whitelist
$guarded = ['id', 'is_admin'];  // βœ… Blacklist

// SQL Injection Prevention
User::where('email', $email)->first();  // βœ… Safe
DB::raw("SELECT * FROM users WHERE email = '$email'");  // ❌ Dangerous

// CSRF
@csrf  // βœ… In forms

React Security Checks

// XSS Prevention
<div>{userInput}</div>  // βœ… Auto-escaped
<div dangerouslySetInnerHTML={{__html: userInput}} />  // ❌ XSS risk

// No secrets in client
const API_KEY = process.env.NEXT_PUBLIC_API_KEY;  // ⚠️ Visible to users

Audit Commands

composer audit          # PHP vulnerabilities
npm audit               # JS vulnerabilities
php artisan route:list  # Check route middleware

Examples

  • "Security review this PR"
  • "Check for OWASP vulnerabilities"
  • "Audit authentication flow"