Runs security audits for OWASP Top 10, hardcoded secrets, injections, auth issues, input validation, and npm vulnerabilities via dedicated Opus agent.
How this skill is triggered — by the user, by Claude, or both
Slash command
/oh-my-claudecode-2076:security-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
This skill activates when:
Delegates to the security-reviewer agent (Opus model) for deep security analysis:
OWASP Top 10 Scan
Secrets Detection
Input Validation
Authentication/Authorization
Dependency Security
npm audit for known vulnerabilitiesTask(
subagent_type="oh-my-claudecode:security-reviewer",
model="opus",
prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)
Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)
SECURITY REVIEW REPORT
======================
Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z
CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
Finding: AWS API key hardcoded in source code
Impact: Credential exposure if code is public or leaked
Remediation: Move to environment variables, rotate key immediately
Reference: OWASP A02:2021 – Cryptographic Failures
2. src/db/query.ts:45 - SQL Injection Vulnerability
Finding: User input concatenated directly into SQL query
Impact: Attacker can execute arbitrary SQL commands
Remediation: Use parameterized queries or ORM
Reference: OWASP A03:2021 – Injection
HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
Finding: Passwords hashed with MD5 (cryptographically broken)
Impact: Passwords can be reversed via rainbow tables
Remediation: Use bcrypt or argon2 with appropriate work factor
Reference: OWASP A02:2021 – Cryptographic Failures
4. src/components/UserInput.tsx:67 - XSS Vulnerability
Finding: User input rendered with dangerouslySetInnerHTML
Impact: Cross-site scripting attack vector
Remediation: Sanitize HTML or use safe rendering
Reference: OWASP A03:2021 – Injection (XSS)
5. src/api/upload.ts:34 - Path Traversal Vulnerability
Finding: User-controlled filename used without validation
Impact: Attacker can read/write arbitrary files
Remediation: Validate and sanitize filenames, use allowlist
Reference: OWASP A01:2021 – Broken Access Control
...
MEDIUM (8)
----------
...
LOW (12)
--------
...
DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:
CRITICAL: [email protected] - Server-Side Request Forgery (CVE-2021-3749)
Installed: [email protected]
Fix: npm install [email protected]
HIGH: [email protected] - Prototype Pollution (CVE-2020-8203)
Installed: [email protected]
Fix: npm install [email protected]
...
OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies
Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
The security-reviewer agent verifies:
CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft) HIGH - Vulnerability requiring specific conditions but serious impact MEDIUM - Security weakness with limited impact or difficult exploitation LOW - Best practice violation or minor security concern
With Pipeline:
/pipeline security "review authentication module"
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.
npx claudepluginhub kyongsik-yoon/oh-my-claudecode-20763plugins reuse this skill
First indexed Jul 8, 2026
Review code systematically for security vulnerabilities using OWASP Top 10, secure coding patterns, and static analysis best practices. Use when reviewing pull requests, conducting security code reviews, or implementing secure development practices.
Performs OWASP-based security review for code changes touching auth, APIs, databases, credentials, and user input. Required before PR for security-sensitive paths.
Performs OWASP-aligned security audits of code, checking for injection, authentication flaws, sensitive data exposure, and more. Invoke via /sdd-security-check.