How do I install Security Review?

Install Security Review with a single command: npx mdskills install sickn33/cc-skill-security-review. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Security Review?

Security Review works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Security Review

Name: Security Review: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

API DevelopmentIntermediate

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/cc-skill-security-review

Fork & Edit

Skill Advisor8.0

Comprehensive security checklist with actionable examples covering authentication, input validation, and common vulnerabilities

+Provides extensive code examples with clear dos and don'ts for each security concern
+Covers complete security lifecycle from secrets management to deployment checklists
+Includes verification steps and automated testing examples for practical implementation
-Requests filesystem write and shell execution permissions that aren't necessary for security review
-Lacks guidance on when to skip certain checks or how to prioritize for different project types

SKILL.md

Edit in Browser

1---
2name: security-review
3description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
4author: affaan-m
5version: "1.0"
6---
7 
8# Security Review Skill
9 
10This skill ensures all code follows security best practices and identifies potential vulnerabilities.
11 
12## When to Activate
13 
14- Implementing authentication or authorization
15- Handling user input or file uploads
16- Creating new API endpoints
17- Working with secrets or credentials
18- Implementing payment features
19- Storing or transmitting sensitive data
20- Integrating third-party APIs
21 
22## Security Checklist
23 
24### 1. Secrets Management
25 
26#### ❌ NEVER Do This
27```typescript
28const apiKey = "sk-proj-xxxxx"  // Hardcoded secret
29const dbPassword = "password123" // In source code
30```
31 
32#### ✅ ALWAYS Do This
33```typescript
34const apiKey = process.env.OPENAI_API_KEY
35const dbUrl = process.env.DATABASE_URL
36 
37// Verify secrets exist
38if (!apiKey) {
39  throw new Error('OPENAI_API_KEY not configured')
40}
41```
42 
43#### Verification Steps
44- [ ] No hardcoded API keys, tokens, or passwords
45- [ ] All secrets in environment variables
46- [ ] `.env.local` in .gitignore
47- [ ] No secrets in git history
48- [ ] Production secrets in hosting platform (Vercel, Railway)
49 
50### 2. Input Validation
51 
52#### Always Validate User Input
53```typescript
54import { z } from 'zod'
55 
56// Define validation schema
57const CreateUserSchema = z.object({
58  email: z.string().email(),
59  name: z.string().min(1).max(100),
60  age: z.number().int().min(0).max(150)
61})
62 
63// Validate before processing
64export async function createUser(input: unknown) {
65  try {
66    const validated = CreateUserSchema.parse(input)
67    return await db.users.create(validated)
68  } catch (error) {
69    if (error instanceof z.ZodError) {
70      return { success: false, errors: error.errors }
71    }
72    throw error
73  }
74}
75```
76 
77#### File Upload Validation
78```typescript
79function validateFileUpload(file: File) {
80  // Size check (5MB max)
81  const maxSize = 5 * 1024 * 1024
82  if (file.size > maxSize) {
83    throw new Error('File too large (max 5MB)')
84  }
85 
86  // Type check
87  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
88  if (!allowedTypes.includes(file.type)) {
89    throw new Error('Invalid file type')
90  }
91 
92  // Extension check
93  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
94  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
95  if (!extension || !allowedExtensions.includes(extension)) {
96    throw new Error('Invalid file extension')
97  }
98 
99  return true
100}
101```
102 
103#### Verification Steps
104- [ ] All user inputs validated with schemas
105- [ ] File uploads restricted (size, type, extension)
106- [ ] No direct use of user input in queries
107- [ ] Whitelist validation (not blacklist)
108- [ ] Error messages don't leak sensitive info
109 
110### 3. SQL Injection Prevention
111 
112#### ❌ NEVER Concatenate SQL
113```typescript
114// DANGEROUS - SQL Injection vulnerability
115const query = `SELECT * FROM users WHERE email = '${userEmail}'`
116await db.query(query)
117```
118 
119#### ✅ ALWAYS Use Parameterized Queries
120```typescript
121// Safe - parameterized query
122const { data } = await supabase
123  .from('users')
124  .select('*')
125  .eq('email', userEmail)
126 
127// Or with raw SQL
128await db.query(
129  'SELECT * FROM users WHERE email = $1',
130  [userEmail]
131)
132```
133 
134#### Verification Steps
135- [ ] All database queries use parameterized queries
136- [ ] No string concatenation in SQL
137- [ ] ORM/query builder used correctly
138- [ ] Supabase queries properly sanitized
139 
140### 4. Authentication & Authorization
141 
142#### JWT Token Handling
143```typescript
144// ❌ WRONG: localStorage (vulnerable to XSS)
145localStorage.setItem('token', token)
146 
147// ✅ CORRECT: httpOnly cookies
148res.setHeader('Set-Cookie',
149  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
150```
151 
152#### Authorization Checks
153```typescript
154export async function deleteUser(userId: string, requesterId: string) {
155  // ALWAYS verify authorization first
156  const requester = await db.users.findUnique({
157    where: { id: requesterId }
158  })
159 
160  if (requester.role !== 'admin') {
161    return NextResponse.json(
162      { error: 'Unauthorized' },
163      { status: 403 }
164    )
165  }
166 
167  // Proceed with deletion
168  await db.users.delete({ where: { id: userId } })
169}
170```
171 
172#### Row Level Security (Supabase)
173```sql
174-- Enable RLS on all tables
175ALTER TABLE users ENABLE ROW LEVEL SECURITY;
176 
177-- Users can only view their own data
178CREATE POLICY "Users view own data"
179  ON users FOR SELECT
180  USING (auth.uid() = id);
181 
182-- Users can only update their own data
183CREATE POLICY "Users update own data"
184  ON users FOR UPDATE
185  USING (auth.uid() = id);
186```
187 
188#### Verification Steps
189- [ ] Tokens stored in httpOnly cookies (not localStorage)
190- [ ] Authorization checks before sensitive operations
191- [ ] Row Level Security enabled in Supabase
192- [ ] Role-based access control implemented
193- [ ] Session management secure
194 
195### 5. XSS Prevention
196 
197#### Sanitize HTML
198```typescript
199import DOMPurify from 'isomorphic-dompurify'
200 
201// ALWAYS sanitize user-provided HTML
202function renderUserContent(html: string) {
203  const clean = DOMPurify.sanitize(html, {
204    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
205    ALLOWED_ATTR: []
206  })
207  return <div dangerouslySetInnerHTML={{ __html: clean }} />
208}
209```
210 
211#### Content Security Policy
212```typescript
213// next.config.js
214const securityHeaders = [
215  {
216    key: 'Content-Security-Policy',
217    value: `
218      default-src 'self';
219      script-src 'self' 'unsafe-eval' 'unsafe-inline';
220      style-src 'self' 'unsafe-inline';
221      img-src 'self' data: https:;
222      font-src 'self';
223      connect-src 'self' https://api.example.com;
224    `.replace(/\s{2,}/g, ' ').trim()
225  }
226]
227```
228 
229#### Verification Steps
230- [ ] User-provided HTML sanitized
231- [ ] CSP headers configured
232- [ ] No unvalidated dynamic content rendering
233- [ ] React's built-in XSS protection used
234 
235### 6. CSRF Protection
236 
237#### CSRF Tokens
238```typescript
239import { csrf } from '@/lib/csrf'
240 
241export async function POST(request: Request) {
242  const token = request.headers.get('X-CSRF-Token')
243 
244  if (!csrf.verify(token)) {
245    return NextResponse.json(
246      { error: 'Invalid CSRF token' },
247      { status: 403 }
248    )
249  }
250 
251  // Process request
252}
253```
254 
255#### SameSite Cookies
256```typescript
257res.setHeader('Set-Cookie',
258  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
259```
260 
261#### Verification Steps
262- [ ] CSRF tokens on state-changing operations
263- [ ] SameSite=Strict on all cookies
264- [ ] Double-submit cookie pattern implemented
265 
266### 7. Rate Limiting
267 
268#### API Rate Limiting
269```typescript
270import rateLimit from 'express-rate-limit'
271 
272const limiter = rateLimit({
273  windowMs: 15 * 60 * 1000, // 15 minutes
274  max: 100, // 100 requests per window
275  message: 'Too many requests'
276})
277 
278// Apply to routes
279app.use('/api/', limiter)
280```
281 
282#### Expensive Operations
283```typescript
284// Aggressive rate limiting for searches
285const searchLimiter = rateLimit({
286  windowMs: 60 * 1000, // 1 minute
287  max: 10, // 10 requests per minute
288  message: 'Too many search requests'
289})
290 
291app.use('/api/search', searchLimiter)
292```
293 
294#### Verification Steps
295- [ ] Rate limiting on all API endpoints
296- [ ] Stricter limits on expensive operations
297- [ ] IP-based rate limiting
298- [ ] User-based rate limiting (authenticated)
299 
300### 8. Sensitive Data Exposure
301 
302#### Logging
303```typescript
304// ❌ WRONG: Logging sensitive data
305console.log('User login:', { email, password })
306console.log('Payment:', { cardNumber, cvv })
307 
308// ✅ CORRECT: Redact sensitive data
309console.log('User login:', { email, userId })
310console.log('Payment:', { last4: card.last4, userId })
311```
312 
313#### Error Messages
314```typescript
315// ❌ WRONG: Exposing internal details
316catch (error) {
317  return NextResponse.json(
318    { error: error.message, stack: error.stack },
319    { status: 500 }
320  )
321}
322 
323// ✅ CORRECT: Generic error messages
324catch (error) {
325  console.error('Internal error:', error)
326  return NextResponse.json(
327    { error: 'An error occurred. Please try again.' },
328    { status: 500 }
329  )
330}
331```
332 
333#### Verification Steps
334- [ ] No passwords, tokens, or secrets in logs
335- [ ] Error messages generic for users
336- [ ] Detailed errors only in server logs
337- [ ] No stack traces exposed to users
338 
339### 9. Blockchain Security (Solana)
340 
341#### Wallet Verification
342```typescript
343import { verify } from '@solana/web3.js'
344 
345async function verifyWalletOwnership(
346  publicKey: string,
347  signature: string,
348  message: string
349) {
350  try {
351    const isValid = verify(
352      Buffer.from(message),
353      Buffer.from(signature, 'base64'),
354      Buffer.from(publicKey, 'base64')
355    )
356    return isValid
357  } catch (error) {
358    return false
359  }
360}
361```
362 
363#### Transaction Verification
364```typescript
365async function verifyTransaction(transaction: Transaction) {
366  // Verify recipient
367  if (transaction.to !== expectedRecipient) {
368    throw new Error('Invalid recipient')
369  }
370 
371  // Verify amount
372  if (transaction.amount > maxAmount) {
373    throw new Error('Amount exceeds limit')
374  }
375 
376  // Verify user has sufficient balance
377  const balance = await getBalance(transaction.from)
378  if (balance < transaction.amount) {
379    throw new Error('Insufficient balance')
380  }
381 
382  return true
383}
384```
385 
386#### Verification Steps
387- [ ] Wallet signatures verified
388- [ ] Transaction details validated
389- [ ] Balance checks before transactions
390- [ ] No blind transaction signing
391 
392### 10. Dependency Security
393 
394#### Regular Updates
395```bash
396# Check for vulnerabilities
397npm audit
398 
399# Fix automatically fixable issues
400npm audit fix
401 
402# Update dependencies
403npm update
404 
405# Check for outdated packages
406npm outdated
407```
408 
409#### Lock Files
410```bash
411# ALWAYS commit lock files
412git add package-lock.json
413 
414# Use in CI/CD for reproducible builds
415npm ci  # Instead of npm install
416```
417 
418#### Verification Steps
419- [ ] Dependencies up to date
420- [ ] No known vulnerabilities (npm audit clean)
421- [ ] Lock files committed
422- [ ] Dependabot enabled on GitHub
423- [ ] Regular security updates
424 
425## Security Testing
426 
427### Automated Security Tests
428```typescript
429// Test authentication
430test('requires authentication', async () => {
431  const response = await fetch('/api/protected')
432  expect(response.status).toBe(401)
433})
434 
435// Test authorization
436test('requires admin role', async () => {
437  const response = await fetch('/api/admin', {
438    headers: { Authorization: `Bearer ${userToken}` }
439  })
440  expect(response.status).toBe(403)
441})
442 
443// Test input validation
444test('rejects invalid input', async () => {
445  const response = await fetch('/api/users', {
446    method: 'POST',
447    body: JSON.stringify({ email: 'not-an-email' })
448  })
449  expect(response.status).toBe(400)
450})
451 
452// Test rate limiting
453test('enforces rate limits', async () => {
454  const requests = Array(101).fill(null).map(() =>
455    fetch('/api/endpoint')
456  )
457 
458  const responses = await Promise.all(requests)
459  const tooManyRequests = responses.filter(r => r.status === 429)
460 
461  expect(tooManyRequests.length).toBeGreaterThan(0)
462})
463```
464 
465## Pre-Deployment Security Checklist
466 
467Before ANY production deployment:
468 
469- [ ] **Secrets**: No hardcoded secrets, all in env vars
470- [ ] **Input Validation**: All user inputs validated
471- [ ] **SQL Injection**: All queries parameterized
472- [ ] **XSS**: User content sanitized
473- [ ] **CSRF**: Protection enabled
474- [ ] **Authentication**: Proper token handling
475- [ ] **Authorization**: Role checks in place
476- [ ] **Rate Limiting**: Enabled on all endpoints
477- [ ] **HTTPS**: Enforced in production
478- [ ] **Security Headers**: CSP, X-Frame-Options configured
479- [ ] **Error Handling**: No sensitive data in errors
480- [ ] **Logging**: No sensitive data logged
481- [ ] **Dependencies**: Up to date, no vulnerabilities
482- [ ] **Row Level Security**: Enabled in Supabase
483- [ ] **CORS**: Properly configured
484- [ ] **File Uploads**: Validated (size, type)
485- [ ] **Wallet Signatures**: Verified (if blockchain)
486 
487## Resources
488 
489- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
490- [Next.js Security](https://nextjs.org/docs/security)
491- [Supabase Security](https://supabase.com/docs/guides/auth)
492- [Web Security Academy](https://portswigger.net/web-security)
493 
494---
495 
496**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.

Full transparency — inspect the skill content before installing.