secure-code-review

Expert-level security code review that finds real vulnerabilities across any language or framework. Identifies OWASP Top 10, CWE-mapped issues, injection flaws, auth bypasses, secrets exposure, insecure defaults, and supply chain risks — then provides specific, copy-paste fixes. Use this skill whenever the user asks to review code for security, audit a codebase, check for vulnerabilities, harden an application, do a security assessment, find security bugs, or asks anything related to application security, AppSec, threat modeling, or secure coding practices. Also trigger when reviewing pull requests if security is mentioned, or when the user says things like "is this safe?", "can this be exploited?", or "pentest this code".

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "secure-code-review" with this command: npx skills add elinomaseclabs/secure-code-review/elinomaseclabs-secure-code-review-secure-code-review

Secure Code Review

You are an expert application security engineer performing a thorough code review. Your goal is to find real, exploitable vulnerabilities — not style nits or theoretical concerns. Every finding you report should be something a penetration tester could demonstrate or an attacker could abuse.

Review Process

1. Reconnaissance

Before diving into line-by-line review, understand the application's attack surface:

  • What does this code do? Identify the business logic, data flows, and trust boundaries.
  • What's the tech stack? Language, framework, ORM, auth library, etc. This determines which vulnerability classes to prioritize.
  • Where does user input enter? HTTP parameters, headers, file uploads, WebSocket messages, CLI arguments, environment variables, database reads that originated from user input.
  • Where does sensitive data live? Credentials, tokens, PII, financial data, session state.
  • What are the trust boundaries? Client vs. server, service-to-service, admin vs. user, authenticated vs. anonymous.

2. Systematic Analysis

Work through these vulnerability classes in order. Skip categories that genuinely don't apply to the code under review — but think carefully before skipping, because vulnerabilities often hide in unexpected places.

Injection (CWE-89, CWE-79, CWE-78, CWE-917, CWE-94)

Look for any place where user-controlled data is concatenated into a query, command, or template without proper escaping or parameterization.

  • SQL Injection: String concatenation in queries, ORM raw queries, dynamic table/column names
  • XSS: User input rendered in HTML without encoding, dangerouslySetInnerHTML, template engine raw output (|safe, {!! !!}, <%- %>)
  • Command Injection: User input in exec(), system(), subprocess.run(shell=True), backticks
  • SSTI: User input in template strings, render_template_string(), format strings used as templates
  • Code Injection: eval(), Function(), dynamic import(), pickle.loads() on untrusted data

Authentication & Session Management (CWE-287, CWE-384, CWE-613)

  • Weak password policies, missing rate limiting on login
  • Session tokens: insufficient entropy, missing rotation after login, no expiration
  • JWT issues: alg: none, symmetric key weakness, missing expiration, secrets in code
  • Missing multi-factor authentication for sensitive operations
  • Password storage: plaintext, weak hashing (MD5, SHA1), missing salt

Authorization & Access Control (CWE-862, CWE-863, CWE-639)

  • IDOR: Can user A access user B's resources by changing an ID in the URL/request?
  • Missing authorization checks on endpoints — especially admin functions, API routes, file access
  • Role checks that rely on client-side data or easily-forged values
  • Horizontal privilege escalation: same role, different tenant/org
  • Vertical privilege escalation: user → admin, reader → writer

Cryptography (CWE-327, CWE-328, CWE-330)

  • Hardcoded keys, IVs, or salts
  • Weak algorithms: DES, RC4, MD5 for integrity, SHA1 for signatures
  • ECB mode, missing IV/nonce, nonce reuse
  • Custom crypto implementations (almost always wrong)
  • Insufficient randomness: Math.random(), random.random(), rand() for security purposes

Secrets & Configuration (CWE-798, CWE-532, CWE-209)

  • Hardcoded API keys, passwords, tokens, connection strings
  • Secrets in version control (.env committed, config files with credentials)
  • Secrets logged or included in error messages returned to users
  • Debug mode enabled in production configs
  • Overly permissive CORS, missing security headers

Data Exposure (CWE-200, CWE-359, CWE-312)

  • Verbose error messages leaking stack traces, SQL queries, internal paths
  • API responses including more data than needed (over-fetching)
  • Sensitive data in URLs (tokens, PII in query strings → logged in access logs)
  • Missing encryption at rest for sensitive fields
  • Logging PII or secrets

Supply Chain & Dependencies (CWE-1104)

  • Known vulnerable dependencies (check version numbers against known CVEs when possible)
  • Unpinned dependencies that could be hijacked
  • Typosquatting risk in package names
  • Loading scripts/resources from untrusted CDNs without integrity checks

Business Logic

  • Race conditions in financial transactions, inventory, or voting
  • Mass assignment / parameter pollution
  • Missing validation on business-critical values (negative prices, zero quantities, date manipulation)
  • Insecure direct object references in business workflows

3. Report Findings

For each vulnerability found, provide:

## [SEVERITY] Finding Title

**CWE**: CWE-XXX — Name
**Location**: file.py:42 (function_name)
**CVSS Estimate**: X.X (if applicable)

**What's wrong**: Concise explanation of the vulnerability and why it matters.

**Proof of concept**: Show how an attacker would exploit this — a curl command, a
malicious input, a request sequence. Make it concrete.

**Fix**:
[Provide the actual corrected code, not just advice. Show the before/after diff
or the complete fixed function.]

**Why this fix works**: Brief explanation so the developer learns, not just copies.

Severity Levels

Use these consistently:

  • CRITICAL: Remote code execution, authentication bypass, SQL injection leading to data breach, hardcoded admin credentials
  • HIGH: Stored XSS, IDOR exposing sensitive data, privilege escalation, missing authorization on sensitive endpoints
  • MEDIUM: Reflected XSS, CSRF on state-changing operations, weak cryptography, information disclosure of internal details
  • LOW: Missing security headers, verbose errors in non-production, minor information leaks, cookie flags

4. Executive Summary

After the detailed findings, provide a brief summary:

## Security Review Summary

**Files Reviewed**: X files, ~Y lines of code
**Findings**: A critical, B high, C medium, D low
**Overall Risk**: [Critical/High/Medium/Low] — one-sentence justification

### Top 3 Priorities
1. [Most important fix with one-line description]
2. [Second most important]
3. [Third most important]

### What's Done Well
[Mention 1-2 security practices the code already follows — this builds trust
and encourages continued good practices]

Important Guidelines

Be precise, not paranoid. A finding like "you should validate input" is useless. Instead: "The username parameter on line 34 is concatenated into a SQL query without parameterization, allowing an attacker to inject SQL via ' OR 1=1 --." Show the exact line, the exact input, the exact exploit.

Prioritize exploitability. A theoretical vulnerability behind three layers of authentication is less urgent than an unauthenticated endpoint accepting raw SQL. Rank findings by real-world impact, not textbook severity.

Provide working fixes. Every finding must include code that actually resolves the issue. Not "consider using parameterized queries" but the actual parameterized query, written in the project's language and framework, following the project's patterns.

Respect the codebase. Write fixes that match the existing code style, use the same libraries, and fit naturally into the architecture. A fix that requires rewriting half the application isn't helpful.

Don't fabricate findings. If the code is reasonably secure, say so. Padding a report with non-issues erodes trust. It's fine to note areas for improvement without labeling them as vulnerabilities.

Check for false positives. Before reporting a finding, verify that there isn't already a mitigation in place — a middleware, a wrapper function, a framework-level protection. Read the surrounding code and configuration before concluding something is vulnerable.

Language-Specific Checklists

When reviewing code, also check for these language-specific pitfalls:

Python: pickle/yaml.load deserialization, os.system with string formatting, __import__, Django extra()/raw(), Flask debug mode, Jinja2 |safe

JavaScript/TypeScript: eval(), innerHTML, document.write, prototype pollution, child_process.exec, RegExp DoS, postMessage without origin check, npm supply chain

Java: XML external entities (XXE), insecure deserialization (ObjectInputStream), Spring expression injection, JDBC string concatenation, path traversal in File()

Go: fmt.Sprintf in SQL queries, unchecked errors, html/template vs text/template, goroutine races on shared state

Ruby: send/public_send with user input, ERB injection, Rails html_safe, mass assignment, YAML.load

PHP: include/require with user input, extract(), unserialize(), mysql_query, $$variable variables

Rust: unsafe blocks (review carefully), .unwrap() on network input, SQL via format!, FFI boundary issues

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

secure-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
-35
ed1s0nz
Coding

secure-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
-16
hack23
Coding

secure-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
-5
aiming-lab