Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-review" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/security-review/SKILL.md 2. Save it as ~/.claude/skills/security-review/SKILL.md 3. Reload skills and tell me it's ready
Please perform a security review of my upcoming login and signup feature. Focus on authentication flow, password storage, session management, brute-force protection, email verification, and password reset flow, then provide a remediation checklist.
A security risk checklist for the auth flow, with common vulnerabilities and prioritized fixes.
I am building an API that accepts user form data and writes it to a database. Review it for input validation, injection risks, authorization, error message exposure, rate limiting, and log redaction, and suggest recommended implementation patterns.
A security review for APIs and input handling, including risks, best practices, and implementable protections.
Please review the security design of my payment feature. Focus on secret management, amount tampering, webhook signature verification, replay attacks, permission isolation, audit logs, and suspicious transaction handling, and produce a pre-release security checklist.
A pre-release security assessment and checklist tailored to payment or other sensitive workflows.
This skill ensures all code follows security best practices and identifies potential vulnerabilities.
const apiKey = "sk-proj-xxxxx" // Hardcoded secret
const dbPassword = "password123" // In source code
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
// Verify secrets exist
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
.env.local in .gitignoreimport { z } from 'zod'
// Define validation schema
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
// Validate before processing
export async function createUser(input: unknown) {
try {
const validated = CreateUserSchema.parse(input)
return await db.users.create(validated)
} catch (error) {
if (error instanceof z.ZodError) {
return { success: false, errors: error.errors }
}
throw error
}
}
function validateFileUpload(file: File) {
// Size check (5MB max)
const maxSize = 5 * 1024 * 1024
if (file.size > maxSize) {
throw new Error('File too large (max 5MB)')
}
// Type check
const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type')
}
// Extension check
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
if (!extension || !allowedExtensions.includes(extension)) {
throw new Error('Invalid file extension')
}
return true
}
// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
// Safe - parameterized query
const { data } = await supabase
.from('users')
.select('*')
.eq('email', userEmail)
// Or with raw SQL
await db.query(
'SELECT * FROM users WHERE email = $1',
[userEmail]
)
// FAIL: WRONG: localStorage (vulnerable to XSS)
localStorage.setItem('token', token)
// PASS: CORRECT: httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
export async function deleteUser(userId: string, requesterId: string) {
// ALWAYS verify authorization first
const requester = await db.users.findUnique({
where: { id: requesterId }
})
if (requester.role !== 'admin') {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 403 }
)
}
// Proceed with deletion
…
Handle returns, refunds, fraud checks, and warranty claim decisions efficiently.
Use Bun for runtime, bundling, testing, packages, and Node migration decisions.
Use the correct Ethereum Keccak-256 hashing in Node.js and TypeScript.
Apply Nuxt 4 patterns for SSR safety, performance, and data fetching.
Generate images, videos, and audio with one unified AI media workflow.
Design Quarkus 3 backend patterns for messaging, APIs, data, and async workflows.
Review code deeply across correctness, tests, security, performance, and product quality.
Review Python, JS/TS, and Go code for security best practices.
Run an end-to-end Power Pages security review with a consolidated HTML report.
Detect prompt injection, look up CVEs, and assess version impact.
Review architecture or code for security risks, vulnerabilities, and compliance issues.
Scan code and text for leaked secrets and exposed API credentials.