Agent skill
security-review
Request a security expert assessment for code changes that touch child process spawning, file system access, configuration loading, or environment variable handling. Use when the Reviewer identifies security-sensitive changes in the MCP-LSP bridge.
Install this agent skill to your Project
npx add-skill https://github.com/ktnyt/cclsp/tree/main/.claude/skills/security-review
Metadata
Additional technical details for this skill
- author: ktnyt
- version: 1.0
SKILL.md
Security Review
Invoke the security-reviewer agent to assess security-sensitive changes.
When to trigger
- Child process spawning or lifecycle changes (`src/lsp-client.ts`)
- File system read/write operations (`src/file-editor.ts`, `src/file-scanner.ts`)
- Configuration file loading or parsing (`cclsp.json`, `CCLSP_CONFIG_PATH`)
- Environment variable handling
- New or modified LSP server adapter (`src/lsp/adapters/`)
- Setup wizard input handling (`src/setup.ts`)
Review checklist
- Command injection: Are user-supplied values (config file paths, server commands) sanitized before being passed to `child_process.spawn`?
- Path traversal: Can file paths from LSP responses escape the project root? Are `file://` URIs validated before resolving?
- Resource exhaustion: Are there timeouts on LSP server responses? Can a malicious LSP server cause unbounded memory growth?
- Config trust boundary: Is `cclsp.json` treated as trusted input? What happens if it contains unexpected fields or types?
- Process cleanup: Are child processes reliably terminated on shutdown? Can orphaned processes persist?
- Symlink attacks: Does file resolution follow symlinks outside the project directory?
How to invoke
Use the everything-claude-code:security-reviewer agent via the Task tool:
Task(
subagent_type: "everything-claude-code:security-reviewer",
prompt: "Review the following changes for security concerns: <describe changes>"
)
Output expectations
The security reviewer should produce:
- CRITICAL: Must fix before merge (injection, traversal, credential leak)
- HIGH: Should fix before merge (missing timeouts, incomplete cleanup)
- MEDIUM: Fix when possible (defensive checks, hardening opportunities)
- LOW: Informational (best practice suggestions)