Agent skill

security-review

Security, security review, security audit, vulnerability, security analysis, OWASP, authentication, authorization, vulnerability check - Systematic security analysis based on OWASP Top 10. Reviews code for vulnerabilities, designs auth/authz systems, and produces severity-classified reports. Use when auditing security, designing authentication, or pre-deployment security checks. Do NOT use for general code quality reviews (use code-reviewer) or debugging (use debug-specialist).


Install this agent skill to your Project

npx add-skill https://github.com/aimskr/aims-claude-toolkit/tree/main/skills/security-review

Metadata

Additional technical details for this skill

author: jaehashin
version: 1.2.0

SKILL.md

Security Review Skill

Systematic workflow for security review and vulnerability analysis.

When to Use

  • Reviewing code for security vulnerabilities
  • Designing authentication/authorization systems
  • Establishing sensitive data handling practices
  • Pre-deployment security checklist verification

The Process

Phase 1: Security Scope Assessment

Codebase Analysis:

  1. Identify authentication/authorization code
  2. Map external input handling points
  3. Trace sensitive data flow
  4. Check external API integration points

Attack Surface Definition:

  • User input: forms, URL params, headers
  • File uploads: type, size, storage location
  • API endpoints: public/private, auth requirements
  • Database: query generation methods

Phase 2: OWASP Top 10 Check

Perform systematic check against OWASP Top 10 (2021):

  • A01: Broken Access Control
  • A02: Cryptographic Failures
  • A03: Injection
  • A04: Insecure Design
  • A05: Security Misconfiguration
  • A06: Vulnerable Components
  • A07: Authentication Failures
  • A08: Data Integrity Failures
  • A09: Logging Failures
  • A10: SSRF

For detailed checklist, code patterns, and search queries: Read OWASP-CHECKLIST.md in this skill directory.

Phase 3: Vulnerability Report

Severity Classification:

| Level | Description | Response Time |
|---|---|---|
| 🔴 Critical | Immediately exploitable, severe impact | Within 24h |
| 🟠 High | Exploitable, significant impact | Within 1 week |
| 🟡 Medium | Conditional exploit, limited impact | Within 1 month |
| 🟢 Low | Hard to exploit, minimal impact | Next release |

Phase 4: Security Design Recommendations

Provide recommendations for:

  • Authentication design (JWT, session management)
  • Authorization model (RBAC, ABAC)
  • Data encryption strategies
  • Secure coding practices

Key Principles

  1. Zero Trust: Never trust any input
  2. Defense in Depth: Multi-layer defense
  3. Least Privilege: Minimum required permissions
  4. Fail Secure: Safe state on failure
  5. Security by Design: Consider security from design phase

Detailed Reference

For OWASP checklist, vulnerable code patterns, search queries, and report templates: Read OWASP-CHECKLIST.md in this skill directory.

Completion

Complete once the vulnerability report (severity classification + recommendations) has been delivered.

Troubleshooting

  • Too many findings to prioritize: Focus on Critical/High first. If >20 Critical findings, the codebase likely needs a dedicated security sprint rather than a review.
  • False positives from pattern matching: Verify each finding with actual data flow analysis. A SQL query using parameterized binding is safe even if grep finds SELECT near user input.
  • Team pushes back on security fixes: Quantify risk with severity + exploitability. "This allows unauthenticated admin access" is more actionable than "A01 violation found."
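The false-positive point above, as an added example (not part of the skill or its OWASP-CHECKLIST.md): a small AST-based triage pass that separates `execute()` calls whose SQL text is a fixed literal from those whose SQL text is built at runtime, which a grep for SELECT cannot do. The sample source, the function names `is_dynamic_sql` and `triage`, and the verdict labels are assumptions made for illustration.

```python
import ast

# Constructed sample: every call puts SELECT next to user input, so a plain
# grep flags all four. Only the second keeps the input out of the SQL text.
SAMPLE = '''
def find_user_unsafe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_format(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
'''


def is_dynamic_sql(node):
    """True if the SQL argument is not provably a constant string."""
    if isinstance(node, ast.Constant):
        return False  # fixed text; any values are bound separately
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_dynamic_sql(node.left) or is_dynamic_sql(node.right)
    return True  # variables, .format() calls: needs manual data-flow tracing


def triage(source):
    """Return sorted (line, verdict) pairs for execute()/executemany() calls."""
    results = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            verdict = "review" if is_dynamic_sql(node.args[0]) else "static"
            results.append((node.lineno, verdict))
    return sorted(results)


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE):
        print(f"line {line}: {verdict}")
```

A `static` verdict only means the SQL text itself is constant; a `review` verdict means the query string must be traced back to its sources before the finding is confirmed or dismissed.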
