
security-review

A comprehensive security auditing and hardening assistant that applies best practices for authentication, input validation, secrets management, and SQL injection prevention to your codebase.

Introduction

The security-review skill acts as a proactive guardrail for developers and AI agents working on sensitive software components. By enforcing a rigorous security checklist, it helps identify vulnerabilities during the development lifecycle rather than after deployment. This skill is designed for full-stack developers, security engineers, and AI agents tasked with implementing authentication, API development, or data-sensitive operations.

  • Performs automated audits for hardcoded secrets, including API keys, database credentials, and authentication tokens.

  • Validates user input handling using schema-based libraries like Zod to prevent common injection attacks and data corruption.

  • Enforces parameterized query patterns for database interactions to eliminate SQL injection vulnerabilities.

  • Reviews authentication and authorization logic, ensuring session cookies are set with secure attributes such as httpOnly and that row-level security (RLS) is correctly enabled.

  • Provides remediation patterns for cross-site scripting (XSS): HTML sanitization with DOMPurify and a Content Security Policy (CSP).

  • Assists in file upload validation by checking file size, MIME types, and extensions to prevent arbitrary code execution.

  • Always trigger this skill when building features that touch the database, user session, or public-facing API endpoints.

  • Use it to verify that secrets are read from environment variables instead of hardcoded strings.

  • Ensure input validation is applied to every external source, including file uploads, URL parameters, and request bodies.

  • Remember to verify that security headers (like CSP) are applied to your Next.js or Node.js configurations.

  • Expect the skill to provide failure vs. pass code examples that can be directly applied to your current working files.

  • The output will typically be a checklist verification report followed by suggested code refactoring blocks to bring your implementation up to industry security standards.

Repository Stats

Stars: 170,631
Forks: 26,449
Open Issues: 149
Language: JavaScript
Default Branch: main
Sync Status: Idle
Last Synced: Apr 30, 2026, 12:23 PM