security-review
Run a comprehensive security review on code
npxskills add merozemory/oh-my-droid--skill security-reviewLoading…
Run a comprehensive security review on code
npxskills add merozemory/oh-my-droid--skill security-reviewLoading…
Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
This skill activates when:
Delegates to the security-reviewer agent (Opus model) for deep security analysis:
OWASP Top 10 Scan
Secrets Detection
Input Validation
Authentication/Authorization
Dependency Security
npm audit for known vulnerabilitiesTask(
subagent_type="oh-my-droid:security-reviewer",
model="claude-opus-4-5-20251101",
prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)
Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)
SECURITY REVIEW REPORT
======================
Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z
CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
Finding: AWS API key hardcoded in source code
Impact: Credential exposure if code is public or leaked
Remediation: Move to environment variables, rotate key immediately
Reference: OWASP A02:2021 – Cryptographic Failures
2. src/db/query.ts:45 - SQL Injection Vulnerability
Finding: User input concatenated directly into SQL query
Impact: Attacker can execute arbitrary SQL commands
Remediation: Use parameterized queries or ORM
Reference: OWASP A03:2021 – Injection
HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
Finding: Passwords hashed with MD5 (cryptographically broken)
Impact: Passwords can be reversed via rainbow tables
Remediation: Use bcrypt or argon2 with appropriate work factor
Reference: OWASP A02:2021 – Cryptographic Failures
4. src/components/UserInput.tsx:67 - XSS Vulnerability
Finding: User input rendered with dangerouslySetInnerHTML
Impact: Cross-site scripting attack vector
Remediation: Sanitize HTML or use safe rendering
Reference: OWASP A03:2021 – Injection (XSS)
5. src/api/upload.ts:34 - Path Traversal Vulnerability
Finding: User-controlled filename used without validation
Impact: Attacker can read/write arbitrary files
Remediation: Validate and sanitize filenames, use allowlist
Reference: OWASP A01:2021 – Broken Access Control
...
MEDIUM (8)
----------
...
LOW (12)
--------
...
DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:
CRITICAL: [email protected] - Server-Side Request Forgery (CVE-2021-3749)
Installed: [email protected]
Fix: npm install [email protected]
HIGH: [email protected] - Prototype Pollution (CVE-2020-8203)
Installed: [email protected]
Fix: npm install [email protected]
...
OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies
Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
The security-reviewer agent verifies:
CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft) HIGH - Vulnerability requiring specific conditions but serious impact MEDIUM - Security weakness with limited impact or difficult exploitation LOW - Best practice violation or minor security concern
With Pipeline:
/pipeline security "review authentication module"
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).