security-review
by guvnr-dev
One config to govern them all. Universal AI coding assistant configuration for Claude, Cursor, Copilot, Windsurf, Aider, and 15+ tools.
⭐ 0🍴 0📅 Jan 14, 2026
SKILL.md
name: security-review
description: Perform security-focused code review using OWASP guidelines and AI-specific security best practices.
allowed-tools: Read, Grep, Glob
Security Review Skill
This skill performs comprehensive security analysis of code, with special attention to AI-generated code vulnerabilities.
When to Use
Activate this skill when:
- Reviewing AI-generated code
- Auditing authentication/authorization code
- Checking for OWASP Top 10 vulnerabilities
- Validating dependency security
- Before merging security-sensitive PRs
OWASP Top 10 Checks
1. Injection Prevention
- SQL Injection: Use parameterized queries, never concatenate user input
- Command Injection: Avoid shell execution with user input, use safe APIs
- XSS: Sanitize all HTML output, use content security policies
2. Broken Authentication
- No hardcoded credentials or API keys
- Secure password hashing (bcrypt, argon2)
- Proper session management with secure cookies
- Multi-factor authentication for sensitive operations
3. Sensitive Data Exposure
- Encrypt data at rest and in transit
- Never log passwords, tokens, or PII
- Use environment variables for secrets
- Implement proper key management
4. XML External Entities (XXE)
- Disable external entity processing
- Use less complex data formats (JSON)
- Validate and sanitize XML input
5. Broken Access Control
- Implement principle of least privilege
- Validate authorization on every request
- Use secure direct object references
- Deny by default
AI-Specific Security
Slopsquatting Prevention
Before adding any dependency:
- Verify existence on the package registry (npm, PyPI, etc.)
- Check download counts - legitimate packages have thousands of downloads
- Check maintenance status - last update, open issues
- Review for vulnerabilities - npm audit, pip-audit
- Cross-reference with official documentation
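The pre-install checks above can be run as a gate before a manifest is merged. This is an added example, not part of the original skill: the package names, the registry snapshot, the thresholds and the `vet_dependencies` helper are all assumptions made for illustration.

```python
import json
from datetime import date

# Constructed registry snapshot, hypothetical names; a real run queries the registry.
REGISTRY_SNAPSHOT = {
    "acme-http": {"weekly_downloads": 2_400_000, "last_publish": "2025-12-01"},
    "acme-leftpad": {"weekly_downloads": 42, "last_publish": "2025-11-20"},
    "acme-old-logger": {"weekly_downloads": 9_500, "last_publish": "2019-03-02"},
}

# Constructed package.json, as an assistant might emit it; the last entry is
# absent from the snapshot, which is how a hallucinated name shows up.
PACKAGE_JSON = """{
  "dependencies": {"acme-http": "^4.19.0", "acme-leftpad": "^1.0.0"},
  "devDependencies": {"acme-old-logger": "^2.1.0", "acme-auth-helper": "^0.3.1"}
}"""

TODAY = date(2026, 1, 14)  # fixed review date so the result is reproducible
MIN_WEEKLY_DOWNLOADS = 1000  # assumption, from the "thousands of downloads" rule
MAX_AGE_DAYS = 730  # assumption: no release for two years counts as unmaintained


def vet_dependencies(manifest_text, registry, today=TODAY):
    """Return {package: [findings]} for each dependency that fails a check."""
    manifest = json.loads(manifest_text)
    names = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    findings = {}
    for name in sorted(names):
        meta = registry.get(name)
        if meta is None:
            # A missing package cannot be checked further: block the install.
            findings[name] = ["not found on registry"]
            continue
        issues = []
        if meta["weekly_downloads"] < MIN_WEEKLY_DOWNLOADS:
            issues.append("low download count")
        age_days = (today - date.fromisoformat(meta["last_publish"])).days
        if age_days > MAX_AGE_DAYS:
            issues.append(f"no release in {age_days} days")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    report = vet_dependencies(PACKAGE_JSON, REGISTRY_SNAPSHOT)
    for pkg, issues in report.items():
        print(f"{pkg}: {'; '.join(issues)}")
    raise SystemExit(1 if report else 0)  # non-zero fails the CI step
```

A flagged package is a prompt for manual review against the official documentation, not proof of malice; small or old packages can be legitimate.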
AI Code Review Checklist
- No hardcoded secrets or API keys
- Input validation present on all user inputs
- Error messages don't expose internal details
- Dependencies are verified (not hallucinated)
- Authentication/authorization properly checked
- No eval() or dynamic code execution with user input
- SQL queries use parameterized statements
- File operations validate paths
- Rate limiting on public endpoints
- Logging doesn't include sensitive data
Common AI Code Vulnerabilities
| Vulnerability | AI Pattern | Mitigation |
|---|---|---|
| Hallucinated packages | Non-existent npm/pip packages | Verify on registry |
| Insecure defaults | verify=False, secure=False | Enable security by default |
| Missing input validation | Direct user input usage | Add validation layer |
| Verbose error messages | Stack traces to users | Generic error responses |
| Hardcoded credentials | API keys in code | Use environment variables |
Security Commands
npm audit # Check for known vulnerabilities
npm audit fix # Auto-fix vulnerabilities
npx snyk test # Deep vulnerability scan
npm outdated # Check for outdated packages
Reporting Format
When reporting security issues:
## Security Finding
**Severity**: Critical/High/Medium/Low
**Category**: [OWASP category]
**Location**: [file:line]
**Description**: [What the vulnerability is]
**Impact**: [What could happen if exploited]
**Recommendation**: [How to fix it]
**References**: [OWASP/CWE links]
Score
Total Score
75/100
Based on repository quality metrics
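✓SKILL.md
Includes a SKILL.md file
+20
✓LICENSE
A license is set
+10
✓Description
Has a description of 100 characters or more
+10
○Popularity
100 or more GitHub stars
0/15
✓Recent activity
Updated within the last month
+10
○Forks
Forked 10 or more times
0/5
✓Issue management
Fewer than 50 open issues
+5
✓Language
A programming language is set
+5
✓Tags
One or more tags are set
+5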