Name: Security Reviewer
Author: Jeffallan

Install

Terminal · npx

$npx skills add https://github.com/jeffallan/claude-skills --skill security-reviewer

Works with Paperclip

How Security Reviewer fits into a Paperclip company.

Security Reviewer drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md103 linesmarkdown

Expand

1---2name: security-reviewer3description: Identifies security vulnerabilities, generates structured audit reports with severity ratings, and provides actionable remediation guidance. Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews, dependency audits, secrets scanning, or compliance checks. Produces vulnerability reports, prioritized recommendations, and compliance checklists.4license: MIT5allowed-tools: Read, Grep, Glob, Bash6metadata:7  author: https://github.com/Jeffallan8  version: "1.1.1"9  domain: security10  triggers: security review, vulnerability scan, SAST, security audit, penetration test, code audit, security analysis, infrastructure security, DevSecOps, cloud security, compliance audit11  role: specialist12  scope: review13  output-format: report14  related-skills: secure-code-guardian, code-reviewer, devops-engineer, cloud-architect, kubernetes-specialist, api-designer, mcp-developer15---16 17# Security Reviewer18 19Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security.20 21## When to Use This Skill22 23- Code review and SAST scanning24- Vulnerability scanning and dependency audits25- Secrets scanning and credential detection26- Penetration testing and reconnaissance27- Infrastructure and cloud security audits28- DevSecOps pipelines and compliance automation29 30## Core Workflow31 321. **Scope** — Map attack surface and critical paths. Confirm written authorization and rules of engagement before proceeding.332. **Scan** — Run SAST, dependency, and secrets tools. Example commands:34   - `semgrep --config=auto .`35   - `bandit -r ./src`36   - `gitleaks detect --source=.`37   - `npm audit --audit-level=moderate`38   - `trivy fs .`393. **Review** — Manual review of auth, input handling, and crypto. Tools miss context — manual review is mandatory.404. **Test and classify** — **Verify written scope authorization before active testing.** Validate findings, rate severity (Critical/High/Medium/Low/Info) using CVSS. Confirm exploitability with proof-of-concept only; do not exceed it.415. **Report** — Confirm findings with stakeholder before finalizing. Document with location, impact, and remediation. Report critical findings immediately.42 43## Reference Guide44 45Load detailed guidance based on context:46 47| Topic | Reference | Load When |48|-------|-----------|-----------|49| SAST Tools | `references/sast-tools.md` | Running automated scans |50| Vulnerability Patterns | `references/vulnerability-patterns.md` | SQL injection, XSS, manual review |51| Secret Scanning | `references/secret-scanning.md` | Gitleaks, finding hardcoded secrets |52| Penetration Testing | `references/penetration-testing.md` | Active testing, reconnaissance, exploitation |53| Infrastructure Security | `references/infrastructure-security.md` | DevSecOps, cloud security, compliance |54| Report Template | `references/report-template.md` | Writing security report |55 56## Constraints57 58### MUST DO59- Check authentication/authorization first60- Run automated tools before manual review61- Provide specific file/line locations62- Include remediation for each finding63- Rate severity consistently64- Check for secrets in code65- Verify scope and authorization before active testing66- Document all testing activities67- Follow rules of engagement68- Report critical findings immediately69 70### MUST NOT DO71- Skip manual review (tools miss things)72- Test on production systems without authorization73- Ignore "low" severity issues74- Assume frameworks handle everything75- Share detailed exploits publicly76- Exploit beyond proof of concept77- Cause service disruption or data loss78- Test outside defined scope79 80## Output Templates81 821. Executive summary with risk assessment832. Findings table with severity counts843. Detailed findings with location, impact, and remediation854. Prioritized recommendations86 87### Example Finding Entry88 89```90ID: FIND-00191Severity: High (CVSS 8.1)92Title: SQL Injection in user search endpoint93File: src/api/users.py, line 4294Description: User-supplied input is concatenated directly into a SQL query without parameterization.95Impact: An attacker can read, modify, or delete database contents.96Remediation: Use parameterized queries or an ORM. Replace `cursor.execute(f"SELECT * FROM users WHERE name='{name}'")`97             with `cursor.execute("SELECT * FROM users WHERE name=%s", (name,))`.98References: CWE-89, OWASP A03:202199```100 101## Knowledge Reference102 103OWASP Top 10, CWE, Semgrep, Bandit, ESLint Security, gosec, npm audit, gitleaks, trufflehog, CVSS scoring, nmap, Burp Suite, sqlmap, Trivy, Checkov, HashiCorp Vault, AWS Security Hub, CIS benchmarks, SOC2, ISO27001

Related skills

Angular Architect

Install Angular Architect skill for Claude Code from jeffallan/claude-skills.

Api Designer

Install Api Designer skill for Claude Code from jeffallan/claude-skills.

Architecture Designer

Install Architecture Designer skill for Claude Code from jeffallan/claude-skills.