security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
Author: affaan-m
Category: Development Tools
Download and extract to your skills directory
Copy command and send to OpenClaw for auto-install:
Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-cc-skill-security-review&locale=en&source=copy
Security Review - Code Security Review and Vulnerability Detection Tool
Skill Overview
Security Review is a comprehensive code security review skill that helps developers follow security best practices while coding, automatically detects potential security vulnerabilities, and provides a complete security checklist.
Applicable Scenarios
1. Implementing authentication and authorization
When your application needs user login, registration, or permission management, Security Review ensures JWT tokens are correctly stored in httpOnly cookies, authorization checks are performed before sensitive operations, and Supabase row-level security (RLS) is properly enabled.
2. Handling user input and file uploads
User-supplied data is the most common attack surface. This skill provides Zod validation schema examples to guide you in validating all user input, and in restricting file uploads by size, MIME type, and extension so that malicious files cannot be uploaded.
3. Creating API endpoints and sensitive features
When developing payment interfaces, API key management, or third-party integrations, Security Review offers a comprehensive security checklist covering SQL injection protection, CSRF protection, rate limiting, and sensitive data redaction.
Core Features
1. Coverage of ten major security domains
Covers key management, input validation, SQL injection protection, authentication and authorization, XSS protection, CSRF protection, rate limiting, sensitive data exposure, blockchain security, and dependency security—each domain includes concrete code examples and verification steps.
2. Comparative code demonstrations
Each security topic provides "incorrect example" and "correct approach" code comparisons, such as demonstrating why tokens should not be stored in localStorage and should instead use httpOnly cookies, helping developers quickly understand security risks.
3. Pre-deployment security checklist
Provides 17 essential security items to check before deployment, from whether there are hard-coded keys to whether row-level security is enabled, ensuring no critical security configuration is missed before production release.
4. Automated security test templates
Includes complete TypeScript test case examples covering authentication tests, authorization tests, input validation tests, and rate limiting tests, which can be directly integrated into your testing framework.
Frequently Asked Questions
Which programming languages does Security Review support?
This skill is primarily targeted at TypeScript/JavaScript development, especially suited for Next.js, React, Supabase, and Node.js projects. Code examples are written in TypeScript, but the security principles also apply to other languages like Python and Java.
Why can't sensitive information be stored in localStorage?
localStorage is readable by any script running on the page, so a successful XSS (cross-site scripting) attack lets injected JavaScript read every value stored there, including authentication tokens. The correct approach is to use httpOnly cookies: the browser still sends them with requests, but page scripts cannot read them, so an XSS payload cannot exfiltrate the token.
What security items must be checked before deployment?
The Security Review checklist includes: no hard-coded keys, all user input validated, database queries parameterized, user content sanitized for XSS, CSRF protection enabled, authentication tokens handled correctly, authorization checks implemented, rate limiting enabled, HTTPS enforced, security headers configured, error handling that does not leak sensitive information, and other critical checks—17 items in total.