Vibe-Skills security-reviewer
Security review wrapper for vibe review flow. Detects OWASP-style risks, secret leaks, auth flaws, and unsafe input handling.
Install
From source: clone the upstream repo
git clone https://github.com/foryourhealth111-pixel/Vibe-Skills
Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/foryourhealth111-pixel/Vibe-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/bundled/skills/security-reviewer" ~/.claude/skills/foryourhealth111-pixel-vibe-skills-security-reviewer && rm -rf "$T"
Manifest: bundled/skills/security-reviewer/SKILL.md
Source content:
security-reviewer (Codex Compatibility)
Use this skill after code changes that touch input handling, auth, APIs, data access, uploads, payments, or external integrations.
Security Review Workflow
- Initial Scan
  - Locate auth, API endpoints, DB queries, file handling, and external calls.
  - Check for hardcoded secrets and unsafe config defaults.
- OWASP-Oriented Checks
  - Injection: parameterized queries, sanitized inputs.
  - AuthZ/AuthN: enforce authorization per route, secure session/token handling.
  - Data exposure: secrets/PII protection and safe logging.
  - XSS/SSRF: output encoding, URL allowlist, no blind fetch of user URLs.
  - Dependency risk: audit vulnerable dependencies.
- High-Risk Pattern Audit
  - Hardcoded secrets/tokens
  - Command execution with user input
  - SQL string concatenation
  - Missing auth check
  - Missing rate limiting on sensitive endpoints
  - Unsafe crypto/password handling
- Remediation Output
  - Severity (CRITICAL/HIGH/MEDIUM/LOW)
  - Evidence (file + line + risk)
  - Concrete fix proposal
  - Verification steps after fix
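The workflow above is a checklist for a reviewer (human or model), not code. As an added example that is not part of the Vibe-Skills repo, the script below shows what the "High-Risk Pattern Audit" and "Remediation Output" steps look like when automated: a few narrow regex heuristics for hardcoded secrets, command execution with user input, SQL string concatenation and weak password hashing, plus a multi-line check for a route decorator with no auth decorator in its stack, each reported as severity + file:line + risk + fix + verification step. The rules, severities, fix text and the `app.py` sample source are this example's own assumptions; the heuristics are deliberately simple and will miss and mis-flag things a real review would catch.

```python
"""Pattern audit for the 'High-Risk Pattern Audit' checklist step.
Added example, not code from the Vibe-Skills repo: rules, severities,
fix text and the sample source are this example's own assumptions."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass(frozen=True)
class Finding:
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW
    path: str
    line: int
    risk: str
    evidence: str   # the offending source line
    fix: str        # concrete fix proposal
    verify: str     # how to confirm the fix afterwards


# Single-line rules: (severity, risk, regex, fix, verify). These are narrow
# heuristics for Python-style code, not a parser; tune them per project.
LINE_RULES = [
    ("CRITICAL", "Hardcoded secret/token",
     re.compile(r"""\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*["'][^"']{8,}["']""", re.I),
     "Load the value from an environment variable or secret manager; rotate the exposed credential.",
     "Grep the repo and git history for the literal; confirm the old credential is revoked."),
    ("CRITICAL", "Command execution with user input",
     re.compile(r"""\b(?:os\.system|subprocess\.(?:call|run|Popen))\(.*(?:request\.|input\(|sys\.argv|\bf["'])"""),
     "Pass an argument list (no shell=True) and validate the value against an allowlist.",
     "Submit a value containing shell metacharacters and confirm it is rejected, not executed."),
    ("HIGH", "SQL string concatenation",
     re.compile(r"""(?:\b(?:select|insert|update|delete)\b.*["']\s*\+|execute\(\s*f["'])""", re.I),
     "Use parameterized queries (placeholders bound by the driver) instead of string building.",
     "Send a quote character in the input and confirm the query still treats it as data."),
    ("HIGH", "Unsafe password hashing",
     re.compile(r"""\b(?:md5|sha1)\s*\(.*(?:pass|pwd)""", re.I),
     "Hash passwords with bcrypt, scrypt or argon2 through a vetted library.",
     "Confirm stored hashes carry the new algorithm prefix and old hashes are re-hashed on login."),
]

AUTH_DECORATOR = re.compile(r"login_required|requires_auth|auth_required")  # assumed names
ROUTE_DECORATOR = re.compile(r"^\s*@\w+\.route\(")


def audit_lines(path, lines):
    """Apply every single-line rule to every line of a file."""
    findings = []
    for no, text in enumerate(lines, start=1):
        for severity, risk, pattern, fix, verify in LINE_RULES:
            if pattern.search(text):
                findings.append(Finding(severity, path, no, risk, text.strip(), fix, verify))
    return findings


def audit_routes(path, lines):
    """Flag a route whose decorator stack (down to the def) has no auth decorator."""
    findings = []
    for no, text in enumerate(lines, start=1):
        if not ROUTE_DECORATOR.match(text):
            continue
        stack = []
        for later in lines[no:]:          # lines after the route decorator
            if later.lstrip().startswith("def "):
                break
            stack.append(later)
        if not any(AUTH_DECORATOR.search(s) for s in stack):
            findings.append(Finding("HIGH", path, no, "Missing auth check", text.strip(),
                                    "Add the project's authorization decorator and check the caller's role per route.",
                                    "Call the endpoint unauthenticated and as a low-privilege user; expect 401/403."))
    return findings


def audit_source(path, source):
    """Run all checks over one file and order findings by severity, then line."""
    lines = source.splitlines()
    findings = audit_lines(path, lines) + audit_routes(path, lines)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


def format_report(findings):
    """Render findings in the checklist's Remediation Output shape."""
    out = []
    for f in findings:
        out.append(f"[{f.severity}] {f.path}:{f.line} {f.risk}")
        out.append(f"  evidence: {f.evidence}")
        out.append(f"  fix:      {f.fix}")
        out.append(f"  verify:   {f.verify}")
    return "\n".join(out)


# Constructed sample file that trips each rule once (not real project code).
SAMPLE_SOURCE = '''\
import hashlib, os, subprocess
from flask import Flask, request
app = Flask(__name__)
API_KEY = "sk_live_1234567890abcdef"   # constructed sample secret

@app.route("/admin/users")
def admin_users():
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(query)

@app.route("/ping")
@login_required
def ping():
    return os.system("ping -c 1 " + request.args["host"])

def store_password(password):
    return hashlib.md5(password.encode()).hexdigest()
'''

if __name__ == "__main__":
    print(format_report(audit_source("app.py", SAMPLE_SOURCE)))
```

Running the script prints five findings for the sample file, two CRITICAL (the literal key on line 4, the shell command on line 15) and three HIGH (the unprotected `/admin/users` route, the concatenated query, the MD5 password hash), each with the fix and the verification step a reviewer would paste into the remediation output. A parameterized query such as `cur.execute("SELECT 1 WHERE id = %s", (uid,))` produces no finding, which is the behaviour the Injection check asks for.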
Vibe Integration
- Security gate skill usable at any grade.
- Pair with security-best-practices for language/framework-specific guidance.
- Pair with code-review for combined correctness + security review.