← Back to Skills Marketplace
Security Review
by
Solomon Neas
· GitHub ↗
· v1.0.0
· MIT-0
225
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install sn-security-review
Description
Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when re...
README (SKILL.md)
Security Code Review
Review code changes for security vulnerabilities, following OWASP Top 10 and secure coding best practices.
What to Check
Injection (SQL, Command, LDAP, XSS)
- User input used in queries without parameterization
- Template literals in SQL strings
eval(),exec(),os.system()with user input- Unescaped output in HTML templates
Authentication & Session
- Hardcoded credentials or API keys
- Weak password requirements
- Missing rate limiting on auth endpoints
- Session fixation or missing regeneration
- JWT without expiration or with weak signing
Authorization
- Missing access control checks on endpoints
- IDOR (direct object reference without ownership check)
- Role checks that can be bypassed
- Privilege escalation paths
Secrets & Data Exposure
- API keys, tokens, passwords in code or configs
- Sensitive data in logs
- PII without encryption
- .env files or secrets committed to git
Configuration
- Debug mode enabled in production
- CORS set to wildcard (*)
- Missing security headers
- Default credentials unchanged
- Verbose error messages exposing internals
Output Format
For each finding:
**FINDING:** [Title]
**Severity:** CRITICAL | HIGH | MEDIUM | LOW
**File:** [path:line]
**Code:** [the problematic code]
**Issue:** [what's wrong]
**Fix:** [how to fix it, with code example]
**OWASP:** [category reference]
Rules
- Focus on HIGH and CRITICAL findings first
- Provide working fix code, not just descriptions
- If no security issues found, say so clearly
- Note any areas that need manual review (business logic, auth flows)
Usage Guidance
This skill is coherent and lightweight, but keep these practical points in mind before using it with real projects: (1) It will analyze whatever code you give it — do not supply secrets or private tokens in plain text. If findings include secrets, treat those as sensitive and rotate credentials as needed. (2) The skill produces suggested fixes and code examples but cannot safely apply changes; always review and test suggestions before merging. (3) If you plan to let the agent run autonomously on private repos, restrict its access and monitor outputs (the skill could surface sensitive snippets from code). (4) This checklist doesn't replace manual review of business-logic issues; note any areas requiring human assessment. If you want stronger guarantees, require the skill only be run interactively and avoid granting repository credentials or automated access to production systems.
Capability Analysis
Type: OpenClaw Skill
Name: sn-security-review
Version: 1.0.0
The skill bundle contains standard instructions for an AI agent to perform security code reviews based on OWASP Top 10 principles. The SKILL.md file provides a structured framework for identifying vulnerabilities such as injection, credential exposure, and authorization flaws without any evidence of malicious intent, data exfiltration, or prompt injection attacks.
Capability Assessment
Purpose & Capability
The name/description describe a security code review and the SKILL.md contains checks and output format consistent with that purpose. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
Runtime instructions focus on reviewing code for OWASP Top 10, secrets, injections, auth/authorization, and configuration issues. The document does not instruct the agent to read unrelated system files, access environment variables, or transmit data to external endpoints. It does not give broad, open-ended permissions beyond reviewing provided code diffs/PRs.
Install Mechanism
There is no install spec and no shipped code — the skill is instruction-only, so nothing will be written to disk or downloaded during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for a checklist-style review tool.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/system-wide privileges or modifications to other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sn-security-review - After installation, invoke the skill by name or use
/sn-security-review - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish. Security-focused code review for PRs: OWASP Top 10, secrets, injection, auth, configuration issues.
Metadata
Frequently Asked Questions
What is Security Review?
Review code changes for security vulnerabilities. Checks for OWASP Top 10, secrets exposure, injection flaws, auth issues, and insecure defaults. Use when re... It is an AI Agent Skill for Claude Code / OpenClaw, with 225 downloads so far.
How do I install Security Review?
Run "/install sn-security-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Review free?
Yes, Security Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Security Review support?
Security Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Security Review?
It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.
More Skills