Skill

Security Review

Performs security reviews for risky code changes like sensitive file edits, shell commands, dependencies, CI/CD, and secrets using Clawdstrike MCP tools for policy checks.

Docker

CI/CD

security

Popularity

Parent stars

279

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/clawdstrike:security-review

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

SKILL.md

69 lines · ~796 tokens

Stats

LanguageTypeScript

Parent stars279

Parent forks33

MaintenanceGood

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Security Review

This skill activates when the user or conversation involves: - Multi-file edits touching security-sensitive paths (auth, config, credentials, .env, keys) - Shell commands that modify system state, install packages, or change permissions - New dependency additions or version changes - Changes to CI/CD, Docker, or infrastructure configuration - File writes to sensitive directories (/etc, ~/.ssh, ~/.aws, ~/.config) - File reads of sensitive paths (private keys, credential stores, token caches, certificate files) - Any content containing these keywords: "secret", "credential", "API key", "token", "password", "private key", "certificate", ".env", "auth", "permission"

Security Checklist

Before proceeding with risky actions, use the clawdstrike_check MCP tool to verify policy compliance:

Pre-flight check: Call clawdstrike_check with the action_type and target before executing
Secret scanning: Verify no secrets, API keys, or credentials are being written to files
Dependency audit: For new dependencies, check for known vulnerabilities
Permission scope: Ensure file operations stay within allowed paths
Shell safety: Validate shell commands against the ShellCommandGuard policy

Action Type Mapping

Use these action_type values when calling clawdstrike_check:

Scenario	action_type	target
Writing/reading files	`file`	Absolute file path
Running shell commands	`shell`	The command string
HTTP/network requests	`egress`	Domain or URL
Installing packages	`shell`	Install command
MCP tool invocation	`mcp_tool`	Tool name

Response Guidelines

When this skill is active:

Proactively call clawdstrike_check before file writes to sensitive paths
Flag potential security issues with severity levels (Critical/High/Medium/Low)
Suggest safer alternatives when an action would be blocked by policy
Reference specific guards that would evaluate the action

Recommended Tools

Use these MCP tools in order of priority when this skill activates:

Tool	When to Use
`clawdstrike_check`	Before any file write, shell command, or egress -- the primary enforcement tool
`clawdstrike_policy_eval`	To test hypothetical actions without executing them -- use for planning
`clawdstrike_policy_show`	To understand which guards are active and what the current restrictions are
`clawdstrike_scan`	To audit all MCP server configs for misconfigurations before a review
`clawdstrike_policy_lint`	To validate policy YAML files for syntax/schema errors

Guard Reference

These guards are evaluated during checks:

ForbiddenPathGuard - Blocks access to sensitive filesystem paths
PathAllowlistGuard - Enforces allowlist-based path access
SecretLeakGuard - Detects secrets/credentials in file content
ShellCommandGuard - Blocks dangerous shell commands
EgressAllowlistGuard - Controls outbound network access
PatchIntegrityGuard - Validates patch/diff safety

Security Review

Popularity

Invocation

Context Preview

SKILL.md

Security Review

Popularity

Invocation

Context Preview

SKILL.md

Security Review

Security Checklist

Action Type Mapping

Response Guidelines

Recommended Tools

Guard Reference

Similar Skills

Security Review

Security Checklist

Action Type Mapping

Response Guidelines

Recommended Tools

Guard Reference

Similar Skills