From mcp-security-review
Performs pre-coding security assessments for development tasks, detecting technologies, assessing risk levels, identifying categories, and providing OWASP guidance before coding.
Slash command: /mcp-security-review:security-review
Perform a pre-coding security review for the following task:
$ARGUMENTS
Analyze the task description above and produce a structured security assessment. If no task description was provided in the arguments, ask the user to describe what they are building and optionally their tech stack before proceeding.
Detect technologies from the description:
Assign a risk level:
Critical — payments/financial transactions, healthcare/PHI, authentication system, cryptographic key management, admin functionality, multi-tenant data isolation
High — PII collection/storage, file uploads, external API integrations, session management, password handling, OAuth flows, database schema changes
Medium — user-generated content, search functionality, data exports, email/notification systems, third-party SDKs, internal APIs
Low — static content, read-only public data, internal tooling with no sensitive data
Select all applicable:
authentication — login, registration, password reset, MFA
authorization — access control, roles, permissions, IDOR
data_validation — input validation, sanitization, output encoding
cryptography — encryption, hashing, key management, TLS
api_security — endpoints, rate limiting, CORS, versioning
web_security — XSS, CSRF, clickjacking, CSP
database — SQL injection, ORM, connection security
secrets_management — credentials, env vars, vaults
error_handling — information disclosure, stack traces
logging — audit trails, sensitive data in logs
cloud_security — IAM, S3 permissions, VPC, security groups
supply_chain_security — dependencies, lockfiles
For each identified category, provide specific, actionable guidance:
Authentication: Use bcrypt/argon2 for passwords; implement account lockout; secure HttpOnly SameSite cookies; rotate session tokens after login; enforce MFA for high-privilege actions.
Authorization: Validate permissions server-side on every request; deny-by-default; avoid direct object references; check ownership before granting access.
Data Validation: Validate and sanitize ALL user input server-side; use allowlists not denylists; encode output based on context (HTML, JS, SQL, URL); validate file uploads by type, size, and content.
Cryptography: AES-256-GCM or ChaCha20-Poly1305 for encryption; SHA-256+ for hashing (never MD5/SHA1 for security); cryptographically secure random for tokens; never hardcode keys.
API Security: Authenticate all sensitive endpoints; rate limit per user and per IP; validate Content-Type; return generic error messages (no stack traces in production); HTTPS + HSTS.
Injection Prevention: Parameterized queries/prepared statements for SQL; avoid eval()/exec() with user input; subprocess with shell=False (Python); sanitize data in OS commands, LDAP, XML, HTML.
Secrets Management: Never commit secrets to git; use environment variables or secrets manager (Vault, AWS SSM); rotate credentials regularly; scan commits for accidental exposure.
Produce this exact structure:
Task: [task description]
Risk Level: [LOW | MEDIUM | HIGH | CRITICAL]
Tech Stack Detected: [list or "not specified"]
Security Categories: [comma-separated list]
[2–3 sentences explaining why this risk level was assigned and what the primary security concerns are for this specific task]
For each identified category:
Copy this into your prompt when asking an AI to generate code for this task:
SECURITY REQUIREMENTS — apply throughout all generated code:
Risk Level: [RISK LEVEL]
[Bulleted list of the top 5–7 security requirements written as direct instructions to an AI code generator, specific to this task]
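A keyword-based triage that mechanises the risk tiers, category list and output header described above, added here as an example and not part of the mcp-security-review skill itself. The keyword subsets for each tier and category, and the technology name list, are constructed assumptions, since the skill leaves that detection to the model.

```python
import re

# Risk tiers from the skill, checked highest first; the keywords are a constructed
# subset of each tier's bullet.
RISK_TIERS = [
    ("CRITICAL", ["payment", "financial", "healthcare", "patient", "authentication", "login",
                  "key management", "admin", "multi-tenant"]),
    ("HIGH", ["pii", "file upload", "api integration", "session", "password", "oauth", "schema"]),
    ("MEDIUM", ["user-generated", "search", "export", "email", "notification", "sdk", "internal api"]),
]

# Security categories from the skill, each with constructed trigger keywords.
CATEGORIES = {
    "authentication": ["login", "registration", "password", "mfa", "authentication"],
    "authorization": ["role", "permission", "access control", "admin", "tenant"],
    "data_validation": ["input", "upload", "form", "user-generated"],
    "cryptography": ["encrypt", "hash", "key management", "tls"],
    "api_security": ["api", "endpoint", "rate limit", "cors"],
    "database": ["sql", "database", "schema", "orm", "postgres", "mysql"],
    "secrets_management": ["credential", "secret", "env var", "vault"],
    "logging": ["audit", "logging", "logs"],
}

# Assumed technology names: the skill asks to detect technologies but lists none.
TECHNOLOGIES = ["python", "django", "flask", "node", "express", "react", "postgres", "mysql", "aws", "s3"]


def _mentions(text: str, keyword: str) -> bool:
    # Anchor at a word start so "admin" also hits "admins" but "log" never hits "blog".
    return re.search(rf"\b{re.escape(keyword)}", text) is not None


def assess(task: str) -> dict:
    """Derive risk level, security categories and tech stack from a task description."""
    text = task.lower()
    risk = next((lvl for lvl, kws in RISK_TIERS if any(_mentions(text, k) for k in kws)), "LOW")
    cats = [c for c, kws in CATEGORIES.items() if any(_mentions(text, k) for k in kws)]
    tech = [t for t in TECHNOLOGIES if _mentions(text, t)]
    return {"task": task, "risk": risk, "tech": tech, "categories": cats}


def render(a: dict) -> str:
    """Emit the header block in the exact structure the skill's output template specifies."""
    return "\n".join([
        f"Task: {a['task']}",
        f"Risk Level: {a['risk']}",
        f"Tech Stack Detected: {', '.join(a['tech']) or 'not specified'}",
        f"Security Categories: {', '.join(a['categories']) or 'none'}",
    ])
```

Call `render(assess("Add a Flask endpoint that lets admins export user PII to S3"))` to see the CRITICAL header the admin keyword produces; the model-driven skill adds the rationale and per-category guidance on top of this header.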
npx claudepluginhub srajangpt1/ai-security-crew