February 4, 2026
Install the skill with:

```
npx add-skill https://github.com/Yeachan-Heo/oh-my-claudecode/blob/main/skills/security-review/SKILL.md -a claude-code --skill security-review
```

Installation paths:

```
.claude/skills/security-review/
```

# Security Review Skill

Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.

## When to Use

This skill activates when:

- User requests "security review", "security audit"
- After writing code that handles user input
- After adding new API endpoints
- After modifying authentication/authorization logic
- Before deploying to production
- After adding external dependencies

## What It Does

Delegates to the `security-reviewer` agent (Opus model) for deep security analysis:

1. **OWASP Top 10 Scan**
   - A01: Broken Access Control
   - A02: Cryptographic Failures
   - A03: Injection (SQL, NoSQL, Command, XSS)
   - A04: Insecure Design
   - A05: Security Misconfiguration
   - A06: Vulnerable and Outdated Components
   - A07: Identification and Authentication Failures
   - A08: Software and Data Integrity Failures
   - A09: Security Logging and Monitoring Failures
   - A10: Server-Side Request Forgery (SSRF)

2. **Secrets Detection**
   - Hardcoded API keys
   - Passwords in source code
   - Private keys in repo
   - Tokens and credentials
   - Connection strings with secrets

3. **Input Validation**
   - All user inputs sanitized
   - SQL/NoSQL injection prevention
   - Command injection prevention
   - XSS prevention (output escaping)
   - Path traversal prevention

4. **Authentication/Authorization**
   - Proper password hashing (bcrypt, argon2)
   - Session management security
   - Access control enforcement
   - JWT implementation security

5. **Dependency Security**
   - Run `npm audit` for known vulnerabilities
   - Check for outdated dependencies
   - Identify high-severity CVEs

## Agent Delegation

```
Task(
  subagent_type="oh-my-claudecode:security-reviewer",
  model="opus",
  prompt="SECURITY REVIEW TASK
Conduct comprehensive security audit of codebase.
Scope: [specific files or entire codebase]
Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation revie
```
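The Secrets Detection step above lists the credential classes the reviewer looks for. As an added example (not code from the skill or the oh-my-claudecode project), here is a small Node.js scanner that flags those classes in source text while skipping environment reads and template placeholders; the patterns, allowlist and sample lines are constructed for illustration.

```javascript
// Added example: a minimal detector for the secret classes listed under
// "Secrets Detection" (API keys, passwords, private keys, tokens,
// connection strings). Patterns are constructed for illustration.
const SECRET_PATTERNS = [
  { kind: 'aws-access-key', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: 'private-key', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { kind: 'password-assign', re: /\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']/i },
  { kind: 'generic-token', re: /\b(?:api[_-]?key|token|secret)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i },
  { kind: 'connection-string', re: /\b(?:postgres|mysql|mongodb(?:\+srv)?|redis):\/\/[^:\s]+:[^@\s]+@/i },
];

// Lines that read the value from the environment or use a template
// placeholder are configuration, not hardcoded secrets: skip them.
const ALLOWLIST = [/process\.env\./, /\bos\.environ\b/, /\$\{[A-Z_][A-Z0-9_]*\}/, /<redacted>/i];

// Scan source text line by line; returns one finding per offending line.
// The reported evidence is truncated so the report itself does not leak the secret.
function scanSource(text, file = 'input') {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    if (ALLOWLIST.some((a) => a.test(line))) return;
    for (const { kind, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (m) {
        findings.push({ file, line: i + 1, kind, evidence: m[0].slice(0, 8) + '...' });
        break; // first matching class per line is enough for triage
      }
    }
  });
  return findings;
}

// Constructed sample file: lines 1, 3, 4 and 5 are findings; 2 and 6 are not.
const SAMPLE_SOURCE = [
  'const db = "postgres://app:s3cr3tpass@db.internal:5432/prod";',
  'const stripeKey = process.env.STRIPE_API_KEY;',
  'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
  'password: "hunter2"',
  '-----BEGIN RSA PRIVATE KEY-----',
  'const url = `https://api.example.test/?token=${API_TOKEN}`;',
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE, 'config.js'), null, 2));
```

A real review would run this over every tracked file and treat each finding as a prompt to rotate the credential, not just to delete the line.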