- Home
- Skills
- Itou Daiki
- Easy Stat Edu
- Security Reviewer
security-reviewer_skill
- JavaScript
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill itou-daiki/easy_stat_edu --skill security-reviewer- SKILL.md14.0 KB
Overview
This skill is a security vulnerability detection and remediation specialist for JavaScript web applications. It proactively analyzes code, configs, and dependencies to find OWASP Top 10 issues, hardcoded secrets, SSRF, injection flaws, unsafe crypto, and insecure auth/authorization. Use it to prevent security regressions before code reaches production.
How this skill works
The skill runs an initial automated scan using tools like npm audit, eslint-plugin-security, semgrep, and secret scanners, then performs focused reviews of high-risk areas (auth, API endpoints, DB queries, uploads, payments). It flags findings with severity, example exploit patterns, and concrete remediation snippets. For PRs it produces blocking vs non-blocking recommendations and a checklist for follow-up.
When to use it
- After adding or changing API endpoints
- When implementing or modifying authentication/authorization
- When handling user input, file uploads, or external URLs
- Before releasing features that touch sensitive data or payments
- After dependency updates or when a CVE is disclosed
- Immediately after a security incident or user report
Best practices
- Run automated scans as part of CI (npm audit, eslint security, semgrep)
- Treat secrets as high-priority: block commits with hardcoded keys and rotate exposed credentials
- Validate and whitelist all external input; prefer parameterized queries and prepared statements
- Ensure strong auth: hashed passwords (bcrypt/argon2), JWT validation, session protections, and MFA where appropriate
- Apply rate limiting for sensitive endpoints and enforce security headers and HTTPS
- Log security events without sensitive data and monitor alerts continuously
Example use cases
- Review a pull request that adds a new /api/upload endpoint to detect SSRF, file validation, and path traversal issues
- Scan a codebase after dependency upgrades to catch vulnerable npm packages and suggest fixes
- Audit authentication flows for insecure password handling, missing authorization checks, or JWT misuse
- Inspect code that interacts with external APIs to ensure API keys aren’t leaked and requests are validated
- Produce a security review report for a payments feature with remediation steps, POC examples, and a blocking checklist
FAQ
I recommend npm audit, eslint-plugin-security, semgrep, trufflehog/git-secrets for secret scans, and targeted grep searches; include them in CI for repeatable checks.
How do you prioritize findings?
Findings are ranked by severity (Critical, High, Medium, Low) based on exploitability and impact. Critical issues (secrets, SQL/command injection, broken auth) are blocked until fixed.