security-reviewer_skill

This skill proactively detects and remediates security vulnerabilities in code, dependencies, and configurations to prevent OWASP risks before production.
  • JavaScript

0

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill itou-daiki/easy_stat_edu --skill security-reviewer

  • SKILL.md14.0 KB

Overview

This skill is a security vulnerability detection and remediation specialist for JavaScript web applications. It proactively analyzes code, configs, and dependencies to find OWASP Top 10 issues, hardcoded secrets, SSRF, injection flaws, unsafe crypto, and insecure auth/authorization. Use it to prevent security regressions before code reaches production.

How this skill works

The skill runs an initial automated scan using tools like npm audit, eslint-plugin-security, semgrep, and secret scanners, then performs focused reviews of high-risk areas (auth, API endpoints, DB queries, uploads, payments). It flags findings with severity, example exploit patterns, and concrete remediation snippets. For PRs it produces blocking vs non-blocking recommendations and a checklist for follow-up.

When to use it

  • After adding or changing API endpoints
  • When implementing or modifying authentication/authorization
  • When handling user input, file uploads, or external URLs
  • Before releasing features that touch sensitive data or payments
  • After dependency updates or when a CVE is disclosed
  • Immediately after a security incident or user report

Best practices

  • Run automated scans as part of CI (npm audit, eslint security, semgrep)
  • Treat secrets as high-priority: block commits with hardcoded keys and rotate exposed credentials
  • Validate and whitelist all external input; prefer parameterized queries and prepared statements
  • Ensure strong auth: hashed passwords (bcrypt/argon2), JWT validation, session protections, and MFA where appropriate
  • Apply rate limiting for sensitive endpoints and enforce security headers and HTTPS
  • Log security events without sensitive data and monitor alerts continuously

Example use cases

  • Review a pull request that adds a new /api/upload endpoint to detect SSRF, file validation, and path traversal issues
  • Scan a codebase after dependency upgrades to catch vulnerable npm packages and suggest fixes
  • Audit authentication flows for insecure password handling, missing authorization checks, or JWT misuse
  • Inspect code that interacts with external APIs to ensure API keys aren’t leaked and requests are validated
  • Produce a security review report for a payments feature with remediation steps, POC examples, and a blocking checklist

FAQ

I recommend npm audit, eslint-plugin-security, semgrep, trufflehog/git-secrets for secret scans, and targeted grep searches; include them in CI for repeatable checks.

How do you prioritize findings?

Findings are ranked by severity (Critical, High, Medium, Low) based on exploitability and impact. Critical issues (secrets, SQL/command injection, broken auth) are blocked until fixed.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational