security_skill

This skill performs a security review of code changes, identifying vulnerabilities, omissions, and recommendations to strengthen input handling and access
  • TypeScript

0

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill matthew-plusprogramming/monorepo --skill security

  • SKILL.md12.2 KB

Overview

This skill reviews TypeScript implementations for security vulnerabilities and best practices, producing a pass/fail report with findings and concrete recommendations. It focuses on input validation, injection prevention, auth/authz, secrets handling, data protection, and dependency risks. Use it after code review and before merging changes.

How this skill works

The skill loads the spec group and implementation evidence, identifies entry points and data flows, and runs targeted checks across source files. It inspects input validation, database and shell usage, authentication and authorization logic, secret handling, logging, encryption practices, and dependency vulnerabilities, then aggregates findings into a structured security report. The process enforces prerequisites and halts if code review or implementation status is not satisfied.

When to use it

  • After code review and when all atomic specs are implemented
  • Any change that handles user input or external requests
  • Authentication or authorization logic changes
  • API endpoints, data access, or database queries
  • File system operations, shell execution, or crypto changes

Best practices

  • Run security review after passing code review to avoid noise from quality issues
  • Validate every user input with a schema (Zod/Joi) and enforce length/enum whitelists
  • Use parameterized queries or an ORM; never concatenate user input into SQL
  • Ensure endpoints enforce authentication and explicit authorization checks
  • Keep secrets out of code, use environment variables, and avoid logging sensitive values
  • Run dependency audits and keep lockfiles committed

Example use cases

  • Review a new login or registration endpoint for validation, password hashing, and token handling
  • Audit a data-access endpoint for SQL injection and proper authorization checks
  • Verify a feature that spawns processes or calls shell commands to prevent command injection
  • Check infrastructure-related code (CDKTF) for secrets in config or misconfigured access controls
  • Run a quick pass on UI-only changes to confirm no accidental data exposure

FAQ

Skip security review for pure documentation or tests that do not touch production code; otherwise run it for any change touching data flow, auth, or external interfaces.

What blocks the review from proceeding?

The review stops if the spec group is missing, code review hasn't passed, or not all atomic specs are implemented; address those first and re-run the review.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational