security-check

Original：🇺🇸 English

Translated

Red-team security review for code changes. Use when reviewing pending git changes, branch diffs, or new features for security vulnerabilities, permission gaps, injection risks, and attack vectors. Acts as a pen-tester analyzing code.

2installs

Sourcebjesuiter/skills

Added on2026-02-24

NPX Install

npx skill4agent add bjesuiter/skills security-check

SKILL.md Content

View Translation Comparison →

Security Check

Red-team style security review for code changes. Think like an attacker.

Modes

1. Pending Changes (default)

Review uncommitted changes in the current working directory:

bash

git diff HEAD
git diff --cached  # staged changes

2. Branch vs Main

Review all commits on a branch against main:

bash

git log main..<branch> --oneline  # list commits
git diff main...<branch>          # three dots = merge-base diff

3. Specific Commit Range

bash

git diff <commit1>..<commit2>

Review Checklist

Input Validation

User input sanitized before use?
SQL injection vectors?
Command injection (shell escapes)?
Path traversal (
```
../
```
in file paths)?
XSS in HTML/JS output?
Prototype pollution (JS objects)?

Authentication & Authorization

Auth checks on all sensitive endpoints?
Permission escalation paths?
Session handling flaws?
Token exposure in logs/URLs?
Missing rate limiting?

Secrets & Configuration

Hardcoded credentials/API keys?
Secrets in logs or error messages?
Insecure defaults?
Debug mode left enabled?
```
.env
```
files committed?

Data Exposure

Sensitive data in responses?
PII leaked in logs?
Stack traces exposed to users?
Internal paths/IPs revealed?

Cryptography

Weak algorithms (MD5, SHA1 for security)?
Hardcoded IVs/salts?
Predictable random values?
Missing HTTPS enforcement?

Dependencies

Known vulnerable packages?
Unpinned versions?
Typosquatting risk?

File Operations

Arbitrary file read/write?
Unsafe deserialization?
Temp file races?
Symlink attacks?

Process & Network

SSRF vectors?
Open redirects?
Unsafe subprocess calls?
Missing timeouts?

Output Format

For each finding:

🔴 [CRITICAL|HIGH|MEDIUM|LOW] <Title>

📍 Location: <file:line>

💀 Attack Vector:
<How an attacker would exploit this>

📝 Code:
<relevant snippet>

✅ Fix:
<suggested remediation>

Workflow

Identify scope — Ask which mode (pending/branch/commit range)
Get the diff — Run appropriate git commands
Analyze systematically — Go through checklist
Prioritize findings — CRITICAL > HIGH > MEDIUM > LOW
Suggest fixes — Concrete code changes, not vague advice
Summary — Executive summary with risk assessment

Quick Commands

bash

# Pending changes
git diff HEAD

# Branch review
git diff main...feature-branch

# Check for secrets (basic)
git diff HEAD | grep -iE "(password|secret|api.?key|token|credential)"

# Check for dangerous functions
git diff HEAD | grep -iE "(eval|exec|system|shell_exec|passthru|popen)"

Risk Levels

CRITICAL: Exploitable now, high impact (RCE, auth bypass, data breach)
HIGH: Likely exploitable, significant impact
MEDIUM: Exploitable under specific conditions
LOW: Defense-in-depth issues, minor exposure

security-check

NPX Install

Tags

SKILL.md Content

Security Check

Modes

1. Pending Changes (default)

2. Branch vs Main

3. Specific Commit Range

Review Checklist

Input Validation

Authentication & Authorization

Secrets & Configuration

Data Exposure

Cryptography

Dependencies

File Operations

Process & Network

Output Format

Workflow

Quick Commands

Risk Levels