SR
Security Review
🔵 Stable🕐 updated 2026-07-01
🔷 SkillSpec L3
pm-security
Review a design, PR, or feature for security issues before it ships. Use when asked to do a security review, security-review a change/PR, or check a feature for vulnerabilities. Produces a structured review across the common risk areas (authn/authz, input handling, secrets, data exposure, dependencies), findings ranked by severity with concrete fixes, and a ship / fix-first verdict. For code and systems you own or are authorized to review.
What to give it
▸What's under review — the design/diff/feature, and what it does.
▸Context — the stack, where it runs, what data/permissions it touches, who can reach it (internet-facing? authenticated?).
▸Sensitivity — the assets involved (PII, credentials, money, admin capability) and the threat context.
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓Every standard risk area is considered (authz incl. IDOR, input/injection, secrets, data exposure, deps, abuse)
✓Findings are ranked by severity with a concrete, actionable fix each
✓Exploitability is explained — why it's a real issue in this context, not a generic warning
✓A clear ship / fix-first / block verdict names the gating issues
✓Existing good controls are acknowledged; deeper follow-ups (scanner/pentest) are flagged
⚠️ What it refuses to do
Do not produce a generic checklist — tie each finding to this code/design and its exploit path
Do not rank everything the same — separate critical from hardening nits
Do not report an issue without a fix — give the concrete remediation
Do not miss authorization (IDOR/privilege) — it's the most common real-world web flaw
Do not review code you don't own or aren't authorized to assess
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="security-review"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
Security Review is one of 599 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog