---
name: security-review
description: Security-focused code review checklist for identifying vulnerabilities
version: 1.0.0
metadata:
  tags:
    - code-review
    - security
---
# Security Review
When reviewing code for security issues, check each category below. Reference the detailed checklist in `references/security-checklist.md`.
## Injection Vulnerabilities
- SQL injection: Look for string concatenation in database queries
- Command injection: Check for unsanitized input passed to shell commands (`exec`, `spawn`)
- XSS: Look for unsanitized user input rendered in HTML/templates
- Path traversal: Check for user input in file paths without sanitization
## Authentication & Authorization
- Verify authentication checks on protected routes/endpoints
- Ensure authorization checks match the required access level
- Look for privilege escalation paths (e.g., user can modify other users' data)
- Check that password/token comparison uses constant-time comparison
## Secrets & Credentials
- Hardcoded API keys, passwords, tokens, or connection strings
- Secrets in configuration files that might be committed
- Sensitive data in logs or error messages
- Credentials passed via URL query parameters
## Input Validation
- Validate and sanitize all external input (user input, API responses, file contents)
- Check for missing or weak input validation on API endpoints
- Verify type coercion doesn't bypass validation
- Look for overly permissive CORS or CSP configurations
## Data Exposure
- Sensitive data returned in API responses unnecessarily
- PII or secrets in application logs
- Information leakage in error messages (stack traces, internal paths)
- Missing data encryption for sensitive fields
## Severity Levels
- 🔴 **CRITICAL**: Exploitable vulnerability (injection, auth bypass, exposed secrets)
- 🟠 **HIGH**: Potential vulnerability that needs investigation
- 🟡 **MEDIUM**: Security weakness or missing best practice
- 🔵 **LOW**: Minor security improvement suggestion
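As an added illustration of how the checklist and severity scale above translate into a mechanical first pass (this is not the Mastra project's own code), the following pattern-based pre-screen flags a few of the listed items in sample source lines and ranks them with the page's severity levels. The rule names, regexes and sample lines are constructed here and deliberately narrow; a human review still has to confirm each finding.

```javascript
// Added example, not Mastra's own code: a pattern-based pre-screen mapping a few
// checklist items to the page's severity levels. Rule names, regexes and the
// sample lines are constructed for illustration and deliberately narrow.
const RULES = [
  // Injection: string concatenation or template interpolation into a query
  // or shell call. A parameterized query (last sample line) does not match.
  { id: 'sql-injection', severity: 'CRITICAL',
    re: /\b(query|execute)\s*\(\s*(["'][^"']*["']\s*\+|`[^`]*\$\{)/ },
  { id: 'command-injection', severity: 'CRITICAL',
    re: /\b(exec|execSync|spawn)\s*\(\s*(["'][^"']*["']\s*\+|`[^`]*\$\{)/ },
  // Secrets: a credential-like name assigned a long string literal.
  { id: 'hardcoded-secret', severity: 'CRITICAL',
    re: /\b(api[_-]?key|password|secret|token)\s*[:=]\s*["'][^"']{8,}["']/i },
  // Credentials in URL query parameters leak into logs and referrers.
  { id: 'credential-in-query-string', severity: 'HIGH',
    re: /[?&](token|api[_-]?key|password|secret)=/i },
  // Plain equality on a token/password instead of a constant-time compare.
  { id: 'non-constant-time-compare', severity: 'MEDIUM',
    re: /(\w*(token|password|secret|signature)\w*\s*[!=]==?|[!=]==?\s*\w*(token|password|secret|signature)\w*)/i },
  { id: 'permissive-cors', severity: 'MEDIUM',
    re: /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/ },
];
const SEVERITY_RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// Run every rule over every line; return findings most severe first, then by line.
function reviewSource(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: i + 1, id: rule.id, severity: rule.severity, text: text.trim() });
      }
    }
  });
  return findings.sort(
    (a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line,
  );
}

// Constructed sample: six lines that should be flagged and one safe line.
const SAMPLE_LINES = [
  'const rows = await db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  'exec(`ls ${req.query.dir}`);',
  'const apiKey = "sk_live_0123456789abcdef";',
  'fetch("https://api.example.com/v1/me?token=" + user.token);',
  'if (req.headers.authorization === storedToken) grant();',
  'res.setHeader("Access-Control-Allow-Origin", "*");',
  'const safe = await db.query("SELECT * FROM users WHERE id = $1", [id]);',
];
for (const f of reviewSource(SAMPLE_LINES)) console.log(`${f.severity} line ${f.line}: ${f.id}`);
```

Running it prints three CRITICAL findings (lines 1 to 3), one HIGH (line 4) and two MEDIUM (lines 5 and 6); the parameterized query on line 7 is not reported.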