## https://sploitus.com/exploit?id=27E09A8D-4D0B-5060-B8DD-5D53BBB595C4
# Security Review Skill for Claude Code
A comprehensive security review skill that enables Claude Code to perform systematic security audits with **working proof-of-concept exploits for every finding**.
## The Iron Law
```
NO FINDING WITHOUT A WORKING EXPLOIT
```
Suspecting a vulnerability is worthless. This skill requires proving exploitation.
## What It Does
- **Automated Scanning**: Runs SAST, SCA, secret detection, and infrastructure scanning tools
- **Manual Code Review**: Systematic review for injection, auth, and data exposure vulnerabilities
- **Exploit Development**: Creates working PoC exploits for every vulnerability found
- **Severity Classification**: CVSS-aligned severity ratings with business impact
- **Structured Reporting**: Professional security reports with remediation guidance
## Installation
### Option 1: Clone to skills directory
```bash
git clone https://github.com/dilaz/security-review-skill.git ~/.claude/skills/security-review
```
### Option 2: Copy the skill file
```bash
mkdir -p ~/.claude/skills/security-review
curl -o ~/.claude/skills/security-review/SKILL.md https://raw.githubusercontent.com/dilaz/security-review-skill/main/SKILL.md
```
## Usage
The skill activates automatically when you:
- Ask Claude Code to perform a security audit
- Request vulnerability assessment or penetration testing
- Ask it to find security issues in code
- Review code that handles user input, executes commands, reads files, or makes network requests
Example prompts:
- "Review this codebase for security vulnerabilities"
- "Find security issues in the authentication system"
- "Perform a security audit of this API"
## Required Tools
The skill uses these security tools (install as needed):
### Static Analysis (SAST)
```bash
pip install opengrep bandit
npm install -g eslint eslint-plugin-security
go install github.com/securego/gosec/v2/cmd/gosec@latest
npm install -g @ast-grep/cli
```
### Dependency Scanning (SCA)
```bash
brew install trivy grype # macOS
pip install pip-audit
go install golang.org/x/vuln/cmd/govulncheck@latest
```
### Secret Detection
```bash
brew install gitleaks # macOS
# trufflehog: https://github.com/trufflesecurity/trufflehog
```
## Workflow
```
Start Review
โ
Run Automated Scanners (SAST, SCA, secrets)
โ
Manual Code Review (injection, auth, data exposure)
โ
Vulnerability Found? โ Write Exploit PoC
โ
Exploit Works? โ Document with Severity
โ
Generate Report
```
## License
MIT