Security Review Skill

100 0 Updated: 2026-07-15 14:32:38

The Security Review skill is a core module within the ECC (Agent Harness Performance Optimization System), specifically designed for comprehensive security reviews of code, configurations, and system architectures. It automatically identifies potential security vulnerabilities, misconfigurations, and non-compliant coding practices, helping developers detect and fix security issues early in the development cycle. This skill supports multiple programming languages and frameworks, providing detailed review reports and remediation suggestions. It is suitable for CI/CD pipeline integration, code review processes, and daily development security checks. By automating security reviews, teams can significantly reduce security risks and improve software quality and compliance.

Install
bunx skills add https://github.com/affaan-m/ECC --skill security-review
Skill Details readonly

1. Skill Overview

This skill applies to development work involving authentication/authorization logic, user input or file upload handling, new API endpoint creation, secret/credential usage, payment integration, sensitive data storage/transmission, and third-party API integration. It delivers a systematic security review framework covering the full security lifecycle from code writing through production deployment.
Core Principle: Security is non-negotiable — a single vulnerability can compromise the entire platform. When ambiguity exists, always adopt the more conservative secure implementation.

2. Core Capabilities

2.1 Secret Management

Bad Practice ❌ Secure Practice ✅
const apiKey = "sk-proj-xxxxx" const apiKey = process.env.OPENAI_API_KEY
const dbPassword = "password123" const dbUrl = process.env.DATABASE_URL
Mandatory validation checks:
  • No hardcoded API keys, tokens, or plaintext passwords anywhere in source code
  • All secrets loaded exclusively from environment variables
  • .env.local added to .gitignore to prevent accidental commit
  • No residual secrets present within git commit history
  • Production credentials hosted on dedicated secret platforms (Vercel, Railway, etc.)

2.2 Input Validation

  • Define strict validation schemas using libraries such as Zod
  • Validate file upload attributes: file size, MIME type, and file extension
  • Use allowlist validation logic instead of blocklist filtering
  • Error messages returned to users must not leak internal sensitive details
typescript
import { z } from 'zod'
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

2.3 SQL Injection Prevention

  • Never concatenate raw SQL strings with untrusted user input
  • Always use parameterized queries, ORMs, or query builders
  • Utilize Supabase built-in methods like .eq() for automatic safe parameter binding
typescript
// ❌ Unsafe vulnerable concatenation
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
// ✅ Secure parameterized query
await db.query('SELECT * FROM users WHERE email = $1', [userEmail])

2.4 Authentication & Authorization

Bad Practice ❌ Secure Practice ✅
JWT stored in localStorage (high XSS exposure risk) JWT stored within HttpOnly, Secure, SameSite=Strict cookies
Validation rules:
  • Enforce permission checks before executing any sensitive operations
  • Enable Row Level Security (RLS) for all Supabase database tables
  • Implement role-based access control (RBAC) for user permission segregation

2.5 XSS Prevention

  • Sanitize user-submitted HTML markup using libraries such as DOMPurify
  • Configure a restrictive Content Security Policy (CSP) header
  • Leverage built-in automatic XSS escaping provided by frontend frameworks like React
typescript
import DOMPurify from 'isomorphic-dompurify'
const clean = DOMPurify.sanitize(html, {
  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
  ALLOWED_ATTR: []
})

2.6 CSRF Protection

  • Attach CSRF tokens to all state-modifying write operations
  • Set SameSite=Strict cookie attribute for all session cookies
  • Implement the double-submit cookie security pattern

2.7 Rate Limiting

  • Apply rate limiting middleware to every API endpoint
  • Enforce stricter request quotas for resource-heavy operations such as search
  • Support dual rate limiting strategies: IP-based and authenticated user-based tracking
typescript
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minute sliding window
  max: 100, // Maximum 100 requests per window
  message: 'Too many requests'
})

2.8 Sensitive Data Exposure Mitigation

  • Never log plaintext passwords, authentication tokens, or full payment card data
  • Return generic sanitized error messages to frontend users; retain detailed stack traces only on server-side logs
  • Do not expose internal stack traces to client-side consumers
typescript
// ❌ Risky: Logging unredacted sensitive fields
console.log('User login:', { email, password })
// ✅ Secure: Redact sensitive credentials
console.log('User login:', { email, userId })

2.9 Blockchain (Solana) Security

  • Verify full wallet signature authenticity before processing transactions
  • Validate critical transaction parameters: recipient address and transfer amount
  • Check user wallet balance prior to initiating outbound transfers
  • Avoid blind, unvalidated transaction signing workflows

2.10 Dependency Security

  • Execute npm audit on a regular cadence to scan vulnerable packages
  • Commit lockfiles (package-lock.json / pnpm-lock.yaml) to source control
  • Use npm ci for deterministic dependency installation within CI/CD pipelines
  • Enable GitHub Dependabot automated vulnerability alerts
  • Schedule regular dependency security patch updates

3. Primary Use Cases

  1. Code review & security audit — Cross-reference the full checklist to detect common security vulnerabilities during pull request reviews
  2. Secure development guidance for new features — Reference standardized secure patterns when building authentication, API endpoints, and payment workflows
  3. Pre-production deployment security validation — Verify all security controls are fully implemented before shipping to production
  4. Team secure coding training — Serve as standardized secure coding specification documentation for engineering teams
  5. Vulnerability remediation reference — Quickly locate matching mitigation strategies after identifying security defects

4. Pre-Deployment Mandatory Checklist

All items must be verified and satisfied before production release:
  1. No hardcoded secrets; all credentials loaded via environment variables
  2. All untrusted user input fully validated with schema rules
  3. All database queries use safe parameterized binding
  4. User-generated HTML content sanitized against XSS
  5. CSRF protection enabled for all state-changing routes
  6. Secure token handling via HttpOnly cookies implemented
  7. Role-based authorization checks enforced for sensitive operations
  8. Rate limiting applied to every API endpoint
  9. HTTPS enforced for all production traffic
  10. Security response headers configured (CSP, X-Frame-Options, etc.)
  11. Public error messages contain no sensitive internal details
  12. Log output redacts passwords, tokens, and PII
  13. Dependencies updated with no unresolved disclosed CVEs
  14. Supabase Row Level Security enabled for all tables
  15. CORS origin policy strictly restricted to trusted domains
  16. File upload validation (size, MIME type, extension) fully functional
  17. Wallet signature validation implemented (blockchain workflows only)

5. Critical Guiding Principles

  1. Never hardcode secrets — all sensitive credentials must be injected via environment variables
  2. Always validate all user input — use schema-based allowlist validation, avoid blocklist logic
  3. Always use parameterized database queries — raw SQL string concatenation is forbidden
  4. Store tokens in HttpOnly cookies exclusively; avoid localStorage for auth state
  5. Authorize before executing any privileged operation — validate user permissions upfront
  6. Sanitize all user-submitted HTML markup via dedicated libraries such as DOMPurify
  7. Enable rate limiting for every exposed API endpoint
  8. Redact all PII, passwords, and tokens from application log output
  9. Enable Row Level Security for all Supabase tables
  10. Regularly update dependencies and remediate all audit vulnerabilities

Summary

Security Review is a comprehensive code audit and security validation skill covering ten core security domains: secret management, input validation, SQL injection defense, authentication & authorization, XSS mitigation, CSRF protection, rate limiting, sensitive data exposure controls, Solana blockchain security, and dependency vulnerability management. It provides clear side-by-side bad/good code examples and a standardized pre-deployment verification checklist. Derived from the ECC project, it serves developers conducting code audits, building new feature functionality, performing pre-production security gates, delivering team secure coding training, and remediating disclosed vulnerabilities, with the core tenet that security is mandatory, as a single flaw can compromise the entire platform.