Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
Security Analysis
medium confidenceThe skill's instructions and reference docs align with a pentest/security-reviewer role and request no unexpected credentials or installs, but it can run powerful scans and access sensitive files so validate authorization and the unknown source before using it.
Name, description, SKILL.md and the included reference files (SAST, secret scanning, penetration testing, infrastructure security, report templates) are consistent: the skill is intended to perform code/infrastructure security reviews and the materials support that purpose. There are no unrelated required binaries, environment variables, or install steps.
The runtime instructions explicitly allow using Read, Grep, Glob and Bash and contain many concrete commands that read system files, scan git history, enumerate cloud resources, query Kubernetes secrets, and run active tests (nmap, sqlmap, aws cli, kubectl, etc.). This is expected for a pentest skill, but it grants the agent the ability to access sensitive local files and perform active network/cloud interaction — ensure scope/authorization and restrict testing targets. The skill does include constraints (verify authorization, avoid production) but the instructions give broad discretion to collect sensitive data if invoked.
Instruction-only skill with no install spec and no code files. This is low-risk from an installation perspective because nothing is downloaded or written to disk by the skill package itself.
The skill does not request environment variables or credentials (primaryEnv none). References to cloud CLIs and secret scanning tools are consistent with its purpose but would require the user to supply credentials at runtime; the skill itself does not demand unrelated secrets or config paths.
always:false and no install hooks or instructions to modify other skills or system-wide agent settings. The skill can be invoked autonomously by the agent (default behavior) but that is not combined with elevated persistent privileges or credential requests.
Guidance
This skill is internally coherent for security reviews and contains useful, detailed playbooks and commands — but it is powerful: it guides reading local files, enumerating cloud resources, and performing active tests. Before installing or invoking it, do the following: - Verify the author/source (the registry entry lists an owner ID but 'Source' and 'Homepage' are missing). Treat skills from unknown origins cautiously. - Ensure you have explicit authorization and a rules-of-engagement for any target the agent will touch; do not run active scans against production or systems you don't control. - Do not provide credentials (AWS, kubectl, SSH keys, etc.) to the agent unless you intend it to use them; prefer scoped, short-lived credentials in isolated test accounts. - Consider restricting the skill's allowed-tools or disabling autonomous invocation if you want to prevent the agent from running Bash/Read/Grep without human review. - If you plan to use this in CI/CD, run it in an isolated environment or sandbox and review generated commands before execution. If you want higher assurance, ask the skill author for provenance or run the guidance manually rather than granting the agent direct execution privileges.
Latest Release
v1.0.0
Initial release of the security-reviewer skill. - Provides a comprehensive framework for security code review, penetration testing, and infrastructure security analysis. - Defines clear workflow steps: scoping, automated scans, manual review, active testing, severity rating, and reporting. - Includes strict constraints and best practices for effective and responsible security assessments. - Offers reference guides and output templates for producing actionable, detailed reports. - Integrates knowledge from leading security tools and standards (OWASP Top 10, SAST tools, CVSS, CIS benchmarks, etc.).
More by @Veeramanikandanr48
Published by @Veeramanikandanr48 on ClawHub
