security-review

Security-focused code review checklist for identifying vulnerabilities

npx skills add https://github.com/mastra-ai/template-github-review-agent --skill security-review

Security Review

When reviewing code for security issues, check each category below. Reference the detailed checklist in references/security-checklist.md.

Injection Vulnerabilities

  • SQL injection: Look for string concatenation in database queries
  • Command injection: Check for unsanitized input passed to shell commands (exec, spawn)
  • XSS: Look for unsanitized user input rendered in HTML/templates
  • Path traversal: Check for user input in file paths without sanitization

Authentication & Authorization

  • Verify authentication checks on protected routes/endpoints
  • Ensure authorization checks match the required access level
  • Look for privilege escalation paths (e.g., user can modify other users' data)
  • Check that password/token comparison uses constant-time comparison

Secrets & Credentials

  • Hardcoded API keys, passwords, tokens, or connection strings
  • Secrets in configuration files that might be committed
  • Sensitive data in logs or error messages
  • Credentials passed via URL query parameters

Input Validation

  • Validate and sanitize all external input (user input, API responses, file contents)
  • Check for missing or weak input validation on API endpoints
  • Verify type coercion doesn't bypass validation
  • Look for overly permissive CORS or CSP configurations

Data Exposure

  • Sensitive data returned in API responses unnecessarily
  • PII or secrets in application logs
  • Information leakage in error messages (stack traces, internal paths)
  • Missing data encryption for sensitive fields

Severity Levels

  • 🔴 CRITICAL: Exploitable vulnerability (injection, auth bypass, exposed secrets)
  • 🟠 HIGH: Potential vulnerability that needs investigation
  • 🟡 MEDIUM: Security weakness or missing best practice
  • 🔵 LOW: Minor security improvement suggestion

Plus de skills de mastra-ai

testing-mastracode-tui
mastra-ai
Test des fonctionnalités de l'interface TUI de mastracode de manière interactive dans Konsole. Couvre la configuration du modèle, le cycle de vie des threads, l'isolation des états de tâche et les bloqueurs courants.
official
mastra-smoke-test
mastra-ai
Test de fumée des projets Mastra en local ou déploiement en préproduction/production. Teste l'interface Studio, les agents, les outils, les workflows, les traces, la mémoire et plus encore. Prend en charge à la fois le local…
official
technical-writing
mastra-ai
Guidelines for creating clear, well-structured technical documentation
official
builder-smoke-test
mastra-ai
Smoke test the Agent Builder feature branch end-to-end against a hermetic project scaffolded by the skill (linked to the current worktree). Covers workspace…
official
debugging-difficult-bugs
mastra-ai
Utiliser tôt lors du débogage d’un bogue moyen ou difficile, surtout lorsque les tests seuls peuvent ne pas révéler la véritable défaillance d’exécution. Déclenchez ceci avant une itération TDD prolongée…
official
docs-audit
mastra-ai
Interactive documentation quality review for Mastra docs. Use when auditing, reviewing, or critiquing Mastra documentation; checking docs against source code;…
official
e2e-frontend-validation
mastra-ai
Workflow de validation E2E pour les modifications frontend dans les packages playground utilisant Playwright MCP
official
e2e-tests-studio
mastra-ai
CRITIQUE : Les tests doivent vérifier que les fonctionnalités du produit FONCTIONNENT correctement, et pas seulement que les éléments de l'interface utilisateur s'affichent.
official