Installation

Open Claude Code and run this command:

/plugin install security-agent@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

Skills (1)

performing-security-code-review SKILL.md View full skill →

Execute this skill enables AI assistant to conduct a security-focused code review using the security-agent plugin.

ReadWriteEditGrepGlobBash(cmd:*)

Performing Security Code Review

Overview

Conducts security-focused code reviews by scanning source files for common vulnerability patterns including SQL injection, XSS, authentication flaws, insecure dependencies, and secret exposure. Produces structured severity-rated reports with specific remediation guidance.

Prerequisites

Read access to all source files in the target project
grep available on PATH for pattern matching
Access to package.json or equivalent dependency manifest for dependency auditing
Familiarity with OWASP Top 10 vulnerability categories

Instructions

Identify the scope of the review: specific files, directories, or the entire codebase. Confirm the primary language(s) and framework(s) in use.
Scan for hardcoded secrets and credentials:

Search for patterns matching API keys, tokens, passwords, AWS access keys (AKIA...), and private key headers (BEGIN PRIVATE KEY).
Flag any .env files or configuration files containing plaintext secrets.

Analyze code for injection vulnerabilities:

Identify raw SQL string concatenation (SQL injection risk).
Locate unsanitized user input rendered in HTML (XSS risk).
Check for eval(), exec(), or Function() calls with dynamic input (code injection risk).

Review authentication and authorization logic:

Verify password hashing uses strong algorithms (bcrypt, argon2) rather than MD5/SHA1.
Check for missing authentication on sensitive endpoints.
Identify overly permissive CORS configurations.

Audit dependencies for known vulnerabilities:

Run npm audit or equivalent package manager audit command.
Cross-reference dependency versions against known CVE databases.

Check for insecure communication patterns:

Flag HTTP URLs where HTTPS is expected.
Identify disabled TLS certificate verification.

Compile findings into a structured report sorted by severity (Critical, High, Medium, Low), including the vulnerable code location, explanation, and remediation steps.

Output

A structured security review report containing:

Summary with total findings count by severity level
Per-finding entries with: file path, line number, vulnerability type, severity, code snippet, explanation, and recommended fix
Dependency audit results with CVE identifiers where applicable
Overall risk assessment (Critical / High / Medium / Low / Clean)

Error Handling

Error	Cause	Solution
No source files found	Ready to use security-agent? Related Plugins access-control-auditor Audit access control implementations authentication-validator Validate authentication implementations compliance-report-generator Generate compliance reports cors-policy-validator Validate CORS policies csrf-protection-validator Validate CSRF protection data-privacy-scanner Scan for data privacy issues Tags securityagentcode-review Stay in the Loop No spam. Unsubscribe anytime. Product Explore Skills Cowork Compare Tools Resources Docs Changelog Collections Playbooks Research Learning Company Community Spotlight GitHub Legal Privacy Terms Acceptable Use Tons of Skills by Intent Solutions. Marine. Citadel Grad. 20 years ops → self-taught dev → AI architect. © 2026 Tons of Skills \| Intent Solutions

security-agent

Installation

Skills (1)

Performing Security Code Review

Overview

Prerequisites

Instructions

Output

Error Handling

Ready to use security-agent?

Related Plugins

access-control-auditor

authentication-validator

compliance-report-generator

cors-policy-validator

csrf-protection-validator

data-privacy-scanner