Security Review Skill

Required Context

Trace Context

Before starting, read trace files for the modules containing files under security review. Treat trace data as advisory -- verify critical assumptions (file existence, export availability) against source before irreversible decisions.

How to resolve relevant traces:

Identify the file paths under review from git diff --name-only or the spec's Implementation Evidence
Load .claude/traces/trace.config.json and match each file path against module fileGlobs to find the owning module ID
For each matched module, read .claude/traces/low-level/<module-id>.json
Check freshness: compare the trace file's mtime against the staleness threshold (use isTraceStale(moduleId, config) from .claude/scripts/lib/trace-utils.mjs if available). Stale traces are still useful but verify critical assumptions against source
If no .claude/traces/ directory, trace.config.json, or matching modules exist, skip this section entirely and proceed without traces -- no error or warning needed

Token budget: Keep total trace reads under 5K tokens in dispatch context.

Pre-Flight Challenge

Before beginning work, address these operational feasibility questions:

What authentication/authorization surfaces does this change touch?
Are there secret handling paths (env vars, tokens, keys) in scope?
Which input validation boundaries exist at the entry points?
What data exposure risks (PII, credentials, internal state) are present?

If any question cannot be answered from available context, surface it as a finding -- do not skip.

Purpose

Review implementation for security vulnerabilities before approval. Produce pass/fail report with findings and recommendations.

Key Input: Spec group at .claude/specs/groups/<spec-group-id>/

Usage

/security <spec-group-id>                   # Security review all changes for spec group
/security <spec-group-id> <atomic-spec-id>  # Review sp...

Security

Type

Platforms

Best for

Resources