
security-review
โ 25,837by mastra-ai ยท part of mastra-ai/mastra
Security-focused code review checklist for identifying vulnerabilities
๐งฐ Not standalone. This skill ships with mastra-ai/mastra and only works together with that tool โ install the tool first, then add this skill.
This is the playbook your agent receives when the skill activates โ you don't need to read it to use the skill, but it's here to audit before installing.
Security Review
When reviewing code for security issues, check each category below. Reference the detailed checklist in references/security-checklist.md.
Injection Vulnerabilities
- SQL injection: Look for string concatenation in database queries
- Command injection: Check for unsanitized input passed to shell commands (
exec,spawn) - XSS: Look for unsanitized user input rendered in HTML/templates
- Path traversal: Check for user input in file paths without sanitization
Authentication & Authorization
- Verify authentication checks on protected routes/endpoints
- Ensure authorization checks match the required access level
- Look for privilege escalation paths (e.g., user can modify other users' data)
- Check that password/token comparison uses constant-time comparison
Secrets & Credentials
- Hardcoded API keys, passwords, tokens, or connection strings
- Secrets in configuration files that might be committed
- Sensitive data in logs or error messages
- Credentials passed via URL query parameters
Input Validation
- Validate and sanitize all external input (user input, API responses, file contents)
- Check for missing or weak input validation on API endpoints
- Verify type coercion doesn't bypass validation
- Look for overly permissive CORS or CSP configurations
Data Exposure
- Sensitive data returned in API responses unnecessarily
- PII or secrets in application logs
- Information leakage in error messages (stack traces, internal paths)
- Missing data encryption for sensitive fields
Severity Levels
- ๐ด CRITICAL: Exploitable vulnerability (injection, auth bypass, exposed secrets)
- ๐ HIGH: Potential vulnerability that needs investigation
- ๐ก MEDIUM: Security weakness or missing best practice
- ๐ต LOW: Minor security improvement suggestion
Copy & paste โ that's it
npx skills add https://github.com/mastra-ai/mastra --skill security-reviewRun this in your project โ your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.