Labsco
mastra-ai logo

security-review

โ˜… 25,837

by mastra-ai ยท part of mastra-ai/mastra

Security-focused code review checklist for identifying vulnerabilities

๐Ÿงฐ Not standalone. This skill ships with mastra-ai/mastra and only works together with that tool โ€” install the tool first, then add this skill.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

Security Review

When reviewing code for security issues, check each category below. Reference the detailed checklist in references/security-checklist.md.

Injection Vulnerabilities

  • SQL injection: Look for string concatenation in database queries
  • Command injection: Check for unsanitized input passed to shell commands (exec, spawn)
  • XSS: Look for unsanitized user input rendered in HTML/templates
  • Path traversal: Check for user input in file paths without sanitization

Authentication & Authorization

  • Verify authentication checks on protected routes/endpoints
  • Ensure authorization checks match the required access level
  • Look for privilege escalation paths (e.g., user can modify other users' data)
  • Check that password/token comparison uses constant-time comparison

Secrets & Credentials

  • Hardcoded API keys, passwords, tokens, or connection strings
  • Secrets in configuration files that might be committed
  • Sensitive data in logs or error messages
  • Credentials passed via URL query parameters

Input Validation

  • Validate and sanitize all external input (user input, API responses, file contents)
  • Check for missing or weak input validation on API endpoints
  • Verify type coercion doesn't bypass validation
  • Look for overly permissive CORS or CSP configurations

Data Exposure

  • Sensitive data returned in API responses unnecessarily
  • PII or secrets in application logs
  • Information leakage in error messages (stack traces, internal paths)
  • Missing data encryption for sensitive fields

Severity Levels

  • ๐Ÿ”ด CRITICAL: Exploitable vulnerability (injection, auth bypass, exposed secrets)
  • ๐ŸŸ  HIGH: Potential vulnerability that needs investigation
  • ๐ŸŸก MEDIUM: Security weakness or missing best practice
  • ๐Ÿ”ต LOW: Minor security improvement suggestion