Whole-project security review skill

Secure

A production security reviewer for Codex, AI-generated codebases, and vibe-coded apps: scan the repo, confirm real exploit paths, fix by invariant, verify the result, and report coverage in a format teams can trust.

Built for normal human requests and fast vibe-coding workflows. Users can say "review this project" or "make it production ready"; Secure maps that to the right workflow.

Command surface

One core skill. Search-friendly aliases.

Secure works from normal requests, while `security-review`, `vibe-security`, and `secure-code-review` aliases make it easier to discover from the searches developers actually run.

review (Pre-commit security review)
Read-only findings with evidence, impact, fixes, verification limits, and residual risk.

audit (Production readiness)
Broader pass across routes, auth, config, secrets, logs, CORS, CSRF, rate limits, storage, webhooks, and fail-open behavior.

scrape (Low-token repo map)
Local scanner emits risky files, entry points, possible secrets, capability clusters, and inspection order.

inventory (Capability index)
Lists sensitive surfaces, user-controlled inputs, sinks, expected guards, and review priorities.

harden (Focused remediation)
Fixes confirmed findings by restoring the broken invariant, then runs focused verification.

harden-all (Full fix loop)
Scan, confirm, patch, verify, rescan, and iterate until confirmed Critical and High issues are fixed or blocked.

secure (Ship-ready alias)
Natural hardening mode for requests like "make this production ready" or "fix the security issues".

threat-model (Design-time security)
Maps actors, assets, trust boundaries, inputs, sinks, abuse cases, and required controls before coding.

compare (Review calibration)
Checks missed findings, severity drift, naming bias, weak evidence, skipped surfaces, and fix quality.

Direct command:
Use secure. Audit this app before production:
C:\path\to\project

Natural language:
ChatGPT, review this project before commit.
Focus on production and security issues.

Skills.sh aliases:
npx skills add usesecure/secure --skill security-review
npx skills add usesecure/secure --skill vibe-security
npx skills add usesecure/secure --skill secure-code-review

Benchmark result

21/21 detected.

Secure was tuned against an intentionally vulnerable fixture with authentication bypass, tenant leaks, route exposure, public side effects, signed URL abuse, AI/PDF cost paths, payment tampering, webhook forgery, malformed input, and naming bias.

Case coverage: 21/21 detected, 0 partial, 0 missed, 0 out of scope.

Findings
Critical: Authentication Trust. Evidence: src/security.mjs:4. Impact: forged admin sessions. Fix: signed sessions only.
...

Verification
- npm test: passed 7/7.

Coverage
Reviewed scoped routes, auth, tenant scope, storage, AI/PDF, payments, webhooks, input, logs, naming bias.

Case Coverage
Summary: 21/21 Detected, 0 Partial, 0 Missed, 0 Out of scope.
- Partial/Missed/Out of scope: None

Blind comparison

Model-only reviews catch the loud bugs. Secure closes the map.

The fixture was copied into a neutral project named Admin Studio, with tests, answer keys, benchmark wording, and `secure` hints removed. Then the same normal pre-commit prompt was run twice: once with the skill forbidden, once with skill selection allowed.

Without secure: 12/21 detected, 5 partial, 4 missed, 0 out of scope.

With secure: 21/21 detected, 0 partial, 0 missed, 0 out of scope.

What the baseline missed

  • Mass assignment into policy fields.
  • Upload and storage trust boundaries.
  • CORS, CSRF, rate limits, malformed input, and fail-open behavior.
  • AI/PDF cost paths, preview side effects, and checkout amount tampering.

Natural test prompt

ChatGPT, review this project before commit. Focus on production and security issues.

Project:
C:\Users\danie\Escritorio\Proyectos\presentacion\review-target

Operational loop

From full scan to verified fixes.

  1. Scrape compactly: read thousands of local files and emit a bounded review pack with routes, risky files, secrets, and capability clusters.

  2. Confirm from source: follow input to sink. A keyword hit is only a lead until the guard, object scope, and side effect are verified in code.

  3. Patch by invariant: fix the broken rule, not the local symptom (auth trust, tenant scope, mass assignment, signed URLs, rate limits, logs).

  4. Verify and rescan: run tests, typechecks, focused searches, and the scraper again. Report confirmed coverage and remaining risk.
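The first step of the loop, a compact scraper that turns a repository into a bounded review pack, as an added example. This is not the Secure skill's own scanner; it is illustrative code written for this page. SAMPLE_REPO is a constructed in-memory file set standing in for a checked-out project, and every route, path and credential in it is made up. The regexes, capability names and score weights are assumptions chosen for the demo. The point it shows is the one the page insists on: every hit is a lead that names a file and a line to open, and the pack is capped so that a large repo never lands in context whole.

```javascript
// Added example, not the Secure skill's own scanner. SAMPLE_REPO is a
// constructed in-memory file set (Express-style routes plus a config file);
// every path, route and credential in it is made up for the demo.
const SAMPLE_REPO = {
  "src/routes/admin.js": [
    "router.post('/admin/users/:id', async (req, res) => {",
    "  await db.users.update(req.params.id, req.body);",
    "  res.json({ ok: true });",
    "});",
  ].join("\n"),
  "src/routes/preview.js": [
    "app.get('/preview/:id', async (req, res) => {",
    "  res.send(await storage.getObject(req.params.id));",
    "});",
  ].join("\n"),
  "src/lib/billing.js":
    "export const charge = (amount) => stripe.charges.create({ amount });",
  "config/prod.env": [
    "DATABASE_URL=postgres://app:pass@db/app",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "STRIPE_SECRET=sk_live_4eC39HqLyjWDarjtT1zdp7dc",
  ].join("\n"),
  "README.md": "# App\nRun npm start.",
};

// Leads only: a regex hit is a place to look, not a finding.
const ENTRY_POINT = /\b(?:app|router)\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]/g;
const SECRET_PATTERNS = [
  { kind: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "stripe-live-key", re: /\bsk_live_[0-9A-Za-z]{8,}\b/g },
  { kind: "url-with-password", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@/]+:[^\s@/]+@/gi },
];
// Capability clusters (assumed vocabulary for the demo).
const CAPABILITIES = {
  auth: /\b(session|jwt|passport|req\.user|isAdmin|role)\b/i,
  mutation: /\.(update|insert|delete|remove|create|upsert)\(/i,
  storage: /\b(getObject|putObject|signedUrl|upload|bucket)\b/i,
  billing: /\b(stripe|charge|invoice|checkout)\b/i,
  ai: /\b(openai|anthropic|completions|embeddings)\b/i,
};

function scanFile(path, text) {
  const entryPoints = [...text.matchAll(ENTRY_POINT)]
    .map((m) => ({ method: m[1].toUpperCase(), route: m[2] }));
  // Secrets are redacted in the pack itself so the pack never carries the value.
  const secrets = SECRET_PATTERNS.flatMap(({ kind, re }) =>
    [...text.matchAll(re)].map((m) => ({
      kind,
      redacted: m[0].slice(0, 4) + "*".repeat(m[0].length - 4),
    })));
  const capabilities = Object.keys(CAPABILITIES).filter((c) => CAPABILITIES[c].test(text));
  // Risk ranking (weights are assumptions): reachability without a visible
  // guard, state mutation, file exposure, external cost, possible secrets.
  let score = 4 * secrets.length;
  if (entryPoints.length && !capabilities.includes("auth")) score += 3;
  if (capabilities.includes("mutation")) score += 2;
  if (capabilities.includes("storage")) score += 2;
  if (capabilities.includes("billing") || capabilities.includes("ai")) score += 2;
  return { path, score, entryPoints: entryPoints.slice(0, 5), secrets, capabilities };
}

// Bounded pack: top N files in inspection order, capability clusters, and a
// count of what was left out, instead of the whole repository.
function buildReviewPack(files, { maxFiles = 3 } = {}) {
  const ranked = Object.entries(files)
    .map(([path, text]) => scanFile(path, text))
    .filter((f) => f.score > 0)
    .sort((a, b) => b.score - a.score || a.path.localeCompare(b.path));
  const clusters = {};
  for (const f of ranked) for (const c of f.capabilities) (clusters[c] ??= []).push(f.path);
  return {
    totalFiles: Object.keys(files).length,
    inspectionOrder: ranked.slice(0, maxFiles).map((f) => f.path),
    riskyFiles: ranked.slice(0, maxFiles),
    clusters,
    omitted: Math.max(0, ranked.length - maxFiles),
  };
}

console.log(JSON.stringify(buildReviewPack(SAMPLE_REPO), null, 2));
```

On the constructed repo the config file ranks first because of three possible secrets, the two unguarded handlers next, and the billing helper is omitted from a three-file pack but still appears in the mutation and billing clusters. Note that `preview.js` scores as high as `admin.js` even though its name sounds harmless: the ranking looks at what the file can do, not what it is called.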

Intent router

Every user request maps to a concrete flow.

Secure does not wait for users to know command names. It reads intent from natural language, chooses the right workflow, and reports what it did with evidence.

Review: "review this project", "check this repo", "before I commit"

Read-only security review for a whole project, PR, diff, or specific path. Secure runs the compact scraper, inspects high-risk source files, confirms issues from code, and returns findings first.

  • Uses: pre-commit checks, code review, production risk triage.
  • Output: Critical/High/Medium findings with file evidence, impact, fix guidance, verification limits.
  • No edits: review mode reports issues but does not modify files.
Audit: "audit the app", "is this safe to deploy?", "production readiness"

Broader production-readiness pass. It includes review findings, plus deployment-sensitive checks: secrets, environment defaults, CORS, CSRF, logs, rate limits, external calls, webhooks, and fail-open behavior.

  • Uses: release gates, deployment reviews, vendor or client handoff.
  • Output: production blockers, operational risks, coverage, unreviewed areas, remediation order.
  • Depth: more infrastructure-aware than standard review.
Scrape: "scan everything fast", "give me the map", large repos

Token-efficient project scan. The local scraper reads many files, ranks risky surfaces, redacts likely secrets, and emits a bounded review pack instead of dumping the repository into context.

  • Uses: large monorepos, first-pass orientation, low-token security mapping.
  • Output: top risky files, route/action entry points, possible secrets, capability index, review plan.
  • Important: scraper leads are not findings until source code confirms them.
Secure: "fix the security issues", "make it production ready", "dejalo listo para subir" (Spanish for "get it ready to ship")

Full hardening loop. Secure scans, confirms real findings, patches by invariant, verifies, rescans, and iterates until confirmed Critical and High issues are fixed or explicitly blocked.

  • Uses: active remediation, final hardening, production preparation.
  • Output: changed files, fixed findings, remaining findings, blockers, verification, fix coverage.
  • Claim: never says "100% secure"; reports scoped coverage such as 8/8 confirmed Critical/High fixed.
Threat model: "before building this feature", "what can go wrong?"

Design-time security planning. It maps actors, assets, trust boundaries, user-controlled inputs, sensitive sinks, abuse cases, and controls before code is written.

  • Uses: uploads, payments, AI workflows, admin tools, multi-tenant features.
  • Output: threat map, required guards, validation rules, test targets, rollout risks.
  • Result: fewer late-stage fixes because invariants are known up front.
Compare: "compare these reviews", "did this miss anything?", benchmark work

Review-quality evaluation. Secure compares outputs, checks missed findings, severity drift, naming bias, weak evidence, and whether fixes restore the invariant or only patch one symptom.

  • Uses: benchmark evaluation, PR review quality, skill testing, reviewer calibration.
  • Output: missed bugs, severity differences, skipped surfaces, evidence quality, fix quality.
  • Signal: catches reviews that look complete but ignore dangerous capability paths.

Algorithms, cases, tests

How Secure decides what matters.

Secure combines fast repository mapping with source-confirmed review. The scanner can produce leads quickly, but the review only reports a finding after the relevant guard, input, object scope, and sink are checked.

A1. Review algorithms

  • Route and action graph: collects handlers, server actions, controllers, jobs, webhooks, and public forms.
  • Capability clustering: groups code by auth, tenant scope, uploads, storage, billing, AI, exports, and admin operations.
  • Risk ranking: scores unauthenticated reachability, state mutation, sensitive sinks, external cost, and missing ownership checks.
  • Flow tracing: follows user-controlled input into database writes, file keys, signed URLs, queues, emails, logs, and provider calls.
  • Semantic confirmation: treats names like public, demo, preview, helper, lead, and asset as untrusted until source proves the invariant.
C1. Cases covered

  • Auth bypass: demo headers, trusted client identity, optional sessions, weak middleware order.
  • IDOR and tenant leaks: direct object reads, updates, deletes, exports, jobs, and signed URL access without owner scope.
  • Mass assignment: role, plan, status, tenantId, ownerId, price, quota, and policy fields accepted from payloads.
  • Public abuse: contact forms, lead capture, quote builders, AI calls, PDF rendering, email, queues, and webhooks.
  • Production leaks: real secrets, unsafe examples, verbose errors, sensitive logs, fail-open Redis, CORS, and CSRF gaps.
T1. Proof and tests

  • Evidence first: every finding points to file evidence and explains the exact input, guard, sink, and impact.
  • Focused tests: add or run tests for rejected cross-tenant access, blocked role changes, rate limits, webhook signatures, and upload constraints.
  • Static checks: run typecheck, lint, build, dependency audit, secret scan, and targeted searches for dangerous patterns.
  • Rescan loop: rerun the scraper after fixes to confirm removed leads and detect new risks introduced by patches.
  • Coverage report: state fixed findings, remaining findings, untested areas, blockers, and scoped fix coverage.

Security surface

Designed around real failure modes.

The skill looks for capability, not names. A route called preview, helper, public, lead, quote, template, or asset can still mutate state, expose files, or spend resources.

Auth and role trust

Detects demo headers, client-provided identity, weak session boundaries, and role confusion.

Tenant and owner scope

Checks direct object reads, updates, deletes, exports, jobs, and signed URLs for cross-tenant leakage.

Mass assignment

Finds policy fields flowing from payloads into models, DTOs, ORMs, mappers, and update calls.

Storage boundaries

Reviews uploads, object keys, public files, private buckets, signed URLs, previews, and delete paths.

Public abuse paths

Prioritizes forms, webhooks, AI calls, PDF rendering, email, queues, quotas, and missing rate limits.

Release readiness

Flags secrets, fail-open defaults, noisy logs, provider errors, CORS, CSRF, and verification blockers.
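Fail-open behavior appears in several of the surfaces above (rate limits, Redis, release readiness), so here is the shape of that bug beside its fix, as an added example rather than code from the skill or from its benchmark fixture. `makeStore()` is a constructed in-memory stand-in for a shared Redis counter whose `down` flag simulates an outage; the limit, key names and fallback size are assumptions for the demo. A real client would be asynchronous, but the failure handling is identical.

```javascript
// Added example, not the Secure skill's code. makeStore() is a constructed
// in-memory stand-in for a shared Redis counter; store.down = true simulates
// the outage. A real client would be async; the failure handling is the same.
function makeStore() {
  const counters = new Map();
  return {
    down: false,
    incr(key, windowMs, now) {
      if (this.down) throw new Error("ECONNREFUSED");
      const slot = `${key}:${Math.floor(now / windowMs)}`;
      const n = (counters.get(slot) ?? 0) + 1;
      counters.set(slot, n);
      return n;
    },
  };
}

const LIMIT = { max: 3, windowMs: 60_000 }; // assumed limit for the demo

// BEFORE (fail-open): a store error is swallowed and the request proceeds.
// For the length of the outage every caller gets unlimited AI, PDF, or
// email calls: the cost path is unbounded exactly when nobody is watching.
function allowFailOpen(store, key, now) {
  try {
    return store.incr(key, LIMIT.windowMs, now) <= LIMIT.max;
  } catch {
    return true; // "never block users on infra errors" is the bug
  }
}

// AFTER (fail-closed with a bounded fallback): when the shared store is
// unreachable, a stricter per-process counter takes over; with no fallback
// configured the costly path is denied until the store is back.
function makeLocalFallback(max) {
  const counts = new Map();
  return (key, windowMs, now) => {
    const slot = `${key}:${Math.floor(now / windowMs)}`;
    const n = (counts.get(slot) ?? 0) + 1;
    counts.set(slot, n);
    return n <= max;
  };
}

function allowFailClosed(store, fallback, key, now) {
  try {
    return store.incr(key, LIMIT.windowMs, now) <= LIMIT.max;
  } catch {
    // Surface the outage to ops (logging omitted), then keep the path bounded.
    return fallback ? fallback(key, LIMIT.windowMs, now) : false;
  }
}

// Constructed scenario: one client key, a healthy store, then an outage.
function simulateOutage() {
  const now = 1_700_000_000_000;
  const key = "ai:ip:203.0.113.7";
  const store = makeStore();
  const out = {};
  out.healthyOpenAllowed = [1, 2, 3, 4].filter(() => allowFailOpen(store, key, now)).length;
  out.healthyClosedAllowed = [1, 2, 3, 4].filter(() => allowFailClosed(store, null, key + ":b", now)).length;
  store.down = true;
  const burst = Array.from({ length: 100 });
  const fallback = makeLocalFallback(2);
  out.outageOpenAllowed = burst.filter(() => allowFailOpen(store, key, now)).length;
  out.outageClosedAllowed = burst.filter(() => allowFailClosed(store, fallback, key, now)).length;
  out.outageClosedNoFallback = allowFailClosed(store, null, key, now);
  return out;
}

console.log(simulateOutage());
```

Both limiters behave the same while the store is healthy, which is why the bug survives review: the difference only shows under an outage, where the fail-open version admits the whole burst and the fail-closed version admits two requests (or none without a fallback). A review that wants to confirm the lead looks for the `catch` around the limiter call and what it returns.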

Multi-language by invariant

One review model, many stacks.

Controllers, handlers, views, routes, middleware, filters, guards, policies, voters, decorators, and permission classes all answer the same question: does the guard dominate the sink?
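The question above ("does the guard dominate the sink?") and the T1 step (prove the finding, then prove the fix) share one worked example here. It is added illustrative code, not the Secure skill's code and not the benchmark fixture. `makeDb()` is a constructed in-memory stand-in for the application database; the handler signatures, field names and the allowlist are assumptions. The vulnerable handler has a guard (a session exists) that does not dominate the sink (update by client-chosen id with the whole body), so it carries both an IDOR and a mass-assignment path. The hardened handler restores two invariants instead of patching one symptom, and `runFocusedTests()` is the focused test a reviewer would add: it first proves the finding against the old code, then proves the fix.

```javascript
// Added example, not code from the Secure skill or its benchmark fixture.
// makeDb() is a constructed in-memory stand-in for the application database.
function makeDb() {
  const projects = new Map([
    [1, { id: 1, tenantId: "acme", ownerId: "u1", name: "Alpha", plan: "free" }],
    [2, { id: 2, tenantId: "globex", ownerId: "u9", name: "Beta", plan: "free" }],
  ]);
  return {
    get: (id) => projects.get(id),
    update: (id, patch) => Object.assign(projects.get(id), patch),
  };
}

// BEFORE: the shape a review flags. The only guard is "a session exists";
// the sink (update by client-supplied id with the whole body) is reached
// with no owner scope, and policy fields such as plan/tenantId ride in from
// the payload. The guard does not dominate the sink.
function updateProjectVulnerable(db, session, params, body) {
  if (!session) return { status: 401 };
  return { status: 200, project: db.update(Number(params.id), body) };
}

// AFTER: patch by invariant, not by symptom.
// Invariant 1: a project is read and written only within the caller's tenant
//              and ownership, and the scope check happens before the sink.
// Invariant 2: policy fields never come from the payload; only an allowlist
//              of user-editable fields reaches the update.
const WRITABLE_FIELDS = new Set(["name", "description"]); // assumed allowlist

function updateProjectHardened(db, session, params, body) {
  if (!session) return { status: 401 };
  const project = db.get(Number(params.id));
  // 404 rather than 403 so existence is not leaked across tenants.
  if (!project || project.tenantId !== session.tenantId || project.ownerId !== session.userId) {
    return { status: 404 };
  }
  const patch = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body ?? {})) {
    if (WRITABLE_FIELDS.has(key)) patch[key] = value;
    else rejected.push(key);
  }
  if ("name" in patch && (typeof patch.name !== "string" || patch.name.length > 80)) {
    return { status: 400, error: "invalid name" };
  }
  return { status: 200, project: db.update(project.id, patch), rejected };
}

// Focused tests of the kind T1 describes: each asserts an invariant
// (cross-tenant write rejected, policy field dropped), first against the
// vulnerable handler to prove the finding, then against the fix.
function runFocusedTests() {
  const attacker = { userId: "u9", tenantId: "globex" }; // owns project 2, not 1
  const out = {};

  let db = makeDb();
  out.beforeCrossTenant = updateProjectVulnerable(db, attacker, { id: "1" }, { name: "pwned" }).status;
  db = makeDb();
  out.afterCrossTenant = updateProjectHardened(db, attacker, { id: "1" }, { name: "pwned" }).status;
  out.afterCrossTenantName = db.get(1).name;

  const escalation = { name: "Beta2", plan: "enterprise", tenantId: "acme", ownerId: "u1" };
  db = makeDb();
  updateProjectVulnerable(db, attacker, { id: "2" }, escalation);
  out.beforePlan = db.get(2).plan;
  out.beforeTenant = db.get(2).tenantId;
  db = makeDb();
  const res = updateProjectHardened(db, attacker, { id: "2" }, escalation);
  out.afterPlan = db.get(2).plan;
  out.afterTenant = db.get(2).tenantId;
  out.afterName = db.get(2).name;
  out.afterRejected = res.rejected;
  return out;
}

console.log(runFocusedTests());
```

The same two invariants apply whatever the stack names the pieces (controller, policy, voter, guard, permission class): the scope check must run before the write, and the set of writable fields must be decided by the code, not by the request.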

Secure mode

A practical target: fix confirmed Critical and High findings.

The skill never claims a project is 100 percent secure. It reports what matters: confirmed findings, fixed findings, verification results, blockers, and remaining risk.

$secure C:\path\to\project
Fix coverage: 8/8 Critical and High

Example report after scan, confirm, patch, verify, and rescan.

Ready to use

Drop it into Codex skills.

The skill ships as a self-contained folder with instructions, references, local scanners, and UI metadata. It is built for large projects without dumping the whole repo into context.

01. Install
npx skills add usesecure/secure

02. Review prompt
Use secure. Review this project before commit, focused on production and security issues:
C:\path\to\project

03. Hardening prompt
Use secure. Make this project production ready. Fix confirmed Critical and High findings, verify, rescan, and report fix coverage:
C:\path\to\project