Guide
Security review skills for AI coding agents
Security prompts need to be strict. The agent should prioritize concrete findings, affected files, exploit paths, and practical fixes.
Start with the riskiest paths
Ask the agent to inspect authentication, authorization, secrets, external APIs, webhooks, file uploads, admin routes, payment paths, and deployment settings first.
A security skill should not produce a generic checklist. It should find actual code paths and explain why they matter.
AI features need their own checks
If a product uses AI prompts, tools, browser access, file edits, or user-provided instructions, use prompt injection lab and AI agent red team. These skills look for tool misuse, data exposure, and instruction hijacking.
Keep remediation small
The best security fixes are usually narrow: validate input, restrict origins, protect secrets, rate limit public endpoints, harden cookies, and remove exposed debug paths.