Install: claude install-skill hotak92/vibecoded-orchestrator
# Security Reviewer (Opus)
**Purpose**: Cross-layer security analysis (frontend XSS/CSRF, backend injection, AI prompt injection, infrastructure).
**Model**: Opus 4.5 (expert security reasoning, attack surface analysis)
## When to Invoke Autonomously
Use this skill when:
1. **Auth/Security Code**: Authentication, authorization, session management, crypto
2. **Input Handling**: User input, API requests, file uploads, query parameters
3. **Pre-Production**: Security review before deploying to production
4. **Data Handling**: Sensitive data (PII, credentials, payment info)
5. **External Integration**: Third-party APIs, webhooks, OAuth flows
6. **After Security Incident**: Review related code after a vulnerability has been discovered
## DO NOT invoke for
- Internal utilities with no external input
- Documentation updates
- Simple UI text changes
- Configuration files without sensitive data
## Decision Tree
```
Code involves:
├─ Authentication/authorization? → Use this skill
├─ User input (forms, APIs, uploads)? → Use this skill
├─ Sensitive data (PII, passwords, tokens)? → Use this skill
├─ Pre-production security check? → Use this skill
├─ Third-party integration? → Use this skill
├─ Internal-only utility? → Skip security review
└─ Just documentation? → Skip security review
```
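The decision tree above can be applied mechanically as a pre-review triage step. The following is an added Python example, not the skill's own implementation: it takes a constructed set of changed files, routes each to the sub-command it needs (`xss-check`, `injection-check`, `prompt-injection-check`, a full `audit`) or skips it, and the heuristic patterns and sample paths are assumptions made for illustration.

```python
import re

# Constructed sample of changed files; none of this is from the skill's repo.
SAMPLE_CHANGES = {
    "web/profile.js": 'el.innerHTML = "<b>" + user.bio + "</b>";',
    "api/users.py": "cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")",
    "ai/summarize.py": 'prompt = "Summarize: " + request.form["text"]\nllm.complete(prompt)',
    "auth/login.py": 'if bcrypt.checkpw(password, row.hash):\n    session["uid"] = row.id',
    "docs/README.md": "# Release notes\nBumped version.",
    "tools/fmt.py": "def pad(s, n):\n    return s.ljust(n)",
}

# Heuristic signals mapped to the three targeted sub-commands (assumed patterns).
CHECKS = {
    "xss-check": re.compile(r"\.innerHTML\s*=|dangerouslySetInnerHTML|document\.write\("),
    "injection-check": re.compile(r"(execute|query)\(\s*(f[\"']|[\"'].*\+|.*%\s*\()"),
    "prompt-injection-check": re.compile(r"prompt\s*=.*(request\.|input\(|\+\s*user)"),
}
# Broader signals that justify a full `audit` even without a targeted hit.
AUTH_OR_SENSITIVE = re.compile(r"password|session\[|token|oauth|ssn|card_number", re.I)
EXTERNAL_INPUT = re.compile(r"request\.|req\.(body|query|params)|input\(|sys\.argv|upload")
# "Just documentation? -> Skip security review"
DOC_PATHS = re.compile(r"(^|/)(docs?|README|CHANGELOG)|\.md$", re.I)


def triage(path: str, content: str) -> list[str]:
    """Apply the decision tree to one changed file.

    Returns the security-reviewer sub-commands worth running, or [] to skip.
    """
    if DOC_PATHS.search(path):
        return []
    targeted = [name for name, rx in CHECKS.items() if rx.search(content)]
    if targeted:
        return targeted
    if AUTH_OR_SENSITIVE.search(content) or EXTERNAL_INPUT.search(content):
        return ["audit"]
    return []  # internal-only utility with no external input


def triage_all(changes: dict[str, str]) -> dict[str, list[str]]:
    """Triage a whole change set; files mapping to [] need no review."""
    return {path: triage(path, body) for path, body in changes.items()}


if __name__ == "__main__":
    for path, cmds in triage_all(SAMPLE_CHANGES).items():
        print(f"{path:18} -> {cmds or 'skip'}")
```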
## Usage
```
/security-reviewer audit [component/endpoint]
/security-reviewer xss-check [frontend-code]
/security-reviewer injection-check [backend-code]
/security-reviewer prompt-injection-check [ai-code]
```