security-reviewer
Install: claude install-skill ralvarezdev/ralvaskills
# Security Reviewer
Reviews code for security issues before they reach production. **Not** a deep penetration test — that's a different discipline. This skill catches the issues that architect skills already encode rules against; it's the safety net. Findings table, severity rubric, and tooling reference in [RECIPES.md](RECIPES.md).
## 1. When to invoke
- User asks "review this for security", "audit", "is this safe", "any security issues".
- Pre-release review of a service touching auth, payments, PII, or external integration.
- After dependency updates that include security advisories.
- New endpoint, new auth flow, new SQL query — anything where the failure mode is "data leaks" or "user gets owned".
## 2. Output format
Structured findings report — one row per finding with severity, rule, location, evidence, and fix. Layout + severity rubric + closing summary in [RECIPES § 1–2](RECIPES.md#1-findings-report-format).
## 3. Review approach
Two passes:
1. **Tool pass** — run static analyzers, then read their output. They catch low-hanging fruit fast.
2. **Read pass** — read the actual diff (or files in scope), checking the categories in §4. Tools miss intent.
The read pass is where most real findings come from. Tools surface patterns; humans understand context.
## 4. What to check — by category
### Injection
- **SQL injection.** Per [sql-architect §4](../../databases/sql-architect/SKILL.md#4-query-patterns) and [§8](../../databases/sql-architect/SKILL.md#8-security):
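The two passes in §3 applied to this category, as an added example that is not part of the skill's own files. The first half is the kind of pattern a tool pass runs (a crude regex for string-built SQL; the pattern, the sample source lines and the `users` table are constructed here, not taken from sql-architect). The second half is what the read pass confirms: the flagged query is actually exploitable, and the bound-parameter rewrite treats the same input as a literal.

```python
import re
import sqlite3

# --- Tool pass: a crude pattern check of the kind a static analyzer runs ---
# Flags lines that build SQL text from variables: an f-string SQL literal with a
# placeholder, or a SQL string closed and followed by "+" or "%".
# Constructed for this example; real tools use the language's AST, not regexes.
SQL_BUILD_RE = re.compile(
    r"""f["'].*?\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*?\{"""   # f-string with {placeholder}
    r"""|\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*?["']\s*[+%]""",  # concatenation / %-format
    re.IGNORECASE,
)

def flag_string_built_sql(source_lines):
    """Return (line_number, line) for every line that looks like string-built SQL."""
    return [(i, line) for i, line in enumerate(source_lines, start=1)
            if SQL_BUILD_RE.search(line)]

# Constructed sample source lines: two findings and one correctly parameterized call.
SAMPLE_SOURCE = [
    'query = f"SELECT name FROM users WHERE name = \'{name}\'"',
    'query = "SELECT name FROM users WHERE name = \'" + name + "\'"',
    'cur.execute("SELECT name FROM users WHERE name = ?", (name,))',
]

# --- Read pass: confirm the flagged pattern is a real finding, and show the fix ---
# Constructed sample data, held in an in-memory SQLite database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_user_unsafe(conn, name):
    # The finding: caller-controlled text is spliced into the SQL statement, so
    # quote characters in `name` change the statement's structure.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # The fix: a bound parameter. The value is sent separately from the SQL text
    # and can never alter the statement, whatever characters it contains.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def demo():
    """Run both passes and return the evidence a findings row would cite."""
    conn = make_db()
    probe = "' OR '1'='1"   # constructed input: a quote plus an always-true clause
    return {
        "tool_flags": [n for n, _ in flag_string_built_sql(SAMPLE_SOURCE)],
        "unsafe_rows": len(find_user_unsafe(conn, probe)),  # whole table leaks
        "safe_rows": len(find_user_safe(conn, probe)),      # literal match: nothing
        "legit": find_user_safe(conn, "alice"),             # normal lookup still works
    }

if __name__ == "__main__":
    print(demo())
```

The regex is deliberately noisy: it is the "low-hanging fruit" pass, and the read pass decides whether each flag is a finding (line 3 of the sample is correctly parameterized and is not flagged; a real analyzer would also catch concatenation spread across several lines, which this one misses). The evidence for the findings row is the pair of row counts: the same input returns the whole table through the string-built query and nothing through the parameterized one.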