Install: claude install-skill roodlicht/accans-sec-skills
# Security Review
## When to use
Use this skill when a bounded chunk of code is being checked systematically for security and a report is the deliverable. This skill is the workflow; the vulnerability patterns themselves live in `secure-coding`, to which phase 4 hands off.
Activates on:
- A request like "do a security review on <PR/branch/feature/service>", "review this code for security issues", "audit against OWASP Top 10", "is this safe to merge", "security audit before production".
- A PR that touches auth, crypto, user-input handling, session management, PII storage, deserialization, file upload, or external integrations. For such a PR the review is not optional.
- A new service before it goes live, or an existing one touched again after an incident.
- A quarterly or release-cycle audit of high-risk subsystems on an older codebase.
### When NOT to use (handoff)
- Automated pre-merge gate → `security-gate` (command). That is a policy-driven blocker; this skill is the substantive review behind it.
- Design-level threats before code exists → `threat-modeler` (agent). STRIDE, attack trees, and trust-boundary diagrams belong there.
- Offensive assessment with active exploitation → pentest skills (`web-exploit-triage`, `recon-agent`, `payload-crafter`). This skill flags; it does not exploit.
- Framework-deep review → start with the framework skill (`django-security`, `spring-security`, `rails-security`, `nextjs-security`, `api-security`), then come back here for the umbrella report.
- Standalone code-patte