Security reviews happen at the end of projects, when it is too late to change anything without pain. This command moves the review to whenever I am writing the code.
The command
Create .claude/commands/review-security.md:
Review the code I point to for security vulnerabilities. Check specifically for: SQL injection, XSS (cross-site scripting), CSRF, insecure direct object references, sensitive data in logs or responses, missing authentication/authorization checks, hardcoded secrets or API keys, dependency vulnerabilities. For each issue found: severity (Critical/High/Medium/Low), the CWE number, a description of the vulnerability, and the exact fix. Do not report false positives — only flag real issues. If something looks suspicious but is probably fine in context, skip it.
The key instruction is "Do not report false positives." Without it, you get a wall of theoretical warnings that train you to ignore the output.
Example output
On a recent API route:
CRITICAL — CWE-89 (SQL Injection)
Line 34: db.query(SELECT * FROM users WHERE id = + userId)
Fix: db.query(SELECT * FROM users WHERE id = ?, [userId])
HIGH — CWE-312 (Sensitive Data Exposure)
Line 67: Full user object returned including password_hash and salt.
Fix: Explicitly select only: id, email, display_name.
Two real issues. No noise.
How to install
Create .claude/commands/review-security.md with the prompt above. Run /review-security in Claude Code, then point it at the file you want checked.
Full kit (75 commands + 10 CLAUDE.md templates + 8 hooks): Claude Code Power User Kit
Top comments (0)