Oh My ClaudeCode v4.12.0

Security Reviewer

An agent for detecting and prioritizing security vulnerabilities based on OWASP Top 10.

Overview

Security Reviewer is an agent that identifies and prioritizes security vulnerabilities before they reach production. It performs OWASP Top 10 analysis, secret detection, input validation review, authentication/authorization checks, and dependency security audits.

Security issues are invisible until they are exploited. The cost of missing a vulnerability in review is many times higher than the cost of thorough inspection. All findings are prioritized based on severity x exploitability x blast radius.

It is a read-only agent.

When to Use

  • When a new API endpoint is added
  • When authentication/authorization code changes
  • When user input handling logic changes
  • When database queries are added or modified
  • When dependencies are updated
  • When payment-related code changes

Usage Examples

"Review this PR for security vulnerabilities"
"Security review the auth module"
"security review"  # magic keyword auto-activates

Review Process

  1. Scope Identification: Identify files/components under review and the language/framework
  2. Secret Scan: Search for hardcoded secrets using api_key, password, secret, token patterns
  3. Dependency Audit: Run language-appropriate tools such as npm audit, pip-audit, cargo audit
  4. OWASP Top 10 Check: Verify relevant patterns for each category
  5. Prioritization: Sort by severity x exploitability x blast radius
  6. Provide Secure Code Examples: Contrast vulnerable code with safe code in the same language
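Steps 2 and 5 of this process, sketched as an added example (not code from Oh My ClaudeCode or the agent itself). The regex, the reference allowlist, the numeric rating scales, and the sample files and ratings are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed regex: an identifier containing one of the four keywords from the
# Secret Scan step, assigned (= or :) a quoted literal of 8+ characters.
SECRET_RE = re.compile(
    r"""(?i)\b([\w-]*(?:api[_-]?key|password|secret|token)[\w-]*)\s*[:=]\s*(["'])([^"']{8,})\2"""
)
# Assumed allowlist: template references are not hardcoded values.
REFERENCE_RE = re.compile(r"^(?:\$\{[^}]+\}|\{\{.*\}\}|<[^>]+>)$")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str            # identifier only; the secret value is never stored
    severity: int        # assumed scale: 1 (LOW) .. 4 (CRITICAL)
    exploitability: int  # assumed scale: 1 .. 3
    blast_radius: int    # assumed scale: 1 .. 3

    @property
    def score(self) -> int:
        return self.severity * self.exploitability * self.blast_radius

def scan(files, ratings, default=(4, 3, 3)):
    """Return findings sorted by severity x exploitability x blast radius."""
    findings = []
    for path, text in files.items():
        sev, exp, blast = ratings.get(path, default)  # unrated paths: worst case
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in SECRET_RE.finditer(line):
                if REFERENCE_RE.match(m.group(3)):
                    continue  # e.g. "${STRIPE_SECRET}" is resolved at deploy time
                findings.append(Finding(path, lineno, m.group(1), sev, exp, blast))
    return sorted(findings, key=lambda f: f.score, reverse=True)

# Constructed sample input: file contents and reviewer-assigned ratings
# (severity, exploitability, blast radius) per path.
SAMPLE_FILES = {
    "tests/conftest.py": 'auth_token = "test-token-0000"\n',
    "deploy/values.yaml": 'stripe_secret: "${STRIPE_SECRET}"\napi-key: "constructed-key-12345678"\n',
    "app/settings.py": 'DEBUG = False\nDB_PASSWORD = "s3cr3t-Pa55w0rd!"\nAPI_KEY = os.environ["API_KEY"]\n',
}
SAMPLE_RATINGS = {"app/settings.py": (4, 3, 3), "deploy/values.yaml": (4, 3, 2), "tests/conftest.py": (2, 1, 1)}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, SAMPLE_RATINGS):
        print(f"{f.score:>3}  {f.path}:{f.line}  {f.name}")
```

The report carries only the file, line and identifier name, so the scan output itself does not become a second copy of the secret.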

OWASP Top 10 Checklist

| Code | Category | Checks |
|------|----------|--------|
| A01 | Broken Access Control | Authorization on all routes, CORS configuration |
| A02 | Cryptographic Failures | Strong algorithms (AES-256, RSA-2048+), key management |
| A03 | Injection | Parameterized queries, input sanitization, output escaping |
| A04 | Insecure Design | Threat modeling, secure design patterns |
| A05 | Security Misconfiguration | Change defaults, disable debug, security headers |
| A06 | Vulnerable Components | Dependency audit, no CRITICAL/HIGH CVEs |
| A07 | Auth Failures | Strong password hashing (bcrypt/argon2), JWT validation |
| A08 | Integrity Failures | Signed updates, CI/CD pipeline validation |
| A09 | Logging Failures | Security event logging, monitoring |
| A10 | SSRF | URL validation, outbound request allowlisting |

Severity Definitions

| Level | Description | Response Time |
|-------|-------------|---------------|
| CRITICAL | Exploitable vulnerability with severe impact (data breach, RCE) | Within 24 hours |
| HIGH | Requires specific conditions but has severe impact | Within 1 week |
| MEDIUM | Limited impact or difficult to exploit | Within 1 month |
| LOW | Best practice violation or minor security concern | Backlog |

Exposed secrets must be rotated immediately upon discovery (within 1 hour).

Combining with Other Agents

  • code-reviewer: Code quality and logic review is code-reviewer's responsibility. Specialized security review is handled by security-reviewer
  • executor: Vulnerability fix implementation is passed to executor
  • architect: When security architecture-level design review is needed

Reference

| Item | Value |
|------|-------|
| Model | sonnet |
| Subagent Type | oh-my-claudecode:security-reviewer |
| Lane | Review |
| Read-Only | Yes (Write, Edit blocked) |
| Tier Variant | security-reviewer-low (haiku) |
