Explore skills
4,567 skills found
auth-review
Perform a defensive review of authentication and authorization flows in an authorized codebase. Use for login, session, MFA, OAuth, password reset, cookie security, JWT validation, impersonation, privilege checks, and object-level access control.
security-audit
Audits the game for security vulnerabilities like save tampering, cheat vectors, network exploits, data exposure, and input validation gaps. It produces a prioritized security report with remediation guidance, recommended before any public release or multiplayer launch.
business-logic-review
Review an authorized application for business-logic vulnerabilities, workflow abuse, approval bypasses, replay conditions, quota circumvention, plan enforcement bugs, and state-transition errors. Use for billing, invites, approvals, refunds, admin actions, and multi-step workflows.
query-review
Review an authorized codebase for ORM misuse, N+1 query patterns, authorization-after-fetch bugs, raw SQL risks, cache key collisions, and missing tenant scopes. Use for data-access layers and security-adjacent performance pitfalls.
api-review
Review an authorized API surface for access control, mass assignment, schema validation, rate limiting, SSRF, error leakage, webhook verification, and unsafe defaults. Use for REST, GraphQL, RPC, and webhook handlers.
quick-triage
Perform a rapid defensive triage on an authorized code area when time is limited. Use to find the most plausible high-impact issues fast, then recommend the next best review target.
pr-diff-review
Review an authorized pull request diff for security regressions. Use when changes modify trust boundaries, auth logic, data-access scope, file handling, logging, headers, or secrets.