Confirm successful installation by checking the skill directory location:
.cursor/skills/code-review-security
Restart Cursor to activate code-review-security. Access via /code-review-security in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
General code quality review without security focus (use pre-merge-checklist)
Writing implementation code (use python-backend-expert or react-frontend-expert)
Instructions
OWASP Top 10 Checklist
Review every PR against the OWASP Top 10 (2021 edition). Each category below includes specific checks for Python/FastAPI and React codebases.
A01: Broken Access Control
What to look for:
Missing authorization checks on endpoints
Direct object reference without ownership verification
Endpoints that expose data without role-based filtering
Missing Depends() for auth on new routes
Python/FastAPI checks:
# BAD: No authorization check -- any authenticated user can access any user@router.get("/users/{user_id}")asyncdefget_user(user_id:int, db: Session = Depends(get_db)):returnawait user_repo.get(user_id)# GOOD: Verify the requesting user owns the resource or is admin@router.get("/users/{user_id}")asyncdefget_user( user_id:int, current_user: User = Depends(get_current_user), db: Session = Depends(get_db),):if current_user.id!= user_id and current_user.role !="admin":raise HTTPException(status_code=403, detail="Forbidden")returnawait user_repo.get(user_id)
Review checklist:
Every route has authentication (Depends(get_current_user))
Resource access is verified against the requesting user
Admin-only endpoints check role == "admin"
List endpoints filter by user ownership (unless admin)
No IDOR (Insecure Direct Object Reference) vulnerabilities
A02: Cryptographic Failures
What to look for:
Passwords stored in plaintext or with weak hashing
Sensitive data in logs or error messages
Hardcoded secrets, API keys, or tokens
Weak JWT configuration
Python checks:
# BAD: Weak password hashingimport hashlib
password_hash = hashlib.md5(password.encode()).hexdigest()# GOOD: Use bcrypt via passlibfrom passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")password_hash = pwd_context.hash(password)# BAD: Secret in codeSECRET_KEY ="my-super-secret-key-123"# GOOD: Secret from environmentSECRET_KEY = os.environ["SECRET_KEY"]
Review checklist:
Passwords hashed with bcrypt (never MD5, SHA1, or plaintext)
JWT secret loaded from environment, not hardcoded
Sensitive data excluded from logs (passwords, tokens, PII)
HTTPS enforced for all external communication
No secrets in source code (check .env.example has placeholders only)
A03: Injection
What to look for:
Raw SQL queries with string interpolation
eval(), exec(), compile() with user input
subprocess calls with shell=True
Template injection
Python checks:
# BAD: SQL injection via string formattingquery =f"SELECT * FROM users WHERE email = '{email}'"db.execute(text(query))# GOOD: Parameterized querydb.execute(text("SELECT * FROM users WHERE email = :email"),{"email": email})# GOOD: SQLAlchemy ORM (always parameterized)user = db.query(User).filter(User.email == email).first()# BAD: Command injectionsubprocess.run(f"convert {filename}", shell=True)# GOOD: Pass arguments as a listsubprocess.run(["convert", filename], shell=False)# BAD: Code execution with user inputresult =eval(user_input)# GOOD: Never eval user input. Use ast.literal_eval for safe parsing.result = ast.literal_eval(user_input)# Only for literal structures
Review checklist:
No raw SQL with string interpolation (use ORM or parameterized queries)
No eval(), exec(), or compile() with external input
No subprocess.run(..., shell=True) with dynamic arguments
No pickle.loads() on untrusted data
All user input validated by Pydantic schemas before use
A04: Insecure Design
What to look for:
Missing rate limiting on authentication endpoints
No account lockout after failed login attempts
Missing CAPTCHA on public-facing forms
Business logic flaws (e.g., negative amounts, self-privilege-escalation)
Review checklist:
Rate limiting on login, registration, and password reset
Account lockout or exponential backoff after 5+ failed attempts
Business logic validates constraints (positive amounts, valid transitions)
Sensitive operations require re-authentication
A05: Security Misconfiguration
What to look for:
Debug mode enabled in production
CORS configured with wildcard * origins
Default credentials or admin accounts
Verbose error messages exposing stack traces
Python/FastAPI checks:
# BAD: Wide-open CORSapp.add_middleware(CORSMiddleware, allow_origins=["*"])# GOOD: Explicit allowed originsapp.add_middleware( CORSMiddleware, allow_origins=["https://app.example.com"], allow_methods=["GET","POST","PUT","DELETE"], allow_headers=["Authorization","Content-Type"],)# BAD: Debug mode in productionapp = FastAPI(debug=True)# GOOD: Debug only in developmentapp = FastAPI(debug=settings.DEBUG)# DEBUG=False in production
Review checklist:
CORS origins are explicit (no wildcard in production)
Debug mode disabled in production configuration
Error responses do not expose stack traces or internal details
Default admin credentials are changed or removed
Security headers set (X-Content-Type-Options, X-Frame-Options, etc.)
A06: Vulnerable and Outdated Components
Review checklist:
No known CVEs in Python dependencies (pip-audit or safety check)
No known CVEs in npm dependencies (npm audit)
Dependencies pinned to specific versions in lock files
No deprecated packages still in use
A07: Identification and Authentication Failures
What to look for:
Weak password policies
Session tokens that do not expire
Missing multi-factor authentication for admin actions
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
