Lesson 470 of 2116
Claude Code For Code Review: The Security-Review Skill
The official security-review skill ships with Claude Code. Used right, it's a real second pair of eyes; used wrong, it's noise. Knowing the difference is the skill.
Lesson map
What this lesson covers
Learning path
The main moves in order
- 1What security-review actually does
- 2security review
- 3skill invocation
- 4false positive
Concept cluster
Terms to connect while reading
Section 1
What security-review actually does
The security-review skill walks the changed files in a session and checks for common security mistakes: input validation gaps, authentication flaws, hardcoded secrets, unsafe deserialization, SQL injection patterns, broken access control. It produces a structured report with severity ratings. It does not replace a security audit — it's a fast first pass.
What it's good at
- 1Catching the obvious — secrets in code, missing input validation, unparameterized queries
- 2Flagging changed code paths, not the whole repo (limits noise)
- 3Producing structured output you can act on (severity + location + suggested fix)
- 4Speed — runs in seconds on small diffs, not the hours a manual review takes
- 5Consistency — the same diff produces similar findings each run, unlike one-off human reviews
What it misses
- Business logic flaws: 'this auth check is correct, but it lives in the wrong place'
- Cross-component vulnerabilities that span files it didn't read
- Anything that requires understanding the runtime environment
- Race conditions, timing attacks, side-channel issues
- Anything subtle enough that human security engineers debate it
Tuning the noise
Compare the options
| If you see | Tune by |
|---|---|
| Same false positive on every run | Add an exception in CLAUDE.md or the skill body |
| Findings on autogenerated code | Exclude generated paths |
| Review fatigue across team | Cut to high-severity only for non-prod work |
| Real bugs being skipped | Tighten or expand scope; check skill version |
Apply: weave it into your workflow
- 1Run security-review on the next non-trivial PR you write
- 2Triage every finding: act, defer with note, or false-positive
- 3After three runs, tune CLAUDE.md to silence the chronic false positives
- 4For real high-stakes code: still get a human security review on top
Key terms in this lesson
The big idea: the security-review skill is a useful second pair of eyes for the obvious mistakes. It is not a replacement for human security review on real-stakes code.
End-of-lesson quiz
Check what stuck
15 questions · Score saves to your progress.
Tutor
Curious about “Claude Code For Code Review: The Security-Review Skill”?
Ask anything about this lesson. I’ll answer using just what you’re reading — short, friendly, grounded.
Progress saved locally in this browser. Sign in to sync across devices.
Related lessons
Keep going
Creators · 10 min
Skill Registries, Sharing, And Trust
Skills are code that runs in your soul's context. A registry is how you share them — and how attackers ship them. Public versus private registries, signing, permission scopes, and a security review checklist. OpenClaw maintainers and the broader local-agent community converge on a single warning: skills are the new supply-chain attack surface.
Creators · 45 min
Structured Outputs: Make the Model Return Data You Can Trust
For production apps, pretty prose is often the wrong output. Learn when to use structured outputs, function calling, and schema validation.
Creators · 9 min
Pro Search vs Default: When To Spend The Compute
Pro Search runs more queries, reads more pages, and routes to a stronger model. It is not always worth the wait — knowing when it is is the skill.