review-security

Review code for security concerns only. Do not define scope (diff vs codebase) or perform language/framework/architecture analysis; those are separate atomic skills. Emit a findings list in the standard format for aggregation. Focus on injection (SQL, command, template), sensitive data and logging, authentication and authorization, dependencies and CVEs, configuration and secrets, and cryptography and hashing.

When to use: When the task includes security review. Scope and code scope are determined by the caller or user.

| Location | path/to/file.ext (optional line or range). | | Category | cognitive-security. | | Severity | critical \| major \| minor \| suggestion. | | Title | Short one-line summary. | | Description | 1–3 sentences. | | Suggestion | Concrete fix or improvement (optional). |