security-fix-review
Security Fix Review
When to Use
- Reviewing a proposed patch for a security vulnerability
- Verifying a fix addresses the root cause, not just a symptom
- Checking for variant vulnerabilities the fix might miss
- Ensuring regression tests adequately cover the vulnerability
- Validating that a fix doesn't introduce new attack surface
When NOT to Use
- Initial vulnerability discovery (use audit or static analysis skills)
- General code review without security context
- Performance optimization reviews
Review Checklist
1. Root Cause Analysis
- Does the fix address the root cause or just block one exploit path?
- Could an attacker reach the same vulnerable code via a different path?
- Are there other instances of the same bug pattern in the codebase?
2. Fix Completeness
- Does the fix handle all input variations (encoding, normalization, edge cases)?
- Are error paths also patched?
- Does the fix work across all supported platforms/configurations?
3. Bypass Analysis
- Can the fix be circumvented with different input encoding?
- Does the fix rely on client-side validation that can be skipped?
- Are there TOCTOU (time-of-check-time-of-use) windows?
4. Regression Testing
- Do tests exercise the exact vulnerability trigger?
- Do tests cover bypass attempts?
- Are negative tests included (ensure safe inputs still work)?
5. Side Effects
- Does the fix change any public API behavior?
- Could the fix cause denial of service (overly strict validation)?
- Does the fix introduce new dependencies with their own attack surface?
Common Fix Anti-Patterns
| Anti-Pattern | Problem |
|---|---|
| Blocklist approach | Attacker finds unlisted variant |
| Input length check only | Doesn't prevent malicious short inputs |
| Error suppression | Hides the symptom, not the cause |
| Single-layer defense | One bypass defeats entire mitigation |
| Fix in wrong layer | Vulnerability remains reachable via other callers |
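The checklist applied to a path traversal patch, as an added example that is not part of the original skill: a blocklist-style fix is run against the same regression cases as a root-cause fix, covering the reported trigger, bypass variants, and safe inputs that must keep working. `BASE`, both fix functions, and every case in `CASES` are hypothetical and constructed for illustration; POSIX paths are assumed.

```python
import os
from urllib.parse import unquote

BASE = os.path.realpath("/srv/app/uploads")  # hypothetical upload root

def blocklist_fix(raw: str) -> str:
    # Symptom-level patch: strips the literal sequence from the report,
    # and does so before the request path is percent-decoded.
    cleaned = unquote(raw.replace("../", ""))
    return os.path.normpath(os.path.join(BASE, cleaned))

def root_cause_fix(raw: str) -> str:
    # Decode, resolve to a canonical path, then enforce containment.
    resolved = os.path.realpath(os.path.join(BASE, unquote(raw)))
    if os.path.commonpath([resolved, BASE]) != BASE:
        raise ValueError("path escapes upload root")
    return resolved

# Constructed regression cases: (name, input, should_be_served)
CASES = [
    ("reported trigger", "../../etc/passwd", False),
    ("nested sequence", "....//....//etc/passwd", False),
    ("percent-encoded", "%2e%2e%2f%2e%2e%2fetc/passwd", False),
    ("absolute path", "/etc/passwd", False),
    ("safe file", "2024/report.pdf", True),
    ("safe name with dots", "notes..v2/a.txt", True),
]

def failing_cases(fix) -> list[str]:
    """Return the names of cases where the fix misbehaves."""
    failures = []
    for name, raw, should_serve in CASES:
        try:
            path = fix(raw)
            served_inside = os.path.commonpath([path, BASE]) == BASE
        except ValueError:
            served_inside = None  # request rejected
        # Safe inputs must be served from inside BASE; unsafe inputs
        # must be rejected or at least resolve inside BASE.
        ok = served_inside is True if should_serve else served_inside is not False
        if not ok:
            failures.append(name)
    return failures
```

A suite holding only the reported trigger would pass the blocklist patch; the three variant cases are what expose it.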
Workflow
- Read the vulnerability report / advisory
- Understand the root cause and attack vector
- Review the diff with a security lens
- Search for variant instances (grep, CodeQL, Semgrep)
- Verify test coverage of the vulnerability
- Check for bypass opportunities
- Document findings with severity assessment