Security Review Skill
by Anthropic
Anthropic's reference security-review skill. Walks a diff, flags real issues, ignores the noise.
Added 17 May 2026
Overview
Security Review ships in Anthropic's reference skills repo and is a solid default for an agent-driven pre-merge check. It walks a diff in context, flags issues by severity, and writes a structured review the team can act on without a security engineer walking them through it.
Best for
Engineering teams without a dedicated security reviewer in the loop
Use cases
- Pre-merge security review on every PR
- Targeted review of a single auth or payments change
- Standalone security pass after a refactor
- Baseline check for non-security engineers shipping risky code
Notes
Why it matters
Most teams never get a second pair of eyes on a security-sensitive change. A skill the agent runs on every change closes a gap most orgs would otherwise leave open.
How teams use it in production
Wire it as a slash command that fires on PR open. The output lands as a structured comment on the PR. Engineers triage the flags by severity; the security reviewers are pulled in only for the high-severity ones.
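The triage and routing step described above, as an added Python example; this is not Anthropic's code and not part of the skill. The findings JSON schema, the severity labels, the dedupe key and the "high" escalation threshold are all assumptions, since the page does not document the skill's actual output format.

```python
"""Triage a structured security-review comment by severity and route it.

Added example, not part of Anthropic's skill. The findings schema, severity
labels and escalation threshold are assumptions; the skill's real output
format is not documented on the page this accompanies.
"""
import json
from collections import defaultdict

# Assumed severity vocabulary, ordered from most to least urgent.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
# Assumption: security reviewers only see findings at this level or above.
HUMAN_REVIEW_THRESHOLD = "high"

# Constructed sample review output (assumed schema), including a re-run
# duplicate and a malformed severity label to exercise the edge cases.
SAMPLE_REVIEW = json.dumps({
    "findings": [
        {"severity": "high", "file": "auth/session.py", "line": 42,
         "title": "Session token compared with ==",
         "detail": "Use hmac.compare_digest."},
        {"severity": "low", "file": "api/views.py", "line": 10,
         "title": "Missing docstring", "detail": "style only"},
        {"severity": "critical", "file": "payments/charge.py", "line": 88,
         "title": "Charge amount taken from request body",
         "detail": "Client controls the amount; recompute server-side."},
        {"severity": "medium", "file": "api/views.py", "line": 57,
         "title": "Verbose error returned to client",
         "detail": "Stack trace leaks filesystem paths."},
        {"severity": "HIGH", "file": "auth/session.py", "line": 42,
         "title": "Session token compared with ==",
         "detail": "duplicate emitted by a re-run"},
        {"severity": "unknown", "file": "x.py", "line": 1,
         "title": "Unclassified finding", "detail": ""},
    ]
})


def parse_findings(raw: str) -> list:
    """Parse review JSON, normalise severities, drop exact duplicates, sort.

    An unrecognised severity label is bumped to the escalation threshold so a
    malformed label can never silently hide a finding from human review.
    """
    data = json.loads(raw)
    seen = set()
    out = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_ORDER:
            sev = HUMAN_REVIEW_THRESHOLD  # fail closed on unknown labels
        key = (f.get("file"), f.get("line"), f.get("title"))
        if key in seen:
            continue  # same finding reported twice across runs
        seen.add(key)
        out.append({**f, "severity": sev})
    out.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"], f["line"]))
    return out


def needs_security_reviewer(findings) -> bool:
    """True if any finding is at or above the human-review threshold."""
    limit = SEVERITY_ORDER[HUMAN_REVIEW_THRESHOLD]
    return any(SEVERITY_ORDER[f["severity"]] <= limit for f in findings)


def route(findings):
    """Split findings into those escalated to security and those left to engineers."""
    limit = SEVERITY_ORDER[HUMAN_REVIEW_THRESHOLD]
    escalate = [f for f in findings if SEVERITY_ORDER[f["severity"]] <= limit]
    engineers = [f for f in findings if SEVERITY_ORDER[f["severity"]] > limit]
    return escalate, engineers


def render_comment(findings) -> str:
    """Render the PR comment as markdown grouped by severity, highest first."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["severity"]].append(f)
    lines = ["## Security review"]
    for sev in sorted(groups, key=SEVERITY_ORDER.get):
        lines.append(f"### {sev.upper()} ({len(groups[sev])})")
        for f in groups[sev]:
            lines.append(f"- `{f['file']}:{f['line']}` {f['title']}: {f['detail']}")
    if needs_security_reviewer(findings):
        lines.append("")
        lines.append("Security reviewer requested for findings at HIGH or above.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_comment(parse_findings(SAMPLE_REVIEW)))
```

The two design choices worth keeping if you adapt this are the fail-closed handling of unknown severity labels and the dedupe key: without the former a typo in the model's output can drop a finding out of the human queue, and without the latter every re-run on a pushed commit doubles the comment.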
What to watch
The next step is an agent that opens a follow-up PR fixing the flagged issues, rather than only writing them up.
Pros
- Reproducible structured output instead of vibes-based review
- Calibrated to flag real risk, not 'best practice' noise
- Pairs cleanly with GitHub MCP for an end-to-end PR loop
- Forks well for org-specific review checklists
Cons
- Cannot replace human review of greenfield auth code
- Multi-file architecture issues still get missed
- Org-specific compliance needs a forked variant
Pairs with