Security Review Agent

Agent

Reviews code for OWASP, auth, secrets, and AI-agent security risks.

4.9(412)132k installs6.2k likesUpdated 18 days ago

Low riskMITSecurity reviewedOpen Source

Security Review Agent

A read-only security reviewer for code and AI agents. It audits diffs and full repositories against the OWASP Top 10 and a catalog of AI-agent-specific risks, then reports findings ranked by severity with concrete remediation.

What it checks

Injection — SQL, command, template, and prompt injection
Broken auth & access control — missing checks, IDOR, JWT misuse
Secrets — hardcoded keys, tokens, and credentials in code or history
SSRF & unsafe fetch — user-controlled URLs, metadata endpoints
AI-agent risks — over-broad tool permissions, untrusted tool output, prompt-injection surface

Why it's safe to run

This agent requests only readFiles and gitHistory. It cannot write to your files, run commands, or reach the network.

Install

bash

npx nuclexa install security-review --target claude-code

Example output

Severity	Finding	Location
High	Command injection via `exec(userInput)`	`src/api/run.ts:42`
Medium	JWT verified without expiry check	`src/auth/verify.ts:18`
Low	Verbose error leaks stack trace	`src/server.ts:120`

Demo

security-review — preview

Interactive demo coming soon

A short walkthrough of Security Review Agent in action will appear here.

Supported platforms

CCClaude CodeCuCursorOAOpenAI Agents

Installation

Install or export Security Review Agent for any platform it supports.

Claude Code

$ npx nuclexa install security-review --target claude-code

Cursor

$ npx nuclexa install security-review --target cursor

OpenAI Agents

$ npx nuclexa export security-review --target openai-agents

Example usage

Review the current branch

bash

npx nuclexa install security-review --target claude-code

Then in Claude Code:

Run a security review on the pending changes.

The agent reads the diff, classifies findings by severity, and proposes fixes — without writing to your files.

Required permissions

Low risk

Read files
Read files in the workspace.
Write files
Create or modify files in the workspace.
Run shell commands
Execute commands in your shell.
Network access
Make outbound network requests.
Access environment variables
Read process environment variables.
Access browser
Control a browser session.
Access git history
Read commit history and diffs.
Access secrets
Read configured secrets and tokens.

Compatibility

How Security Review Agent behaves across supported runtimes.

Platform	Status	Install method
CCClaude Code	Supported	CLI install
CuCursor	Supported	Cursor rule
OAOpenAI Agents	Exportable	agent.json exportExported as an Agents SDK definition.
MMCP-compatible	Not supported	Planned for v2.2.

License & safety

License

MITOpen source — free for commercial use.

Safety note

Every install shows its full permission scope before it runs. This package has been security reviewed by Nuclexa.

What it checks

Injection — SQL, command, template, and prompt injection

Broken auth & access control — missing checks, IDOR, JWT misuse

Secrets — hardcoded keys, tokens, and credentials in code or history

SSRF & unsafe fetch — user-controlled URLs, metadata endpoints

AI-agent risks — over-broad tool permissions, untrusted tool output, prompt-injection surface

Severity

Finding

Location

High

Command injection via exec(userInput)

src/api/run.ts:42

Medium

JWT verified without expiry check

src/auth/verify.ts:18

Low

Verbose error leaks stack trace

src/server.ts:120

Platform

Status

Install method

CCClaude Code

Supported

CLI install

CuCursor

Supported

Cursor rule

OAOpenAI Agents

Exportable

agent.json exportExported as an Agents SDK definition.

MMCP-compatible

Not supported

Planned for v2.2.