Pre-Commit Security Check
A last-line security sweep your agent runs before every commit.
An agent skill that runs a focused security review before committing: secrets in the diff, injection risks in changed code, unsafe deserialization, and permission changes. Scoped to the diff so it's fast enough to run every time, not a full audit nobody runs.
SKILL.md
--- name: security-check description: Security review of staged changes. Use before every commit that touches code. --- # Pre-Commit Security Check Before committing, review `git diff --staged` for these categories. Report findings with file:line and severity; block the commit on critical findings. ## 1. Secrets (critical — always block) - API keys, tokens, passwords, private keys, connection strings in ANY staged file - High-entropy strings assigned to suspicious names (key, secret, token, pwd) - .env files or credential files being staged ## 2. Injection (in changed lines) - SQL built by string concatenation/interpolation with external input - Shell commands constructed from variables (`exec`, `system`, subprocess with shell=True) - HTML rendered from user input without escaping (innerHTML, dangerouslySetInnerHTML, v-html) - Path operations using user input without normalization (path traversal) ## 3. Data handling - New logging of request bodies, tokens, or PII - Unsafe deserialization of external data (pickle, eval, yaml.load without SafeLoader) - Sensitive fields added to API responses that previously excluded them ## 4. AuthZ surface - Route/endpoint additions: does each have an explicit auth check? - Permission checks removed or loosened in the diff - CORS, CSP, or cookie-flag changes ## Reporting - Critical → refuse to commit; show the finding and the fix - Warning → commit allowed, but list findings in the commit conversation - Clean → say "security check: clean" in one line, don't pad Scope discipline: review ONLY the staged diff plus enough context to judge it. This is a tripwire, not an audit.
How to use
- 1Save as .claude/skills/security-check/SKILL.md.
- 2The agent runs it automatically before commits; you can also invoke it on demand for any diff.
- 3Treat 'critical' blocks seriously — a leaked key in git history is a rotation incident even if you force-push over it.
- 4This complements (never replaces) your SAST tooling and human security review for sensitive areas.
Examples
Catching an interpolated SQL query
Input
Staged diff adds `db.query(f"SELECT * FROM users WHERE name = '{name}'")`.
Output
🔴 Critical — api/users.py:42 — SQL injection: `name` comes from the request path and is interpolated directly into the query. Fix: parameterized query `db.query("SELECT * FROM users WHERE name = %s", (name,))`. Commit blocked.
Pro tips
- Add your org-specific rules (e.g. 'never log customer_id together with email') — the skill format makes policy executable.
Frequently asked questions
Will this slow down every commit?+
It reviews only the staged diff, so it adds seconds. The scope-discipline rule exists precisely to keep it fast enough that it actually runs every time.
Is an LLM check reliable enough for security?+
As one layer, yes — it catches the common, obvious-in-context issues (interpolated queries, logged tokens) that slip through when nobody looks. Keep secret-scanning hooks and SAST in CI as the systematic layers.