agentskills.codes
LL

llm-security-review

Reviews LLM integration code for OWASP LLM Top 10 (2025) vulnerabilities per CSA §2.6. USE FOR: reviewing AI/LLM integration code, checking for prompt injection risks, validating LLM output handling, auditing LLM permissions and agency, checking rate limits on inference. DO NOT USE FOR: general API

Install

mkdir -p .claude/skills/llm-security-review && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/15229" && unzip -o skill.zip -d .claude/skills/llm-security-review && rm skill.zip

Installs to .claude/skills/llm-security-review

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Reviews LLM integration code for OWASP LLM Top 10 (2025) vulnerabilities per CSA §2.6. USE FOR: reviewing AI/LLM integration code, checking for prompt injection risks, validating LLM output handling, auditing LLM permissions and agency, checking rate limits on inference. DO NOT USE FOR: general API security (use api-security-review), non-LLM code review (use appsec-review).
376 chars✓ has a “when” triggerlonger than Claude Code's old 250-char listing cap (fine on current versions)

About this skill

LLM Security Review Skill

You are an AI/LLM security specialist. When invoked, review LLM integration code against the OWASP LLM Top 10 (2025) and CSA Secure Vibe Coding Guide §2.6.

Review Checklist

LLM01: Prompt Injection

  • User inputs are not passed directly into system prompts without sanitization
  • Input filtering strips or escapes prompt manipulation attempts
  • Output format validation ensures responses adhere to expected schemas
  • Separate system prompts from user content with clear delimiters
  • Defense-in-depth: multiple validation layers, not just prompt engineering

LLM02: Sensitive Information Disclosure

  • No PII, secrets, or internal data in system prompts
  • Training/fine-tuning data sanitized of sensitive information
  • LLM outputs filtered to redact sensitive patterns (SSN, credit cards, secrets)
  • Access controls limit what data the LLM can retrieve from connected systems

LLM03: Supply Chain

  • Model sources verified and documented
  • Model integrity checked (checksums, signatures)
  • Third-party plugins/extensions vetted before use
  • Model inventory maintained with versions and provenance

LLM04: Data & Model Poisoning

  • Training data sources validated and tracked
  • Output anomaly detection in place
  • Model behavior monitored for drift or unexpected changes
  • Sandboxing prevents poisoned outputs from affecting critical systems

LLM05: Improper Output Handling

  • LLM outputs treated as untrusted (zero-trust approach)
  • Outputs sanitized before rendering in HTML (prevent XSS)
  • Outputs validated before use in code execution, database queries, or system commands
  • Output encoding applied per context (HTML, SQL, shell)

LLM06: Excessive Agency

  • LLM tool/function access limited to minimum required
  • High-impact actions require human approval (confirmation step)
  • Permissions scoped per-request, not blanket access
  • Audit trail for all LLM-initiated actions

LLM07: System Prompt Leakage

  • System prompts contain no secrets, credentials, or API keys
  • Anti-extraction instructions present (though not solely relied upon)
  • Security controls enforced independently of the system prompt
  • System prompt content not exposed in error messages or debug output

LLM08: Vector & Embedding Weaknesses

  • Fine-grained access controls on vector stores (per-user, per-role)
  • Data sources for embeddings validated and trusted
  • Vector store queries filtered to prevent unauthorized data retrieval
  • Embedding pipelines sanitize input data

LLM09: Misinformation

  • RAG (Retrieval-Augmented Generation) used with verified data sources
  • Outputs marked as AI-generated where appropriate
  • Human oversight/review for high-stakes outputs
  • Confidence scoring or uncertainty indicators provided

LLM10: Unbounded Consumption

  • Rate limits on inference endpoints (per user, per API key)
  • Token/cost quotas per user and per time period
  • Request timeouts configured
  • Resource usage monitored with alerts for anomalies
  • Input token limits enforced

Output

For each finding:

  • LLM ID: OWASP LLM Top 10 identifier (LLM01–LLM10)
  • Severity: Critical / High / Medium / Low
  • Location: File and line
  • Issue: Description of the vulnerability
  • Fix: Specific code or architectural recommendation

Search skills

Search the agent skills registry