Bitwarden

Reviews CLAUDE.md, SKILL.md, or agent configs for prompt injection risk, overpermissioning, missing guardrails, and structural issues—before you ship to production.

Takes a list of flagged issues from a code review and runs each through rejection criteria and verification checks, keeping only the real problems worth fixing.

After you've left inline comments, generates a rollup comment that groups findings by severity, calls out what blocks merge, and flags what's just style.

A six-phase checklist for handing off or receiving a system, framework, or operational responsibility—covering documentation, knowledge transfer, dependency mapping, and success metrics.

Reference for all Bitwarden workflow linter rules—covers mechanical checks (naming, permissions, pinning) and style rules. Catches issues before they hit CI.

Embeds Bitwarden's trust boundaries, data-classification rules, and security vocabulary (P01–P06) so Claude understands the constraints for any code review, architecture decision, or threat model.

Launches specialized reviewers to check for auth flaws, injection, crypto misuse, and data leaks, then verifies findings with a final pass. Works on any codebase file or snippet.

Reviews your authentication, authorization, trust boundaries, and encryption setup against OWASP and industry patterns. Flags gaps and suggests fixes without requiring a pentest.

Walks an owner through writing a proposal, getting architecture feedback, and positioning it for the software initiative funnel—without politics.

Reads one or many Claude Code session logs and extracts tabular data—queries, outputs, timestamps, errors—sorted and filtered by your criteria.

Walks through security posture, blast radius, and org constraints to help you design a solution that won't conflict with the rest of the system or create downstream debt.

Takes a research recommendation, builds a spike in the actual codebase, runs it against real constraints, and drafts the architecture decision record so the team can decide.

Runs a structured checklist against your changes: test coverage, naming, documentation, error handling, and performance. Flags what's likely to fail review.

Pulls a Jira issue, its history, linked tickets, and dependent work to surface what's actually blocking you—not just the ticket title and description.

Reads scan results from Checkmarx, SonarCloud, or GitHub Advanced Security and ranks findings by severity and likelihood, flagging false positives so your team fixes what matters.

Fills in a formal tech-breakdown template with scope checklist, child specs, open questions, and status gates—so the whole team knows what ships and in what order.

Applies security fixes to GitHub Actions workflows across multiple repos — pins external actions to SHAs, updates internal actions to @main, and leaves a version comment for auditing.

Runs the Bitwarden workflow linter across your repos, flags mechanical errors (missing fields, bad syntax) and judgment calls (risky patterns), then sorts them by severity.

Scans code against OWASP Top 10 and CWE Top 25, flags injection risks, auth gaps, and data-exposure patterns, then ranks findings by severity.

Searches code and config files for hardcoded secrets, tokens, and credentials. Flags what's exposed, where it is, and which services need rotation.

Scans your codebase for outdated or risky packages, surfaces Dependabot alerts, and flags transitive dependencies that introduce supply chain risk.

Takes a list of code review notes and buckets them as CRITICAL, IMPORTANT, DEBT, SUGGESTED, or QUESTION — so you flag blockers and skip the noise.

Formats inline review feedback as GitHub PR comments with severity indicators, clear explanations, and specific fixes — following Bitwarden's engineering standards.

Reads a PR that bumps or adds libraries and surfaces breaking changes, security flags, and license conflicts before you merge—works with package.json, Cargo.toml, requirements.txt, and others.

Maps who needs to review a technical breakdown, builds the signoff table, tracks approvals, and runs the launch checklist before marking it complete.

Defines your security goals, sketches data flows, identifies where attackers could strike, and lists concrete mitigations — all in a format your eng team can hand to infosec for review.

Takes a feature's architecture and breaks it into child epics, assigns work per team, and surfaces the leadership questions needed for a go/no-go decision.

Reviews incoming strategy ideas against your current portfolio, flags conflicts and duplication, and surfaces the highest-signal bets for quarterly planning without losing track of the rest.

Guides you through a structured interview about your current tech stack, constraints, and goals—then drafts a written Architectural Assessment that captures the reasoning behind your setup.

Walks you through recognizing when a recurring team problem signals a bigger technical need, framing it for architecture review, and tracking it into roadmap planning.

Reads git commits over a date range or branch and produces a structured summary of what changed—file-by-file diffs, intent, and risk—ready for code review or a standup.

Parses git history, conversation logs, and code diffs from a dev session to surface what went well, what slowed you down, and what to change next sprint.

Enforces Bitwarden's commit conventions—scoped prefixes, linked tickets, clear intent—so your PRs sail through without "please reword your commits."

A five-phase playbook that guides you from research through launch, with checkpoints at each phase and pointers to deeper skills when you need them.

Crawls all GitHub workflow files across the org and flags actions that are unpinned, out of date, or explicitly forbidden—then reports the exact SHA and fix needed.

Phase-by-phase playbook for moving an idea from proposal through breakdown, estimation, and dependency coordination. Clarifies who owns what at each gate and when to escalate.

Guides a shepherd through the post-launch phase: coordinating teams, running weekly pulse checks, surfacing blockers, documenting retrospectives, and formally closing out the initiative.

Takes a PR comment thread and either implements the fix with justification or drafts a thoughtful push-back — respecting the reviewer's concern while keeping your judgment.

Analyzes code across architecture, security, and quality in parallel, then surfaces only the findings that matter — ranked by severity and mapped to the lines that need changing.

Takes linter findings from workflow-audit, applies safe mechanical fixes, flags judgment calls for you, re-lints to verify, and drafts a PR ready to merge.