Is there a built-in security-review slash-command worth installing?

Yes — the security-review skill ships with Claude Code (run /security-review). For Magento it covers the obvious: SQL string-concatenation, echo without escaping in phtml, missing CSRF tokens on form actions, ACL gaps in admin controllers, raw user input passed to bin/magento shell calls, hardcoded API keys. It will not catch the Magento-specific gotchas: missing _isAllowed(), observers running inside the order DB transaction, ObjectManager in non-setup code. For those, copy .claude/agents/code-reviewer.md from the module generator output — it knows the EQP checklist.
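As an added illustration (not part of Claude Code's skill or the module generator's reviewer agent), a small Python lint that flags the three Magento-specific gaps named above over a constructed set of module files. The event names it treats as "fires inside the order transaction" and the Acme_Blog paths are assumptions, not values from the page.

```python
"""Lint for the Magento review gaps the built-in skill misses (constructed example)."""
import re

# Assumption: observers on these events run while the order save transaction is
# still open, so slow or external work there holds locks. Adjust to your audit.
TRANSACTIONAL_ORDER_EVENTS = ("sales_order_save_after", "sales_order_place_after")

ADMIN_CTRL = re.compile(r"Controller/Adminhtml/.+\.php$")
OBJECT_MANAGER = re.compile(r"ObjectManager::getInstance\(|App\\ObjectManager\b")
EVENT_BLOCK = re.compile(r'<event\s+name="([^"]+)">(.*?)</event>', re.S)
OBSERVER_INSTANCE = re.compile(r'instance="([^"]+)"')


def review_magento_sources(files):
    """files: repo-relative path -> contents. Returns a list of finding strings."""
    findings = []
    for path, src in files.items():
        # Admin controllers need an ACL resource: ADMIN_RESOURCE or an _isAllowed() override.
        if ADMIN_CTRL.search(path) and "ADMIN_RESOURCE" not in src and "_isAllowed(" not in src:
            findings.append(f"{path}: admin controller without ADMIN_RESOURCE or _isAllowed()")
        # Direct ObjectManager use is only acceptable in setup/patch code.
        if path.endswith(".php") and "/Setup/" not in f"/{path}" and OBJECT_MANAGER.search(src):
            findings.append(f"{path}: ObjectManager used outside Setup/")
        # Observers attached to in-transaction order events.
        if path.endswith("events.xml"):
            for event, body in EVENT_BLOCK.findall(src):
                if event in TRANSACTIONAL_ORDER_EVENTS:
                    for observer in OBSERVER_INSTANCE.findall(body):
                        findings.append(f"{path}: {observer} observes {event} inside the order transaction")
    return findings


# Constructed sample module: one bad and one good admin controller, ObjectManager in a
# model (bad) and in a data patch (acceptable), and an observer on a transactional event.
SAMPLE_FILES = {
    "app/code/Acme/Blog/Controller/Adminhtml/Post/Save.php":
        "<?php\nclass Save extends \\Magento\\Backend\\App\\Action {\n    public function execute() {}\n}\n",
    "app/code/Acme/Blog/Controller/Adminhtml/Post/Index.php":
        "<?php\nclass Index extends \\Magento\\Backend\\App\\Action {\n"
        "    const ADMIN_RESOURCE = 'Acme_Blog::post';\n    public function execute() {}\n}\n",
    "app/code/Acme/Blog/Model/Post.php":
        "<?php\n$om = \\Magento\\Framework\\App\\ObjectManager::getInstance();\n",
    "app/code/Acme/Blog/Setup/Patch/Data/SeedPosts.php":
        "<?php\n$om = \\Magento\\Framework\\App\\ObjectManager::getInstance();\n",
    "app/code/Acme/Blog/etc/events.xml":
        '<config><event name="sales_order_save_after">'
        '<observer name="acme_sync" instance="Acme\\Blog\\Observer\\SyncOrder"/></event></config>\n',
}


def run_sample():
    return review_magento_sources(SAMPLE_FILES)


if __name__ == "__main__":
    print("\n".join(run_sample()))
```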