AgentSkillsCN

security-checklist

安全模式和OWASP检查清单。在处理身份验证、用户输入、API安全或审查代码漏洞时自动加载。

SKILL.md
--- frontmatter
name: security-checklist
description: Security patterns and OWASP checklist. Auto-loads when handling auth, user input, API security, or reviewing code for vulnerabilities.

Security checklist for identifying vulnerabilities and ensuring secure coding practices.

For detailed checklists, see checklist.md. For framework-specific patterns, see patterns.md.


OWASP Top 10

VulnerabilityWhat to Look For
InjectionUnsanitized input in SQL, commands, templates
Broken AuthWeak passwords, missing MFA, session issues
Sensitive DataUnencrypted storage, exposed in logs/errors
XXEXML parsing without disabling external entities
Broken AccessMissing auth checks, IDOR vulnerabilities
MisconfigDebug mode, default creds, verbose errors
XSSUnescaped output, dangerouslySetInnerHTML
Insecure DeserialUntrusted data in deserialize functions
Vulnerable DepsOutdated packages with known CVEs
Insufficient LoggingMissing audit trails, no alerting

Quick Scan Commands

bash
# Check for secrets in code
grep -rE "(password|secret|api_key|token)\s*[:=]" --include="*.{ts,js,json,env}" .

# Find SQL injection risks
grep -rE "query\(.*\+.*\)|execute\(.*\+.*\)" --include="*.ts" .

# Check for dangerouslySetInnerHTML
grep -r "dangerouslySetInnerHTML" --include="*.tsx" .

# Audit packages
bun pm audit

Security Mindset

  • Defense in depth - Multiple layers, not single points
  • Least privilege - Minimum access needed
  • Fail secure - Errors should deny, not allow
  • Trust nothing - Validate everything from outside
  • Keep secrets secret - Never in code, logs, or errors