Security Validation

SKILL.md

Security Validation Skill

This skill teaches the agent how to perform thorough security validation of specifications, plans, and implementations.

When to Apply

Apply this skill when:

  • Reviewing a specification for security requirements
  • Validating implementation against security rules
  • Conducting a security-focused code review
  • Assessing a feature's security posture

Security Validation Framework

Authentication & Authorization

| Check | Rule | Severity |
|---|---|---|
| All sensitive endpoints require authentication | AUTH-001 | Critical |
| Industry-standard auth mechanism (OAuth2, OIDC, SAML) | AUTH-001 | Critical |
| No credentials stored in plain text | AUTH-001 | Critical |
| RBAC implemented with least privilege | AUTH-002 | High |
| Authorization enforced on every request (not UI-only) | AUTH-002 | High |
| Secure session tokens with timeout | AUTH-003 | High |
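
The following is an added example, not code from this skill or from any project it describes. It shows what AUTH-002 and AUTH-003 look like in code: a server-side session store whose tokens come from the OS CSPRNG and expire after an idle timeout, and an authorize() call that runs on every request rather than trusting what the UI hides. The role names, permission strings, the 15-minute timeout and the lambda clock used for testing are illustrative assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not from the skill page). Role names, permissions and the
# timeout value are assumptions chosen for illustration.
SESSION_IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies
ROLE_PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}


@dataclass
class Session:
    user: str
    role: str
    last_seen: float


class SessionStore:
    """Sessions are keyed by the SHA-256 of the token, so a leaked copy of the
    store does not hand out usable tokens, and lookups are a plain dict hit
    rather than a string comparison that could leak timing."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions: dict = {}

    def create(self, user: str, role: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = Session(user, role, self._clock())
        return token                              # only the client sees this

    def lookup(self, token: str) -> Optional[Session]:
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > SESSION_IDLE_TIMEOUT:
            del self._sessions[key]               # expired: remove, never renew
            return None
        sess.last_seen = now                      # sliding idle timeout
        return sess

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def authorize(store: SessionStore, token: str, permission: str) -> bool:
    """Server-side check on every request: no session, an expired session, or
    a role that lacks the permission is a deny. A hidden button in the UI is
    not a control (AUTH-002, "not UI-only")."""
    sess = store.lookup(token)
    return sess is not None and permission in ROLE_PERMISSIONS.get(sess.role, set())
```

When reviewing real code against AUTH-002, look for the equivalent of authorize() at the request boundary (middleware, decorator, or the first line of each handler) rather than only in templates or front-end routing.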

Data Protection

| Check | Rule | Severity |
|---|---|---|
| Sensitive data encrypted at rest (AES-256 or stronger) | DATA-001 | Critical |
| Encryption keys held in a secure vault (HSM, Key Vault) | DATA-001 | Critical |
| TLS 1.2+ for all communications | DATA-002 | Critical |
| No sensitive data in URLs | DATA-002 | High |
| Input validation on all user inputs | DATA-003 | Critical |
| Output encoding (XSS prevention) | DATA-003 | Critical |
| Parameterized queries (SQL injection prevention) | DATA-003 | Critical |
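
The following is an added example, not code from this skill. It puts the three DATA-003 checks side by side so a reviewer can see what passes and what fails: an allow-list input validator, a query that is injectable next to its parameterized form (run against an in-memory SQLite table), and output encoding for an HTML text context. The users table, its rows and the injection payload are constructed for the example; the vulnerable function is kept vulnerable on purpose.

```python
import html
import re
import sqlite3

# Added example (not from the skill page). Table contents and payload are
# constructed sample data.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(name: str) -> bool:
    """Allow-list validation: type, length and format in one check."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE (kept on purpose): the caller's string becomes SQL text.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # SAFE: the value travels as a bound parameter and is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name: str) -> str:
    # Output encoding for the HTML text context the value lands in. A
    # different context (attribute, JavaScript, URL) needs its own encoder.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed payload: closes the quoted literal, unions in another column,
# and comments out the trailing quote the template would have added.
INJECTION_PAYLOAD = "x' UNION SELECT secret FROM users --"
```

A review under DATA-003 should ask for tests like the ones below for every query that takes user input: the same payload against the vulnerable and the safe function, with the safe one returning nothing.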

API Security

| Check | Rule | Severity |
|---|---|---|
| All inputs validated (type, length, format) | API-001 | Critical |
| Request size limits enforced | API-001 | Medium |
| Rate limiting on all endpoints | API-002 | High |
| Brute-force protection on authentication | API-002 | Critical |
| No stack traces in error responses | API-003 | High |
| Detailed errors logged server-side only | API-003 | Medium |

Infrastructure

| Check | Rule | Severity |
|---|---|---|
| Secrets stored in a secure vault | INFRA-001 | Critical |
| No secrets in source code | INFRA-001 | Critical |
| Security events logged | INFRA-002 | High |
| No sensitive data in logs | INFRA-002 | High |
| Dependencies scanned for known vulnerabilities | INFRA-003 | High |
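
The following is an added example, not code from this skill. It shows two small controls a reviewer can expect to find for the INFRA rules: a logging.Filter that redacts credentials before any handler sees them (INFRA-002, "no sensitive data in logs") and a scanner that flags hard-coded secrets in source lines while leaving values read from the environment or a vault alone (INFRA-001, "no secrets in source code"). The regexes are a starting set rather than a complete one; the sample source lines and log entries are constructed, and the AWS key shown is the placeholder used in AWS's own documentation.

```python
import logging
import re

# Added example (not from the skill page). Patterns are illustrative; sample
# source and log lines are constructed.
REDACTIONS = [
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the record once, redacts the result, and drops the raw args so
    no downstream handler can re-interpolate the original values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def log_with_redaction(entries) -> list:
    """Emit (msg, args) pairs through a logger wearing RedactingFilter and
    return the formatted lines so the effect can be inspected or asserted."""
    logger = logging.Logger("redaction-demo")   # standalone, not in the global registry
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for msg, args in entries:
        logger.info(msg, *args)
    return handler.lines


SECRET_SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "quoted_credential": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_source(lines) -> list:
    """Return (line_number, signature_name) for each line that looks like a
    hard-coded secret. Reads from the environment or a vault do not match
    because no quoted literal follows the assignment."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_SIGNATURES.items():
            if pattern.search(line):
                findings.append((number, name))
    return findings


# Constructed sample inputs.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',   # AWS documentation placeholder
    'api_key = os.environ["API_KEY"]',
    'db_password = "hunter2hunter2"',
    'token = vault.read("svc/token")',
]
SAMPLE_LOG = [
    ("login failed for user=%s password=%s", ("bob", "hunter2")),
    ("calling upstream with Authorization: Bearer %s", ("eyJhbGciOi.payload.sig",)),
    ("health check ok", ()),
]
```

Pattern-based scanning is a floor, not a ceiling: it catches the obvious literal but not a secret built from concatenation or base64, so INFRA-001 still needs the vault-based retrieval path to be the only one the code offers.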

OWASP Top 10

Check each item systematically. The list below is the 2017 edition; the 2021 edition renames and merges several entries (Broken Access Control moves to the top, XXE is folded into Security Misconfiguration, and Insecure Deserialization into Software and Data Integrity Failures), so check against the current edition as well:

  1. Injection vulnerabilities
  2. Broken authentication
  3. Sensitive data exposure
  4. XXE attacks
  5. Broken access control
  6. Security misconfiguration
  7. XSS vulnerabilities
  8. Insecure deserialization
  9. Known vulnerable components
  10. Insufficient logging and monitoring

Report Format

Mark each rule:

  • ✅ Compliant - Rule fully addressed
  • ⚠️ Partial - Needs improvement
  • ❌ Non-Compliant - Blocking issue
  • N/A - Does not apply

For Specifications

Verify that the security requirements:

  • Are documented and specific
  • Cover every relevant category above
  • Have testable acceptance criteria
  • Do not leak implementation details

For Implementation

Verify that the code:

  • Implements the documented security controls
  • Handles edge cases and failure paths securely
  • Follows secure coding practices
  • Has security-focused tests (negative cases and abuse cases, not only the happy path)