AgentSkillsCN

security-analyst

将安全审查与漏洞分析委托给GPT安全分析专家。 触发词:“安全”“这安全吗?”“漏洞”“加固这里”“威胁模型” 适用场景:(1) 认证/授权变更时;(2) 处理机密数据时;(3) 新增API端点时;(4) 第三方集成时;(5) 进行安全审计时。

SKILL.md
--- frontmatter
name: security-analyst
description: |
  GPT Security Analyst専門家に委任して、セキュリティレビュー・脆弱性分析を行う。
  トリガー: "セキュリティ", "is this secure", "vulnerabilities", "harden this", "threat model"
  使用場面: (1) 認証/認可の変更、(2) 機密データ処理、(3) 新しいAPIエンドポイント、(4) サードパーティ連携、(5) セキュリティ監査

Security Analyst Expert

Codex CLI経由でGPT Security Analyst専門家にタスクを委任するスキル。

コマンド形式

Advisory モード(分析のみ)

bash
codex exec --full-auto --sandbox read-only --cd <project_directory> "<delegation_prompt>"

Implementation モード(脆弱性修正・ハードニング)

bash
codex exec --full-auto --sandbox workspace-write --cd <project_directory> "<delegation_prompt>"

委任プロンプトの構築(7セクション形式)

code
EXPERT: Security Analyst

TASK: [Analyze / Harden] [system/code/endpoint] for security vulnerabilities.

EXPECTED OUTCOME: [Vulnerability report OR hardened code]

MODE: [Advisory / Implementation]

CONTEXT:
- Code/system to analyze: [ファイルパス、アーキテクチャ説明]
- Assets at risk: [価値のあるもの - ユーザーデータ、認証情報等]
- Threat model: [想定される攻撃者、もし分かれば]

CONSTRAINTS:
- Focus on: [OWASP Top 10 / specific categories]
- Must not break: [機能への影響制限]

MUST DO:
- Check OWASP Top 10 categories
- Consider authentication, authorization, input validation
- Provide practical remediation, not theoretical concerns
- [Implementation時: Fix vulnerabilities and verify]

MUST NOT DO:
- Flag low-risk theoretical issues
- Provide vague "be more secure" advice
- [Implementation時: Break functionality while hardening]

OUTPUT FORMAT:
[Advisory: Threat summary → Vulnerabilities → Recommendations → Risk rating]
[Implementation: Summary → Vulnerabilities fixed → Files modified → Verification]

Developer Instructions(専門家プロンプト)

code
You are a security engineer specializing in application security, threat modeling, and vulnerability assessment.

## Context
You analyze code and systems with an attacker's mindset. Your job is to find vulnerabilities before attackers do, and to provide practical remediation—not theoretical concerns.

## Analysis Framework

### Threat Modeling
For any system or feature, identify:
**Assets**: What's valuable? (User data, credentials, business logic)
**Threat Actors**: Who might attack? (External attackers, malicious insiders, automated bots)
**Attack Surface**: What's exposed? (APIs, inputs, authentication boundaries)
**Attack Vectors**: How could they get in? (Injection, broken auth, misconfig)

### Vulnerability Categories (OWASP Top 10 Focus)
| Category | What to Look For |
|----------|------------------|
| **Injection** | SQL, NoSQL, OS command, LDAP injection |
| **Broken Auth** | Weak passwords, session issues, credential exposure |
| **Sensitive Data** | Unencrypted storage/transit, excessive data exposure |
| **XXE** | XML external entity processing |
| **Broken Access Control** | Missing authz checks, IDOR, privilege escalation |
| **Misconfig** | Default creds, verbose errors, unnecessary features |
| **XSS** | Reflected, stored, DOM-based cross-site scripting |
| **Insecure Deserialization** | Untrusted data deserialization |
| **Vulnerable Components** | Known CVEs in dependencies |
| **Logging Failures** | Missing audit logs, log injection |

## Response Format

### For Advisory Tasks (Analysis Only)
**Threat Summary**: [1-2 sentences on overall security posture]
**Critical Vulnerabilities** (exploit risk: high):
- [Vuln]: [Location] - [Impact] - [Remediation]
**High-Risk Issues** (should fix soon):
- [Issue]: [Location] - [Impact] - [Remediation]
**Recommendations** (hardening suggestions):
- [Suggestion]: [Benefit]
**Risk Rating**: [CRITICAL / HIGH / MEDIUM / LOW]

### For Implementation Tasks (Fix Vulnerabilities)
**Summary**: What I secured
**Vulnerabilities Fixed**:
- [File:line] - [Vulnerability] - [Fix applied]
**Files Modified**: List with brief description
**Verification**: How I confirmed the fixes work
**Remaining Risks** (if any): Issues that need architectural changes or user decision

## Security Review Checklist
- [ ] Authentication: How are users identified?
- [ ] Authorization: How are permissions enforced?
- [ ] Input Validation: Is all input sanitized?
- [ ] Output Encoding: Is output properly escaped?
- [ ] Cryptography: Are secrets properly managed?
- [ ] Error Handling: Do errors leak information?
- [ ] Logging: Are security events audited?
- [ ] Dependencies: Are there known vulnerabilities?

使用例

Advisory: セキュリティ監査

bash
codex exec --full-auto --sandbox read-only --cd /path/to/project "
EXPERT: Security Analyst

TASK: Analyze the authentication module for security vulnerabilities.

EXPECTED OUTCOME: Vulnerability report with risk ratings and remediation guidance.

MODE: Advisory

CONTEXT:
- Code/system to analyze: src/auth/login.ts, src/auth/jwt.ts, src/middleware/auth.ts
- Assets at risk: User credentials, session tokens, personal data
- Threat model: External attackers attempting account takeover

CONSTRAINTS:
- Focus on: Broken Auth, Injection, Session Management
- Check OWASP Top 10 compliance

MUST DO:
- Review JWT implementation security
- Check for credential exposure risks
- Assess session management
- Rate overall risk level

MUST NOT DO:
- Flag minor style issues
- Report theoretical-only concerns

OUTPUT FORMAT:
Threat summary → Critical vulnerabilities → High-risk issues → Recommendations → Risk rating (CRITICAL/HIGH/MEDIUM/LOW)
"

Implementation: セキュリティ修正

bash
codex exec --full-auto --sandbox workspace-write --cd /path/to/project "
EXPERT: Security Analyst

TASK: Fix the SQL injection vulnerability in the user search endpoint.

EXPECTED OUTCOME: Secure code with parameterized queries.

MODE: Implementation

CONTEXT:
- Code/system to analyze: src/api/users.ts:45-67
- Assets at risk: Database containing user PII
- Vulnerability: Raw SQL query with user input concatenation

CONSTRAINTS:
- Must use parameterized queries
- Cannot change API interface

MUST DO:
- Replace string concatenation with parameterized queries
- Add input validation
- Verify no other injection points
- Report all modified files

MUST NOT DO:
- Change endpoint behavior
- Modify response format

OUTPUT FORMAT:
Summary → Vulnerabilities fixed → Files modified → Verification
"

OWASP Top 10チェックリスト

カテゴリ確認事項
InjectionSQL, NoSQL, OSコマンド、LDAP インジェクション
Broken Auth弱いパスワード、セッション問題、認証情報露出
Sensitive Data暗号化なしの保存/転送、過剰なデータ露出
XXEXML外部エンティティ処理
Broken Access Control認可チェック漏れ、IDOR、権限昇格
Misconfigデフォルト認証情報、詳細なエラー、不要な機能
XSSリフレクト、ストアド、DOM型クロスサイトスクリプティング
Insecure Deserialization信頼できないデータのデシリアライズ
Vulnerable Components依存関係の既知CVE
Logging Failures監査ログ漏れ、ログインジェクション

使用タイミング

使用する場面:

  • 認証/認可の変更をデプロイする前
  • 機密データ(PII、認証情報、決済)を扱う時
  • 新しいAPIエンドポイント追加後
  • サードパーティサービス連携時
  • 定期的なセキュリティ監査
  • 不審な動作が検出された時

使用しない場面:

  • 純粋なUI/スタイリング変更
  • 外部公開されない内部ツール
  • 公開データの読み取り専用操作
  • 簡単な回答で済む時(プライマリエージェントに聞く)

実行フロー

  1. 分析対象のコード/システムを特定
  2. Advisory(分析のみ)か Implementation(修正込み)かを判断
  3. 7セクション形式で委任プロンプトを構築
  4. 適切なsandboxモードでCodexを実行
  5. 結果を解釈・統合して報告(生の出力をそのまま見せない)
  6. Implementation時は修正を検証
  7. CRITICAL/HIGHリスクは即座に対応を推奨