AgentSkillsCN

security

Load when reviewing security vulnerabilities, injection risks, authentication issues, or OWASP compliance. Provides security audit patterns and common vulnerability fixes.

SKILL.md

---
name: security
description: Load when reviewing security vulnerabilities, injection risks, authentication issues, or OWASP compliance. Provides security audit patterns and common vulnerability fixes.
---

Security

Triggers

| Pattern | Action |
|---|---|
| security vulnerability injection | Load this skill |
| auth bypass brute force | Load this skill |
| OWASP XSS CSRF SQLi | Load this skill |
| CVE exploit payload | Load this skill |

OWASP Top 10 Checklist

| Risk | Check | Fix |
|---|---|---|
| A01 Broken Access Control | Authorization enforced server-side on every endpoint and on the object being accessed, not only the role | Add `@requires_auth` decorator; check ownership of the object, not just the role |
| A02 Cryptographic Failures | Secrets in env, not code; TLS in transit; current algorithms | Use `os.getenv()`, never hardcode |
| A03 Injection | User input never concatenated into SQL, shell, or HTML | Use parameterized queries, escape output |
| A04 Insecure Design | Threat modeling done | Review with security lens |
| A05 Security Misconfiguration | Debug mode off in prod | Set `DEBUG=False`, check CORS |
| A06 Vulnerable and Outdated Components | Dependencies up to date | Run `pip-audit`, `npm audit` |
| A07 Identification and Authentication Failures | Rate limiting, MFA | Add rate limits, session expiry |
| A08 Software and Data Integrity Failures | Dependencies pinned and verified; no deserialization of untrusted data | Lock dependency hashes, verify signatures, never `pickle`/`yaml.load` untrusted input |
| A09 Security Logging and Monitoring Failures | Security events logged | Log auth, access, errors |
| A10 SSRF | Outbound URL validation | Allowlist allowed hosts and schemes; block internal and metadata addresses |
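The A10 row says to allowlist the hosts the service may call. The block below is an added example (it is not part of this skill) of what that validation has to cover beyond a name match: scheme, userinfo, literal IP addresses, port, and what the name actually resolves to. `ALLOWED_HOSTS`, `ALLOWED_PORTS` and the injectable `resolver` are constructed for the example; in production the default resolver is the system one.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only destinations this service may fetch.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def _is_public_ip(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (169.254.169.254 included), multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str) -> str:
    """Allowlist check on the parsed URL. Returns the URL unchanged or raises ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.example.com@evil.example.net/ has hostname evil.example.net
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname                      # already lowercased by urlsplit
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                   # a name, as expected
    else:
        raise ValueError("literal IP addresses not allowed")   # 127.0.0.1, [::1], 169.254.169.254
    if host.rstrip(".") not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in ALLOWED_PORTS:        # .port itself raises ValueError on junk
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def is_allowed_url(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


def resolve_public_address(host: str, resolver=None) -> str:
    """Resolve once, reject any non-public answer, return the address to connect to.

    Connect to the returned IP (setting the Host header yourself) instead of letting
    the HTTP client resolve again: a second lookup reopens the DNS-rebinding window
    between this check and the connection.
    """
    if resolver is None:
        resolver = lambda h: [info[4][0] for info in socket.getaddrinfo(h, None)]
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if not _is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs[0]
```

Name allowlisting alone is not enough: an allowlisted name that resolves to an internal address (a compromised DNS zone, or a deliberately rebinding one) still reaches the internal network, which is why the resolved address is checked and pinned as well.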

Common Vulnerabilities (NOP-specific)

| Location | Risk | Mitigation |
|---|---|---|
| WebSocket endpoints | No auth check | Validate token on connect, before any message is processed |
| Traffic capture | Raw packet access | Sanitize and escape captured bytes before display |
| Workflow executor | Code injection via variables | Sandbox execution, validate input; never evaluate templates as code |
| Agent commands | RCE via shell injection | Use `subprocess` with `shell=False` and an argv list |
| API endpoints | Mass assignment | Use Pydantic schemas with explicit fields; never bind a raw request body to a model |
| File operations | Path traversal | Validate paths, check against the base directory after resolving |
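The workflow executor row warns about code injection via variables. The block below is an added example, not the project's own executor, contrasting a template renderer that evaluates the step text with one that only substitutes named placeholders, plus the argv-building step that feeds the result to `subprocess` without a shell. `CONTEXT` and the templates are constructed for the example.

```python
import re
from string import Template

# Constructed workflow context for the example.
CONTEXT = {"host": "db-01", "user": "deploy"}

_VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_unsafe(template: str, variables: dict) -> str:
    """Vulnerable: compiles the step text as an f-string and evaluates it.
    Every {...} in the template is Python, so whoever can write a workflow
    (or a value that is later re-rendered) gets code execution."""
    return eval('f"""' + template + '"""', {}, dict(variables))


def render_safe(template: str, variables: dict) -> str:
    """Plain placeholder substitution: $name / ${name} only, in a single pass.
    Nothing is evaluated; an unknown placeholder raises KeyError and a malformed
    one raises ValueError instead of expanding to something unexpected."""
    for name in variables:
        if not _VAR_NAME.match(name):
            raise ValueError(f"invalid variable name: {name!r}")
    return Template(template).substitute(variables)


def build_command(argv_template: list, variables: dict) -> list:
    """Render each argv element separately and hand the list to
    subprocess.run(..., shell=False): a value with spaces or shell
    metacharacters stays one argument and cannot append a second command."""
    return [render_safe(part, variables) for part in argv_template]
```

Because `Template.substitute` makes one pass, a value that itself contains `$user` is inserted literally and never expanded again; that is the property a sandbox has to guarantee, and the property the f-string version lacks.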

Security Patterns

```python
# Pattern 1: Parameterized query (SQLAlchemy)
from sqlalchemy import select

# ❌ Bad: f"SELECT * FROM users WHERE id = {user_id}"   -- the value is spliced into the SQL text
# ✅ Good: the value travels as a bound parameter, never as SQL
async def get_user(db, user_id):            # `User` is the app's mapped model
    result = await db.execute(
        select(User).where(User.id == user_id)
    )
    return result.scalar_one_or_none()

# Pattern 2: Input validation (FastAPI)
from pydantic import BaseModel, validator   # pydantic v1 API; on v2 use field_validator

class UserInput(BaseModel):
    username: str

    @validator('username')
    def validate_username(cls, v):
        if not v.isalnum():                 # also rejects the empty string
            raise ValueError('Alphanumeric only')
        return v

# Pattern 3: Secure subprocess
import subprocess

# ❌ Bad: subprocess.run(f"ping {host}", shell=True)   -- "x; rm -rf /" rides along
# ✅ Good: argv list, no shell; `host` is a single argument whatever it contains
def ping_once(host: str) -> int:
    if host.startswith("-"):                # shell=False stops shell injection, not argument injection
        raise ValueError("invalid host")
    return subprocess.run(["ping", "-c", "1", host], shell=False, timeout=10).returncode

# Pattern 4: Path traversal prevention
from pathlib import Path

def safe_path(base_dir: str, user_path: str) -> Path:
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check sees the real target
    target = (base / user_path).resolve()
    # Compare path components, not string prefixes: a startswith() test would let
    # base "/srv/data" accept "/srv/data2/secret".
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError("Path traversal detected") from None
    return target
```

Audit Checklist

| Category | Check |
|---|---|
| Auth | All endpoints require authentication? |
| Auth | Tokens expire and can be revoked? |
| Input | All user input validated server-side? |
| Output | HTML output escaped? |
| Secrets | No secrets in code/logs? |
| Dependencies | No known CVEs in deps? |
| Logging | Failed auth attempts logged? |
| Rate Limit | Brute force protection enabled? |

Rules

| Rule | Why |
|---|---|
| Never trust user input | All input is malicious until validated |
| Defense in depth | Multiple security layers |
| Least privilege | Minimal permissions required |
| Fail secure | Errors deny access, not grant |
| Log security events | Audit trail for incidents |
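The A01 row names a `@requires_auth` decorator, the audit checklist asks whether tokens expire and can be revoked, and the rules table asks for fail-secure behaviour and logged security events. The block below is an added example that ties those together; it is not the project's own decorator or token format. The HMAC token scheme, `SECRET_KEY`, the in-memory `REVOKED_TOKEN_IDS` set and the `request` dict shape are all assumptions made for the example.

```python
import base64
import functools
import hashlib
import hmac
import json
import logging
import secrets
import time
from typing import Optional

log = logging.getLogger("security.auth")

# Constructed for the example: a real service loads this from os.getenv("TOKEN_KEY").
SECRET_KEY = b"example-only-key-do-not-ship"
REVOKED_TOKEN_IDS = set()   # example store; share it across workers in production


class AuthError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, ttl_seconds: int) -> str:
    """HMAC-signed claims with an expiry and a unique id (jti) so the token can be revoked."""
    claims = {"sub": subject, "role": role, "jti": secrets.token_urlsafe(12),
              "exp": int(time.time()) + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_token(token: str) -> dict:
    """Signature first (nothing is parsed before it checks out), then expiry, then revocation."""
    payload, _, signature = token.partition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(signature), expected):
            raise AuthError("bad signature")
        claims = json.loads(_unb64(payload))
    except ValueError as exc:                  # bad base64 or JSON
        raise AuthError("malformed token") from exc
    if claims.get("exp", 0) <= time.time():    # missing exp counts as expired
        raise AuthError("expired")
    if claims.get("jti") in REVOKED_TOKEN_IDS:
        raise AuthError("revoked")
    return claims


def revoke_token(token: str) -> None:
    """Verify before revoking so only genuine token ids enter the list."""
    REVOKED_TOKEN_IDS.add(verify_token(token)["jti"])


def requires_auth(role: Optional[str] = None):
    """Wraps a handler taking (request, claims, *args). Fails closed: any exception
    while checking the token is a denial, never a path that skips the check."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(request: dict, *args, **kwargs):
            try:
                claims = verify_token(request.get("token", ""))
            except Exception as exc:           # AuthError or anything unexpected: deny and log
                log.warning("auth failed for %s: %s", handler.__name__, exc)
                return {"status": 401, "error": "unauthorized"}
            if role is not None and claims.get("role") != role:
                log.warning("role %r denied for %s (sub=%s)", claims.get("role"),
                            handler.__name__, claims.get("sub"))
                return {"status": 403, "error": "forbidden"}
            return handler(request, claims, *args, **kwargs)
        return wrapper
    return decorator


@requires_auth(role="admin")
def delete_user(request: dict, claims: dict, user_id: int) -> dict:
    return {"status": 200, "deleted": user_id, "by": claims["sub"]}
```

The catch-all `except Exception` in the wrapper is deliberate: a bug in the verifier (a store outage, a malformed claim) must produce a 401, not an unhandled error that some framework middleware turns into a pass-through.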

References