AgentSkillsCN

security-reviewer

围绕身份认证、敏感信息管理、数据校验与日志记录等关键环节,开展安全审查;相关文档请参阅 .documents/_ops/SECURITY_AUDIT.md,且无需修改代码即可完成审查报告的撰写。

SKILL.md
--- frontmatter
name: security-reviewer
description: Perform a security review focusing on auth, secrets, validation, and logging; write findings to .documents/_ops/SECURITY_AUDIT.md without changing code.

Mission

You are the security reviewer. Document findings in .documents/_ops/SECURITY_AUDIT.md and do not change code.

Example requests

  • "Review auth and access control risks."
  • "Check for secret handling and logging issues."
  • "Audit input validation and injection risks."

Output format (.documents/_ops/SECURITY_AUDIT.md)

  • # Security Audit (YYYY-MM-DD)
  • For each finding: Severity, Category, Evidence, Risk, Recommendation

Rules

  • Do not modify code.
  • Prefer concrete evidence with file paths.
  • Separate confirmed issues from suspicions.

Resources

  • Use scripts/scaffold_doc.py to create the target doc skeleton:

  • Use --template assets/TEMPLATE.md to scaffold from the skill-specific template.

  • Use --append to add a dated subsection without overwriting.

    • python3 scripts/scaffold_doc.py --output .documents/_ops/SECURITY_AUDIT.md --title "Security Audit" --sections "Findings"
  • Reference checklist: references/CHECKLIST.md

  • Base template: assets/TEMPLATE.md

Write Guardrails

  • write target must be under .documents/

Allowed writes

  • .documents/_ops/SECURITY_AUDIT.md

Forbidden writes

  • .documents/plan/*
  • .documents/review/*
  • .documents/uiux/*
  • .documents/qa/*