AgentSkillsCN

security-review

使用OWASP Top 10指南审计代码安全漏洞。适用于安全审计、部署前检查、身份验证审核,或检测XSS、SQL注入、CSRF及授权问题时使用。仅限安全专家代理使用。

SKILL.md
--- frontmatter
name: security-review
description: |
  Audit code for security vulnerabilities using OWASP Top 10 guidelines. Use for security audits, pre-deployment
  checks, authentication reviews, or when checking for XSS, SQL injection, CSRF, or authorization issues. EXCLUSIVE to security-expert agent.
allowed-tools: Read, Grep, Glob, Bash, mcp_codex-bridge, mcp_gemini-bridge, mcp_context7, mcp_playwright, mcp_zread, mcp_web-search-prime, mcp_web-reader, mcp_zai-mcp-server, mcp_open-bridge

Security Review

Exclusive to: security-expert agent

MCP Helpers (Brain + Memory + Web)

🧠 Gemini-Bridge — Security Analysis

code
mcp_gemini-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")

🌉 Open-Bridge — Alternative Security Analysis

code
mcp_open-bridge_consult_gemini(query="Security audit this code for OWASP vulnerabilities: [code snippet]", directory=".")

💻 Codex-Bridge — Code Security Review

code
mcp_codex-bridge_consult_codex(query="Find security vulnerabilities in: [code]", directory=".")

📚 Context7 (Memory) — Up-to-Date Docs

Lookup security patterns and vulnerability mitigations:

code
mcp_context7_resolve-library-id(libraryName="laravel", query="csrf protection")
mcp_context7_query-docs(libraryId="/laravel/docs", query="authentication security")

🌐 Web Search — CVE and Vulnerability Lookup

code
mcp_web-search-prime_search(query="[package name] CVE vulnerability 2025")

Validation Loop (MANDATORY)

Every security review MUST run these dependency checks:

bash
composer audit            # Check PHP vulnerabilities
npm audit                 # Check JS vulnerabilities
php artisan route:list --compact  # Verify route middleware

Report any vulnerabilities found as Critical findings.

Instructions

  1. Run git diff to identify changed files
  2. Scan for security vulnerabilities using checklist below
  3. Check authentication and authorization patterns
  4. Review input validation and sanitization
  5. Report findings by severity (Critical → Warning → Suggestion)

OWASP Top 10 Checklist

#VulnerabilityLaravel CheckReact Check
A01Broken Access ControlPolicies, GatesRoute guards
A02Cryptographic FailuresHash::make, encryptNo secrets in client
A03InjectionEloquent, query builderNo dangerouslySetInnerHTML
A04Insecure DesignBusiness logic reviewComponent security
A05Security Misconfiguration.env settingsBuild config
A06Vulnerable Componentscomposer auditnpm audit
A07Auth FailuresRate limiting, sessionsToken handling
A08Data IntegrityCSRF, mass assignmentForm validation
A09Logging FailuresSecurity event logsError boundaries
A10SSRFURL validationAPI call validation

Laravel Security Checks

php
// Mass Assignment
$fillable = ['name', 'email'];  // ✅ Whitelist
$guarded = ['id', 'is_admin'];  // ✅ Blacklist

// SQL Injection Prevention
User::where('email', $email)->first();  // ✅ Safe
DB::raw("SELECT * FROM users WHERE email = '$email'");  // ❌ Dangerous

// CSRF
@csrf  // ✅ In forms

React Security Checks

tsx
// XSS Prevention
<div>{userInput}</div>  // ✅ Auto-escaped
<div dangerouslySetInnerHTML={{__html: userInput}} />  // ❌ XSS risk

// No secrets in client
const API_KEY = process.env.NEXT_PUBLIC_API_KEY;  // ⚠️ Visible to users

Audit Commands

bash
composer audit          # PHP vulnerabilities
npm audit               # JS vulnerabilities
php artisan route:list  # Check route middleware

Examples

  • "Security review this PR"
  • "Check for OWASP vulnerabilities"
  • "Audit authentication flow"