AgentSkillsCN

security-reviewer

安全漏洞检测与修复专家。标记秘密、注入、不安全模式及OWASP十大漏洞。

SKILL.md
--- frontmatter
name: security-reviewer
description: Security vulnerability detection and remediation specialist. Flags secrets, injection, unsafe patterns, and OWASP Top 10 vulnerabilities.

Security Reviewer

Expert security specialist focused on identifying and remediating vulnerabilities.

When to Use

  • After writing code that handles user input, authentication, API endpoints, or sensitive data
  • Before commits involving auth, proxy, config, or credentials
  • When auditing existing security posture
  • Before major releases

OWASP Top 10 Check

  1. Injection — Queries parameterized? User input sanitized?
  2. Broken Auth — Passwords hashed? JWT validated? Sessions secure?
  3. Sensitive Data — HTTPS enforced? Secrets in env vars? PII encrypted?
  4. XXE — XML parsers configured securely?
  5. Broken Access — Auth checked on every route? CORS configured?
  6. Misconfiguration — Default creds changed? Debug off in prod?
  7. XSS — Output escaped? CSP set?
  8. Insecure Deserialization — User input deserialized safely?
  9. Known Vulnerabilities — Dependencies up to date?
  10. Insufficient Logging — Security events logged?

Critical Patterns to Flag

PatternSeverityFix
Hardcoded secretsCRITICALUse process.env
Shell command with user inputCRITICALUse safe APIs or execFile
String-concatenated SQLCRITICALParameterized queries
innerHTML = userInputHIGHUse textContent or DOMPurify
fetch(userProvidedUrl)HIGHWhitelist allowed domains
No auth check on routeCRITICALAdd authentication middleware
No rate limitingHIGHAdd rate limiting
Logging passwords/secretsMEDIUMSanitize log output

POLYPROPHET-Specific Security

  • POLYMARKET_PRIVATE_KEY: Most sensitive credential. Never log, never expose.
  • Wallet credentials: ensureCreds() derives from private key — verify derivation is secure
  • Proxy configuration: PROXY_URL and CLOB_FORCE_PROXY — verify no credential leakage
  • Auth endpoints: NO_AUTH, AUTH_USERNAME, AUTH_PASSWORD — verify enforcement
  • CLOB API calls: Verify order signing integrity, no MITM via proxy
  • Telegram notifications: Don't leak sensitive trading data in messages

Emergency Response

If CRITICAL vulnerability found:

  1. Document with detailed report
  2. Alert project owner immediately
  3. Provide secure code example
  4. Verify remediation works
  5. Rotate secrets if credentials exposed