AgentSkillsCN

secure-coding

This skill is especially relevant when writing security-sensitive code, handling authentication, processing user input, or managing secrets.

SKILL.md
---
name: secure-coding
description: Use when writing security-sensitive code, handling authentication, processing user input, or managing secrets
---

Secure Coding

Announce at start: "Following the secure-coding skill for security-sensitive work."

OWASP Top 10 Quick Check

Before submitting security-sensitive code, verify against these categories:

  • Injection — parameterized queries, no string concatenation for SQL/commands
  • Broken Auth — secure session management, strong password hashing
  • Sensitive Data — encryption at rest and in transit, no PII in logs
  • XXE — disable external entity processing in XML parsers
  • Broken Access Control — authorization checks on every endpoint
  • Misconfig — no default credentials, security headers present
  • XSS — output encoding, CSP headers
  • Insecure Deserialization — validate and sanitize before deserializing
  • Known Vulnerabilities — dependencies up to date, no known CVEs
  • Insufficient Logging — log security events, never log secrets

Input Validation

All user input is untrusted. Validate everything.

| Rule | Example |
| --- | --- |
| Allowlist over denylist | Accept known-good patterns, reject everything else |
| Validate type, length, range | `age: int, 0-150`, not just `age: any` |
| Sanitize before use | Escape HTML before rendering, parameterize SQL |
| Validate on the server | Client-side validation is for UX, not security |
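Added example (not part of this skill or the guides it references) applying the four rules above in Python: allowlist, type, length and range checks on the server, a parameterized insert, and HTML escaping at render time. The profile fields, the username pattern and the SQLite table are assumptions made for the example.

```python
import html
import re
import sqlite3

# Allowlist for usernames: known-good characters and a bounded length (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def validate_profile(raw: dict) -> dict:
    """Server-side checks: allowlist, type, length and range. Raises ValueError on any failure."""
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username: must match [a-z0-9_]{3,32}")
    age = raw.get("age")
    # bool is a subclass of int, so True would pass a plain isinstance(age, int) check.
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        raise ValueError("age: must be an int in the range 0-150")
    bio = raw.get("bio", "")
    if not isinstance(bio, str) or len(bio) > 280:
        raise ValueError("bio: must be a string of at most 280 characters")
    # Return only the expected fields; unknown keys sent by the client are dropped.
    return {"username": username, "age": age, "bio": bio}

def open_db() -> sqlite3.Connection:
    """In-memory table used by this example (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT, age INTEGER, bio TEXT)")
    return conn

def store_profile(conn: sqlite3.Connection, profile: dict) -> int:
    """Parameterized insert: values are bound, never concatenated into the SQL text."""
    cur = conn.execute(
        "INSERT INTO profiles (username, age, bio) VALUES (?, ?, ?)",
        (profile["username"], profile["age"], profile["bio"]),
    )
    conn.commit()
    return cur.lastrowid

def fetch_bio(conn: sqlite3.Connection, row_id: int) -> str:
    """Read the bio back unchanged; encoding is done at render time, not at storage time."""
    return conn.execute("SELECT bio FROM profiles WHERE id = ?", (row_id,)).fetchone()[0]

def render_bio(profile: dict) -> str:
    """Output encoding for an HTML context: stored text can never become markup."""
    return f"<p>{html.escape(profile['bio'])}</p>"
```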

Secret Handling

| Do | Don't |
| --- | --- |
| Use environment variables or secret managers | Hardcode secrets in source |
| Rotate secrets regularly | Share secrets in chat/email |
| Use different secrets per environment | Reuse production secrets in dev |
| Add secret files to .gitignore | Commit .env files |

Security Review Triggers

Request a security-focused review when changes touch:

| Area | Why |
| --- | --- |
| Authentication/authorization | Identity and access control |
| Payment processing | Financial data |
| File uploads | Path traversal, malware |
| API endpoints | Injection, rate limiting |
| Cryptography | Algorithm choice, key management |
| External service integration | Trust boundary crossing |

When to Escalate

Always escalate to a human for:

  • Cryptographic algorithm selection
  • Authentication flow design
  • Access control policy changes
  • Secret rotation procedures
  • Security incident response

Related Skills

| When | Invoke |
| --- | --- |
| Security code needs review | code-review |
| Need to test security controls | testing |
| Ready to submit security changes | pr-writing |

Deep Reference

For principles, rationale, anti-patterns, and examples:

  • guides/secure-coding/secure-coding.md
  • guides/security-boundaries/security-boundaries.md