
Security Auditor


Skill: security-auditor

Purpose

Add a dedicated, non-negotiable security auditing gate to the verification pipeline. This skill blocks the agent from committing code or dependencies that the scanners flag as HIGH or CRITICAL. Scanners only catch what their rules and advisory databases cover, so the OWASP guidance below applies during code generation as well, before the gate runs.

When to Use

  • Always. This skill should be integrated into the standard verification pipeline as Gate 2.5 (after Automated Testing, before Browser Verification).

How It Works

Step 1: Run Security Scans

Execute the security scanning tools defined in CLAUDE.md, writing each report as JSON under .ralph/ so that Step 2 can parse it:

For Node.js Projects:

```bash
mkdir -p .ralph   # the report directory must exist before redirecting into it

# Dependency vulnerability scan (exits non-zero when vulnerabilities are found;
# the JSON file, not the exit status, is what Step 2 reads)
npm audit --json > .ralph/security_npm_audit.json

# Static Application Security Testing (SAST)
npx semgrep scan --config auto --json > .ralph/security_semgrep.json
```

For Python Projects:

```bash
mkdir -p .ralph   # the report directory must exist before redirecting into it

# Dependency vulnerability scan (exits non-zero when vulnerabilities are found)
pip-audit --format json > .ralph/security_pip_audit.json

# SAST with Bandit; exclude virtualenvs so third-party code is not reported as the project's own
bandit -r . -x ./.venv,./venv -f json > .ralph/security_bandit.json
```

Step 2: Analyze Results

Parse the JSON output and act on the highest severity found. The four tools do not share a severity vocabulary, so the parser must map each onto the gate's scale: npm audit reports critical/high/moderate/low/info (moderate is MEDIUM here); Semgrep's classic scale is ERROR/WARNING/INFO (treat ERROR as HIGH), though newer rules may already carry CRITICAL/HIGH/MEDIUM/LOW; Bandit reports HIGH/MEDIUM/LOW with a separate confidence field; pip-audit reports no severity at all, only the advisory ID and fix versions, so the gate policy must decide how to rank a known vulnerability in an installed package (treating it as HIGH is the conservative choice).

| Severity | Action |
|----------|--------|
| CRITICAL | FAIL GATE. Must be fixed before commit. |
| HIGH | FAIL GATE. Must be fixed before commit. |
| MEDIUM | Log to progress.txt. Create follow-up story. |
| LOW | Log to progress.txt. |

Step 3: Self-Correction for Security Issues

If a CRITICAL or HIGH vulnerability is found, the agent must enter the self-correction loop with the following priority:

  1. Read the vulnerability report.
  2. Identify the vulnerable code or dependency (the report gives the file and line for SAST findings, and the package, vulnerable range and fix version for dependency findings).
  3. Apply the recommended fix (e.g., upgrade the dependency to the first fixed version, replace a string-built query with a parameterized one). Suppression comments (`# nosec`, `# nosemgrep`) and raising the audit threshold (`npm audit --audit-level`) are not fixes and must not be used to pass the gate.
  4. Re-run the security scan, and re-run the automated testing gate if a dependency was upgraded.
  5. Repeat until all CRITICAL and HIGH issues are resolved. A finding with no available fix is not downgraded; record it in progress.txt and leave the gate failed for human review.
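The parsing and decision logic of Steps 2 and 3, as an added example in Python (not code from the security-auditor skill or the Ralph pipeline). It reads the JSON shapes that `npm audit --json`, `semgrep --json`, `pip-audit --format json` and `bandit -f json` emit, normalizes each tool's severity words onto the gate's scale, and returns the blocking findings the self-correction loop has to fix plus the ones to log. The sample reports at the bottom are constructed, not real scan output; ranking every pip-audit finding as HIGH is this example's policy assumption, and `evaluate_dir` assumes the `.ralph/security_<tool>.json` names used in Step 1.

```python
"""Gate 2.5 evaluator (added example, not part of the security-auditor skill).
Reads the JSON from npm audit, Semgrep, pip-audit and Bandit and maps each
tool's own severity words onto the gate's CRITICAL/HIGH/MEDIUM/LOW scale."""
import json
from pathlib import Path

GATE_LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
FAIL_LEVELS = {"CRITICAL", "HIGH"}
# npm audit uses lower-case words and calls MEDIUM "moderate".
NPM_SEVERITY = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM",
                "low": "LOW", "info": "LOW"}
# Semgrep's classic scale is ERROR/WARNING/INFO; rules that already say CRITICAL/HIGH/... pass through.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
# pip-audit reports no severity, only the advisory and its fix versions. Policy assumption for
# this example (the skill does not say): a known vulnerability in an installed package ranks HIGH.
PIP_AUDIT_LEVEL = "HIGH"

def finding(tool, level, ident, where, detail, fix=None):
    # One uniform record so the gate logic does not care which tool produced it.
    if level not in GATE_LEVELS:
        raise ValueError(f"{tool}: unknown severity {level!r}")
    return {"tool": tool, "level": level, "id": ident, "where": where,
            "detail": detail, "fix": fix}

def from_npm_audit(report):
    # npm 7+ shape: {"vulnerabilities": {"<pkg>": {"severity", "range", "via", "fixAvailable", ...}}}
    out = []
    for name, v in report.get("vulnerabilities", {}).items():
        titles = "; ".join(a["title"] for a in v.get("via", []) if isinstance(a, dict))
        out.append(finding("npm-audit", NPM_SEVERITY[v["severity"]], name, v.get("range", ""),
                           titles or "reached via a transitive dependency",
                           fix=v.get("fixAvailable")))
    return out

def from_semgrep(report):
    out = []
    for r in report.get("results", []):
        sev = r["extra"]["severity"].upper()
        level = sev if sev in GATE_LEVELS else SEMGREP_SEVERITY[sev]
        out.append(finding("semgrep", level, r["check_id"],
                           f'{r["path"]}:{r["start"]["line"]}', r["extra"]["message"]))
    return out

def from_pip_audit(report):
    # Older pip-audit versions emit a bare list; newer ones wrap it as
    # {"dependencies": [...], "fixes": [...]}.
    deps = report["dependencies"] if isinstance(report, dict) else report
    out = []
    for dep in deps:
        for v in dep.get("vulns", []):
            out.append(finding("pip-audit", PIP_AUDIT_LEVEL, v["id"],
                               f'{dep["name"]}=={dep["version"]}', v.get("description", ""),
                               fix=v.get("fix_versions") or None))
    return out

def from_bandit(report):
    out = []
    for r in report.get("results", []):
        out.append(finding("bandit", r["issue_severity"].upper(), r["test_id"],
                           f'{r["filename"]}:{r["line_number"]}',
                           f'{r["issue_text"]} (confidence {r["issue_confidence"]})'))
    return out

PARSERS = {"npm_audit": from_npm_audit, "semgrep": from_semgrep,
           "pip_audit": from_pip_audit, "bandit": from_bandit}

def evaluate(reports):
    """reports maps a PARSERS key to that tool's parsed JSON; returns the gate decision."""
    findings = [f for key, rep in reports.items() for f in PARSERS[key](rep)]
    blocking = [f for f in findings if f["level"] in FAIL_LEVELS]
    to_log = [f for f in findings if f["level"] not in FAIL_LEVELS]
    return {"passed": not blocking, "blocking": blocking, "log": to_log,
            "follow_up": [f for f in to_log if f["level"] == "MEDIUM"]}

def evaluate_dir(report_dir=".ralph"):
    """Evaluate whichever security_<tool>.json files Step 1 wrote under report_dir."""
    paths = {k: Path(report_dir) / f"security_{k}.json" for k in PARSERS}
    return evaluate({k: json.loads(p.read_text()) for k, p in paths.items() if p.exists()})

# Constructed sample reports (not real scan output) in each tool's JSON shape.
SAMPLE_REPORTS = {
    "npm_audit": {"vulnerabilities": {
        "lodash": {"severity": "high", "range": "<4.17.21", "fixAvailable": True,
                   "via": [{"title": "Prototype Pollution", "source": 0}]},
        "debug": {"severity": "moderate", "range": "<2.6.9", "fixAvailable": True, "via": ["ms"]}}},
    "semgrep": {"results": [{"check_id": "example.python.subprocess-shell-true", "path": "app.py",
                             "start": {"line": 12},
                             "extra": {"severity": "ERROR", "message": "shell=True with user input"}}]},
    "pip_audit": {"dependencies": [{"name": "examplelib", "version": "1.0.0",
                                    "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"],
                                               "description": "constructed advisory"}]}], "fixes": []},
    "bandit": {"results": [{"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
                            "filename": "./tests/test_app.py", "line_number": 4,
                            "issue_text": "Use of assert detected."}]},
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORTS)
    print("GATE", "PASSED" if result["passed"] else "FAILED")
    for f in result["blocking"] + result["log"]:
        print(f'  {"BLOCK" if f["level"] in FAIL_LEVELS else "LOG  "} {f["level"]:8} {f["tool"]:9} {f["id"]} @ {f["where"]}')
```

On the sample input the gate fails with three blocking findings (the HIGH npm advisory, the Semgrep ERROR and the pip-audit advisory), logs the MEDIUM npm advisory as a follow-up story, and logs the LOW Bandit finding. The `finding` record keeps the location and fix version so the Step 3 loop can go straight to the offending line or the first fixed release; a severity word that none of the maps recognize raises instead of being silently dropped, which is the failure mode to avoid in a gate.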

OWASP Top 10 Awareness

The agent should know the OWASP Top 10 (2021 edition) and actively avoid each category during code generation, since the scanners in Step 1 catch only a subset of them:

  1. Broken Access Control: Verify the caller's permission on every request, server-side, before returning or modifying a resource; deny by default.
  2. Cryptographic Failures: Use strong, modern algorithms (authenticated encryption such as AES-GCM, TLS for data in transit). Hash passwords with a slow, salted hash such as bcrypt or Argon2, never a bare SHA-2. Never store secrets in code or commit them to the repository.
  3. Injection: Use parameterized queries for databases; binding values is the defense, and input sanitizing is not a substitute. Validate inputs, and encode output for the context it lands in (HTML, shell, LDAP, OS commands).
  4. Insecure Design: Follow secure design patterns. Implement defense in depth so that one failed control does not expose the system.
  5. Security Misconfiguration: Use secure defaults. Disable unnecessary features, debug endpoints and verbose error pages in production.
  6. Vulnerable and Outdated Components: Keep dependencies up to date and pinned in a lockfile. Audit regularly (Step 1 does this on every run).
  7. Identification and Authentication Failures: Implement strong password policies, rate-limit login attempts, and use MFA where possible.
  8. Software and Data Integrity Failures: Validate data integrity. Use signed updates and lockfile integrity hashes; never deserialize untrusted input with unsafe formats (e.g., Python pickle).
  9. Security Logging and Monitoring Failures: Log security-relevant events (login failures, access denials, input-validation failures). Protect logs from tampering and never log secrets.
  10. Server-Side Request Forgery (SSRF): Validate every user-supplied URL against an allowlist of schemes and hosts, reject embedded credentials and address literals, and block loopback, link-local and private ranges.
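The two items above that prescribe a concrete code-level control, Injection and SSRF, as an added example in Python (not code from the skill): each control is shown as the vulnerable form beside its hardened form. The in-memory SQLite table, the `x' OR '1'='1` payload and the `ALLOWED_HOSTS` allowlist are constructed for the demonstration.

```python
"""Added example for the Injection and SSRF items (not code from the skill):
each control as a vulnerable form beside its hardened form. Assumes an
in-memory SQLite table and a hypothetical host allowlist."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_unsafe(conn, name):
    # A03 Injection: the caller's string is spliced into the SQL text, so a
    # value such as  x' OR '1'='1  rewrites the WHERE clause and returns every row.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter and can never become SQL.
    # No sanitizing of the input is needed for this to hold.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

ALLOWED_HOSTS = {"api.example.com"}  # hypothetical allowlist for outbound requests

def is_internal_address(host):
    """True if host is an IP literal in a range an SSRF would use to reach
    loopback, link-local (cloud metadata, 169.254.169.254) or private networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; the allowlist decides those
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast)

def is_allowed_url(url):
    """A10 SSRF: accept only https to an allowlisted host, with no embedded
    credentials (https://api.example.com@evil.test/ would pass a substring
    check on the URL string) and no address literal."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname or ""
    if is_internal_address(host):
        return False
    return host in ALLOWED_HOSTS

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # both rows leak
    print("safe:  ", find_user_safe(db, payload))     # nothing matches
    for u in ("https://api.example.com/v1/users", "http://api.example.com/",
              "https://api.example.com@evil.test/", "https://169.254.169.254/latest/meta-data/"):
        print(is_allowed_url(u), u)
```

The allowlist check validates the name the request is addressed to, not the address it resolves to at request time; a host that is on the allowlist but resolves to an internal IP (DNS rebinding) needs the same range check applied to the resolved address inside the HTTP client, which is outside this offline example.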

Configuration

Add the following to your CLAUDE.md:

```markdown
## Security Auditing

- **Scan Tools (Node.js)**: `npm audit`, `semgrep`
- **Scan Tools (Python)**: `pip-audit`, `bandit`
- **Fail Threshold**: HIGH or CRITICAL
- **OWASP Awareness**: Enabled
```