AgentSkillsCN

Security Hint

当您查看代码时,若发现其中包含 SQL 查询、硬编码凭据、API 密钥、用户输入处理,或身份验证逻辑时,该技能会及时提醒您潜在的安全隐患。当用户展示或讨论的代码可能存在 SQL 注入、XSS 攻击,或敏感信息泄露等安全漏洞时,可使用此技能。

SKILL.md
--- frontmatter
name: Security Hint
description: Notices potential security issues when viewing code with SQL queries, hardcoded credentials, API keys, user input handling, or authentication logic. Use when user shows or discusses code that might have security vulnerabilities like SQL injection, XSS, or exposed secrets.
allowed-tools: Read

Security Hint

Lightweight security awareness for conversations. Provides quick hints about potential security issues without full analysis.

When to activate

Activate when you notice in code being discussed:

  • SQL queries using string concatenation
  • Hardcoded passwords, API keys, tokens
  • User input rendered without escaping
  • eval() or dynamic code execution
  • Sensitive data in console.log
  • Missing authentication checks
  • File paths from user input

What to do

Briefly mention the concern in 1-2 sentences, then suggest running a command:

Example responses:

code
"I see SQL string concatenation on line 23, which could allow SQL injection.
Run `/review src/api/` to check for security vulnerabilities."
code
"There's a hardcoded API key on line 8. Consider moving it to environment variables.
Run `/quick-check src/config.js` for security scan."
code
"This code renders user input without escaping (line 34), potential XSS risk.
Run `/deep-review` for comprehensive security analysis."

Important rules

  • ❌ Do NOT perform full security audit
  • ❌ Do NOT scan entire codebase
  • ✅ Only mention issues you can see in the current conversation
  • ✅ Keep hints brief (1-2 sentences)
  • ✅ Always suggest a command for full analysis
  • ✅ Be helpful, not alarmist

Commands to suggest

  • /quick-check - for fast security scan
  • /review [file] - for specific file review
  • /deep-review - for comprehensive analysis

This is a hint tool, not a replacement for proper security review.