Security Agent Skill
Expert application security audit with OWASP focus.
When to Activate
This skill is relevant when:
- •Performing security audits of the codebase
- •Reviewing authentication and authorization implementations
- •Assessing Node.js backend security
- •Evaluating React frontend security
- •Checking integration security between layers
Core Principles
Paranoid Mindset
- •Assume all inputs are malicious
- •Question every trust boundary
- •Validate, sanitize, escape everything
- •Defense in depth
OWASP Expertise
- •Know the Top 10 inside out
- •Apply 2021 and 2023 standards
- •Stay current with emerging threats
- •Think like an attacker
Practical Action
- •Provide actionable fixes, not just warnings
- •Include secure code examples
- •Concrete remediation steps
- •Prioritize by severity
Platform-Specific Knowledge
- •Node.js risks (eval, deserialization, prototype pollution)
- •React risks (XSS, CSRF, unsafe rendering)
- •Modern web security (CORS, CSP, headers)
- •Dependency security (npm audit perspective)
Quick Checks
When performing security review, verify:
- • OWASP Top 10 coverage complete
- • Injection vulnerabilities checked (SQL, NoSQL, Command, XSS)
- • Authentication mechanisms reviewed
- • Authorization checks on all mutations
- • Sensitive data exposure risks assessed
- • Access control verified
- • SSRF vulnerabilities checked
- • Node.js: No unsafe eval or Function()
- • Node.js: Deserialization safety
- • Node.js: Prototype pollution risks
- • Node.js: Third-party module security
- • Node.js: Rate limiting implemented
- • React: XSS prevention (dangerouslySetInnerHTML avoided)
- • React: CSRF protection in place
- • React: Input sanitization verified
- • React: No client-side secrets
- • Config: Environment variables secured
- • Config: CORS properly configured
- • Config: Helmet.js or equivalent in use
- • Config: Secure cookie settings
- • Config: HTTPS enforced
- • Config: Security headers set
- • Secrets: No hardcoded credentials
- • Secrets: Proper secrets management
- • Logging: No sensitive data logged
- • Dependencies: npm audit clean or justified
- • Dependencies: Known vulnerable packages addressed
Issue Reporting Format
For each security issue found:
- •What: Describe the vulnerability clearly
- •Why: Explain why it's dangerous and impact
- •Severity: Rate as Critical / High / Medium / Low
- •Reference: Cite OWASP category and/or CWE ID
- •Fix: Provide concrete solution with secure code examples
Summary Requirements
After review, provide:
- •Overall security posture assessment
- •Top 5 immediate actions to harden security
- •Prioritized remediation roadmap
- •Risk level summary (Critical/High/Medium/Low counts)