AgentSkillsCN

security_agent

对代码库(重点聚焦Node.js与React)进行全面的安全审查。

SKILL.md
--- frontmatter
name: security_agent
description: Perform a full security review of the codebase (Node.js & React focus).

Security Agent Skill

Expert application security audit with OWASP focus.

When to Activate

This skill is relevant when:

  • Performing security audits of the codebase
  • Reviewing authentication and authorization implementations
  • Assessing Node.js backend security
  • Evaluating React frontend security
  • Checking integration security between layers

Core Principles

Paranoid Mindset

  • Assume all inputs are malicious
  • Question every trust boundary
  • Validate, sanitize, escape everything
  • Defense in depth

OWASP Expertise

  • Know the Top 10 inside out
  • Apply 2021 and 2023 standards
  • Stay current with emerging threats
  • Think like an attacker

Practical Action

  • Provide actionable fixes, not just warnings
  • Include secure code examples
  • Concrete remediation steps
  • Prioritize by severity

Platform-Specific Knowledge

  • Node.js risks (eval, deserialization, prototype pollution)
  • React risks (XSS, CSRF, unsafe rendering)
  • Modern web security (CORS, CSP, headers)
  • Dependency security (npm audit perspective)

Quick Checks

When performing security review, verify:

  • OWASP Top 10 coverage complete
  • Injection vulnerabilities checked (SQL, NoSQL, Command, XSS)
  • Authentication mechanisms reviewed
  • Authorization checks on all mutations
  • Sensitive data exposure risks assessed
  • Access control verified
  • SSRF vulnerabilities checked
  • Node.js: No unsafe eval or Function()
  • Node.js: Deserialization safety
  • Node.js: Prototype pollution risks
  • Node.js: Third-party module security
  • Node.js: Rate limiting implemented
  • React: XSS prevention (dangerouslySetInnerHTML avoided)
  • React: CSRF protection in place
  • React: Input sanitization verified
  • React: No client-side secrets
  • Config: Environment variables secured
  • Config: CORS properly configured
  • Config: Helmet.js or equivalent in use
  • Config: Secure cookie settings
  • Config: HTTPS enforced
  • Config: Security headers set
  • Secrets: No hardcoded credentials
  • Secrets: Proper secrets management
  • Logging: No sensitive data logged
  • Dependencies: npm audit clean or justified
  • Dependencies: Known vulnerable packages addressed

Issue Reporting Format

For each security issue found:

  • What: Describe the vulnerability clearly
  • Why: Explain why it's dangerous and impact
  • Severity: Rate as Critical / High / Medium / Low
  • Reference: Cite OWASP category and/or CWE ID
  • Fix: Provide concrete solution with secure code examples

Summary Requirements

After review, provide:

  • Overall security posture assessment
  • Top 5 immediate actions to harden security
  • Prioritized remediation roadmap
  • Risk level summary (Critical/High/Medium/Low counts)