AgentSkillsCN

security

Implement production-grade security practices covering the OWASP Top 10, input validation, injection prevention, and secrets management. Use this skill when hardening applications against vulnerabilities, implementing authentication and authorization, managing secrets, configuring HTTPS/TLS, or conducting security audits.

SKILL.md
---
name: "security"
description: 'Implement production security practices covering OWASP Top 10, input validation, injection prevention, and secrets management. Use when hardening applications against vulnerabilities, implementing authentication/authorization, managing secrets, configuring HTTPS/TLS, or conducting security audits.'
metadata:
  author: "AgentX"
  version: "1.0.0"
  created: "2025-01-15"
  updated: "2025-01-15"
---

Security

Purpose: Language-agnostic security practices to protect against common vulnerabilities.
Focus: Input validation, injection prevention, authentication, secrets management.
Note: For language-specific implementations, see C# Development or Python Development.


When to Use This Skill

  • Hardening applications against OWASP Top 10
  • Implementing authentication and authorization
  • Managing secrets and credentials securely
  • Configuring HTTPS/TLS
  • Conducting security audits

Prerequisites

  • OWASP Top 10 awareness
  • Understanding of HTTP security headers

Decision Tree

```text
Security concern?
├─ User input? → VALIDATE + SANITIZE (see Input Validation)
│   ├─ Goes into SQL? → Parameterized queries ONLY
│   ├─ Goes into HTML? → Encode output (XSS prevention)
│   └─ Goes into shell? → Avoid; use SDK/API instead
├─ Authentication?
│   ├─ New system? → Use established provider (OAuth2/OIDC)
│   └─ Existing? → Verify token validation, session management
├─ Secrets/credentials?
│   ├─ In code? → REMOVE → use env vars or vault
│   └─ In config? → Move to secrets manager
│       └─ Run: scripts/scan-secrets.ps1 to verify
├─ Dependencies?
│   └─ Run: scripts/scan-security.ps1 → update vulnerable packages
└─ Deployment?
    └─ HTTPS only, security headers, CORS configured
```
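The "user input" branch of the decision tree in working form. This is an added example, not code from the skill or its author: it uses an in-memory SQLite table constructed here, shows allow-list validation, the concatenated query beside its parameterized replacement, and HTML output encoding for the same value. The table schema, the `USERNAME_RE` pattern and the function names are assumptions for the demonstration.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for the application database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users (username, email) VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)

# Allow-list validation: accept only the shape the field is supposed to have.
# (Assumed policy: 3-32 characters of letters, digits and underscore.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value) -> bool:
    """True only if the value matches the allow-list pattern exactly."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(username: str) -> list:
    """'Before' form: concatenation lets the input change the query's structure."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in _conn.execute(query)]


def find_user_safe(username: str) -> list:
    """Hardened form: the placeholder binds the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in _conn.execute(query, (username,))]


def lookup_user(username: str) -> list:
    """Defence in depth: validate first, then use the parameterized query."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return find_user_safe(username)


def render_greeting(username: str) -> str:
    """Output encoding for an HTML context: escape before interpolating."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    print(lookup_user("alice"))
    print(render_greeting("<b>alice</b>"))
```

The parameterized version returns nothing for a value containing quote characters because SQLite compares the whole string literally; the concatenated version hands the same characters to the SQL parser, which is exactly the failure mode the checklist's "never concatenate user input into SQL" rule prevents.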

OWASP Top 10 (2025)

  1. Broken Access Control - Authorization failures, privilege escalation
  2. Cryptographic Failures - Weak encryption, exposed secrets
  3. Injection - SQL, NoSQL, command, LDAP injection
  4. Insecure Design - Missing security controls in architecture
  5. Security Misconfiguration - Default configs, unnecessary features enabled
  6. Vulnerable Components - Outdated dependencies with known CVEs
  7. Authentication Failures - Weak passwords, broken session management
  8. Software/Data Integrity - Unsigned updates, insecure CI/CD
  9. Logging/Monitoring Failures - Missing audit logs, delayed detection
  10. Server-Side Request Forgery (SSRF) - Unvalidated URLs, internal network access

Security Checklist

Before Production:

  • All user input validated and sanitized
  • SQL queries use parameterized statements
  • Passwords hashed with bcrypt/Argon2
  • Secrets in environment variables or vault
  • HTTPS enforced with HSTS
  • Security headers configured
  • Authentication and authorization implemented
  • Rate limiting on authentication endpoints
  • CORS configured restrictively
  • Dependencies scanned for vulnerabilities
  • Sensitive data encrypted at rest
  • Security audit logs enabled
  • Error messages don't leak sensitive info
  • File uploads validated and scanned
  • API endpoints have input size limits
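Several checklist items (HSTS, security headers, input size limits, error messages that do not leak) can be enforced at one choke point. The following WSGI middleware is an added example written for this page, not code from the skill; it assumes a 64 KiB body limit and the header values shown, both of which are choices, not requirements from the page. The `demo_app` and the `call` harness are constructed so the block runs without a server.

```python
import json
import sys
from io import BytesIO

MAX_BODY_BYTES = 64 * 1024  # assumed per-endpoint input size limit

# Checklist headers: HSTS plus common browser hardening headers (assumed values).
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Referrer-Policy", "no-referrer"),
]


class SecurityMiddleware:
    """WSGI wrapper: body size limit, generic error responses, headers on every reply."""

    def __init__(self, app, max_body=MAX_BODY_BYTES):
        self.app = app
        self.max_body = max_body

    def __call__(self, environ, start_response):
        def secured_start(status, headers, exc_info=None):
            # Replace any conflicting header the inner app set, then append ours.
            ours = {name.lower() for name, _ in SECURITY_HEADERS}
            headers = [(n, v) for n, v in headers if n.lower() not in ours]
            return start_response(status, headers + SECURITY_HEADERS, exc_info)

        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = -1  # malformed header: treat as rejectable
        if length < 0 or length > self.max_body:
            secured_start("413 Payload Too Large", [("Content-Type", "application/json")])
            return [b'{"error":"request body too large"}']
        try:
            return self.app(environ, secured_start)
        except Exception:
            # Real code logs the traceback server-side; the client only sees a generic body.
            secured_start("500 Internal Server Error",
                          [("Content-Type", "application/json")], sys.exc_info())
            return [b'{"error":"internal error"}']


def demo_app(environ, start_response):
    """Constructed inner app: echoes the body length; raises on /boom."""
    if environ.get("PATH_INFO") == "/boom":
        raise RuntimeError("db password is hunter2")  # constructed; would leak if surfaced
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"received": len(body)}).encode()]


def call(app, path="/", body=b""):
    """Invoke a WSGI app in-process; return (status, headers dict, body bytes)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


app = SecurityMiddleware(demo_app)

if __name__ == "__main__":
    print(call(app, body=b'{"a":1}'))
    print(call(app, path="/boom"))
```

Putting the headers in the middleware rather than in each handler means a new endpoint cannot forget them; the size check runs before the body is read, so an oversized request costs no parsing work.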

Resources

Security Standards:

Tools:

  • Dependency Scanning: Snyk, Dependabot, OWASP Dependency-Check
  • SAST: SonarQube, CodeQL, Semgrep
  • DAST: OWASP ZAP, Burp Suite
  • Secrets Scanning: GitGuardian, TruffleHog, git-secrets

See Also: Skills.md, AGENTS.md

Last Updated: January 27, 2026

Scripts

| Script | Purpose | Usage |
| --- | --- | --- |
| scan-secrets.ps1 | Scan repo for hardcoded secrets, API keys, credentials | ./scripts/scan-secrets.ps1 [-Path ./src] |
| scan-secrets.sh | Cross-platform secrets scanner (bash) | ./scripts/scan-secrets.sh --path ./src |
| scan-security.ps1 | Scan dependencies for known vulnerabilities | ./scripts/scan-security.ps1 [-FailOn critical] |
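The page ships `scan-secrets.ps1` / `scan-secrets.sh` but not their logic. The following is an added example of what such a scanner does, written for this page and not the project's own script: pattern rules for well-known secret shapes, a generic `password = "..."` rule, and an entropy plus placeholder filter to cut false positives. The rules, the `# allowlist-secret` suppression marker and the sample file are all constructed here; the AWS key in the sample is the one AWS uses in its own documentation, not a live credential.

```python
import math
import os
import re
from collections import Counter

# Rule set (constructed). The AWS access-key shape is AWS's published format;
# the generic rule matches `password = "..."`-style literals in any language.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "xxxxxxxx"}
ENTROPY_FLOOR = 3.0          # assumed: literals below this are treated as placeholders
SUPPRESS_MARKER = "# allowlist-secret"  # assumed inline suppression comment
SCAN_EXTENSIONS = {".py", ".js", ".ts", ".cs", ".json", ".yml", ".yaml", ".env", ".sh", ".ps1"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    return (value.lower() in PLACEHOLDERS
            or value.startswith("${")          # template / env reference
            or shannon_entropy(value) < ENTROPY_FLOOR)


def scan_text(text: str, path: str = "<memory>") -> list:
    """Return findings as (path, line_no, rule, redacted_prefix) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if rule == "generic_assignment" else m.group(0)
                if rule == "generic_assignment" and looks_like_placeholder(value):
                    continue
                # Never echo the full secret into scanner output or CI logs.
                findings.append((path, line_no, rule, value[:4] + "..."))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory (skipping .git) and scan files with a scannable extension."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if os.path.splitext(name)[1] in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), full))
    return findings


# Constructed sample source file used to exercise the rules.
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # read from the environment: no finding
aws_key = "AKIAIOSFODNN7EXAMPLE"           # AWS documentation example value
api_key = "s3cr3tP@ssw0rd!x9Q"             # constructed high-entropy literal
password = "changeme"                     # placeholder: no finding
token = "${VAULT_TOKEN}"                   # template reference: no finding
legacy = "AKIAIOSFODNN7EXAMPLE"  # allowlist-secret
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.py"):
        print(finding)
```

Running it over a real tree is `scan_tree("./src")`; wire the non-empty result to a non-zero exit in CI, as the page's `-FailOn` flag suggests for the dependency scanner.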

Troubleshooting

| Issue | Solution |
| --- | --- |
| SQL injection detected | Use parameterized queries, never concatenate user input into SQL |
| JWT token expired errors | Implement token refresh flow, check clock skew between services |
| Secrets exposed in logs | Use structured logging with secret redaction, never log request bodies with credentials |

References