Security Domain Analysis

Analyze the codebase for security vulnerabilities, authentication flaws, and sensitive data exposure.

Checks

  • Authentication: Can users access endpoints or data without logging in?
  • Authorization: Can users access other users' data (IDOR)? Check for ownership checks on resources.
  • Data Protection: Are there hardcoded secrets (API keys, passwords, database URLs) in the code? Are user passwords hashed?
  • Input Validation: Are user-supplied inputs validated on the server side before use?
  • Injection Attacks: Look for SQL injection, XSS, and command injection patterns.
  • Rate Limiting: Is there protection against brute force or DoS attacks?
  • CORS: Are cross-origin requests properly restricted?
  • Supabase Specific: Are RLS (Row Level Security) policies enabled and correctly configured for all tables?

Finding Examples

  • SEC-001: API endpoint lacks authentication.
  • SEC-002: Hardcoded API key in config file.
  • SEC-003: Missing Row Level Security (RLS) on public table.
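As an added example (not part of the AgentSkillsCN skill or of any project it describes), the Python script below turns two of the checklist items above into automated checks and reports them with the SEC-002 and SEC-003 identifiers from the finding examples: hardcoded credentials in source and configuration files, and Supabase migrations that create a table without enabling Row Level Security. The regular expressions, the file layout and the sample file contents are constructed assumptions for this example; the authentication, IDOR, validation, rate-limiting and CORS items still require manual review of the request handlers, which this script does not attempt.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # SEC-00x identifier from the checklist
    path: str
    line: int
    detail: str


# Quoted literal assigned to a name that suggests a credential, e.g.
#   const STRIPE_API_KEY = "sk_test_..."   or   api_key: "..."
# Hypothetical heuristic: keyword list and 8-char minimum are our own choice.
SECRET_NAME = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:api[_-]?key|secret|password|passwd|token|service[_-]?role)"
    r"[A-Z0-9_]*)['\"]?\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
# Values that are clearly templates rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{|<|change[_-]?me|your[_-]|xxx)")
# Connection strings carrying inline credentials: scheme://user:pass@host
DB_URL = re.compile(r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:[^@\s]+@")

# Supabase-style SQL migrations (assumed layout): a table is a finding unless an
# ALTER TABLE ... ENABLE ROW LEVEL SECURITY for it appears in the same file.
CREATE_TABLE = re.compile(r'(?i)\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?"?(\w+)"?')
ENABLE_RLS = re.compile(
    r'(?i)\balter\s+table\s+(?:only\s+)?(?:public\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security'
)


def scan_secrets(path: str, text: str) -> list:
    """SEC-002: hardcoded API keys, passwords and database URLs with credentials."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_NAME.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append(Finding("SEC-002", path, n, f"hardcoded value assigned to {m.group(1)}"))
        elif DB_URL.search(line):
            findings.append(Finding("SEC-002", path, n, "database URL with embedded credentials"))
    return findings


def scan_rls(path: str, sql: str) -> list:
    """SEC-003: tables created in a migration without RLS enabled."""
    created = {}  # table name -> line of its CREATE TABLE
    for n, line in enumerate(sql.splitlines(), 1):
        m = CREATE_TABLE.search(line)
        if m:
            created.setdefault(m.group(1).lower(), n)
    enabled = {m.group(1).lower() for m in ENABLE_RLS.finditer(sql)}
    return [
        Finding("SEC-003", path, n, f"table {t} has no ENABLE ROW LEVEL SECURITY")
        for t, n in sorted(created.items(), key=lambda kv: kv[1])
        if t not in enabled
    ]


def scan_repo(files: dict) -> list:
    """Run every applicable check over {path: contents}; SQL files get both checks."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_secrets(path, text))
        if path.lower().endswith(".sql"):
            findings.extend(scan_rls(path, text))
    return findings


def format_report(findings: list) -> list:
    """One line per finding, in the 'SEC-00x: ...' style of the checklist."""
    return [f"{f.rule}: {f.path}:{f.line} {f.detail}" for f in findings]


# Constructed sample "repository": two files with one clean and two bad lines,
# and a migration that enables RLS on one of its two tables.
SAMPLE_FILES = {
    "src/config.js": (
        'const STRIPE_API_KEY = "sk_test_1234567890abcdef";  // constructed sample\n'
        "const supabaseKey = process.env.SUPABASE_ANON_KEY;  // read from env: fine\n"
        'const DATABASE_URL = "postgres://app:s3cretpw@db.internal:5432/app";\n'
    ),
    "supabase/migrations/001_init.sql": (
        "create table profiles (id uuid primary key, user_id uuid, bio text);\n"
        "create table public.orders (id bigint primary key, user_id uuid, total numeric);\n"
        "alter table profiles enable row level security;\n"
        'create policy "own profile" on profiles for select using (auth.uid() = user_id);\n'
    ),
}

if __name__ == "__main__":
    for line in format_report(scan_repo(SAMPLE_FILES)):
        print(line)
```

Run on the constructed sample, the report lists the Stripe key and the credentialed database URL as SEC-002 and the `orders` table as SEC-003, while the environment-variable lookup and the RLS-protected `profiles` table produce nothing. Findings from a heuristic like this are candidates for review, not confirmed vulnerabilities: a flagged literal may be a test fixture, and a table may have RLS enabled in a later migration file, so a real run should concatenate all migrations before calling `scan_rls`.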