AgentSkillsCN

security-audit

Use this skill when the user asks for a "security audit", "vulnerability detection", "authentication review", "prevent IDOR", "customer data protection", "webhook verification", "HMAC check", or any other security-related review work. It provides security patterns and best practices for authentication, authorization, IDOR prevention, PII protection, and webhook verification.

SKILL.md
---
name: security-audit
description: Use this skill when the user asks to "audit security", "check for vulnerabilities", "review authentication", "prevent IDOR", "protect customer data", "verify webhooks", "check HMAC", or any security-related review work. Provides security patterns for authentication, authorization, IDOR prevention, PII protection, and webhook verification.
---

Security Patterns (packages/functions)

For API design patterns, see api-design skill

Quick Reference

| Topic | Reference File |
|---|---|
| Ownership Checks, Audit Commands | references/idor-prevention.md |
| Webhook HMAC, Popup Signatures | references/hmac-verification.md |
| Endpoint Types, Session Handling | references/authentication.md |

Critical Vulnerabilities

| Vulnerability | Risk | Example |
|---|---|---|
| IDOR | High | User A accesses User B's data via /api/customer/123 |
| Unauthenticated PII | Critical | Returning email in public API response |
| Missing Auth | Critical | /popup/* endpoints without authentication |
| Shop Isolation | Critical | Shop A accessing Shop B's data |

PII Protection

Classification

| Data Type | Classification | Public Endpoint? |
|---|---|---|
| Email, Phone, Address | PII | Never |
| Date of Birth | PII | Never |
| Payment Info | Sensitive PII | Never |
| First Name | Low Risk | With signature |
| Points, Tier | Non-PII | With signature |

Secure Response

```javascript
// Only return non-sensitive data
ctx.body = {
  firstName: customer.firstName,
  points: customer.points,
  tier: customer.tier
  // Never: email, phone, address
};
```

Input Validation

```javascript
async function updateCustomer(ctx) {
  const shopId = getCurrentShop(ctx);              // From session, never from params
  const {customerId} = ctx.params;
  const {firstName, lastName} = ctx.request.body || {};  // Whitelist fields; tolerate empty body

  const customer = await customerRepo.getById(customerId);
  // Guard the missing-record case too: without it a bad ID throws a TypeError
  // instead of being rejected. Unknown and foreign-shop IDs get the same answer.
  if (!customer || customer.shopId !== shopId) {
    ctx.status = 403;
    return;
  }

  await customerRepo.update(customerId, {
    firstName: firstName?.trim().slice(0, 50),
    lastName: lastName?.trim().slice(0, 50)
  });
}
```
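The ownership check and the response whitelist above are the two controls that stop the IDOR, shop-isolation and unauthenticated-PII rows in the vulnerability table. The following is an added example, not code from the skill itself: it factors those controls into reusable functions and runs them against a constructed in-memory repository. The repository shape, `getCurrentShop` reading `ctx.state.shopId`, and the synchronous repository (for ease of testing without a server) are assumptions.

```javascript
// Added example, not part of the skill's own code. Repository shape,
// getCurrentShop and the ctx fields are assumptions.

// Fields a public endpoint may return (see the PII classification table).
// Never email, phone, address, date of birth or payment data.
const PUBLIC_FIELDS = ['firstName', 'points', 'tier'];

// Whitelist, not blacklist: columns added to the customer record later
// cannot leak by accident.
function pickPublic(customer) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (customer[field] !== undefined) out[field] = customer[field];
  }
  return out;
}

// Ownership check against the shop from the session, never from the URL.
// "Not found" and "belongs to another shop" return the same result so the
// response does not reveal whether the ID exists (no ID enumeration).
function loadOwnedCustomer(repo, shopId, customerId) {
  const customer = repo.getById(customerId);
  if (!customer || customer.shopId !== shopId) return null;
  return customer;
}

// Constructed sample data: two shops, one customer each.
const sampleRepo = {
  records: new Map([
    [123, {id: 123, shopId: 'shop-a', firstName: 'Ada', email: 'ada@example.com', points: 40, tier: 'gold'}],
    [456, {id: 456, shopId: 'shop-b', firstName: 'Bob', email: 'bob@example.com', points: 5, tier: 'bronze'}],
  ]),
  getById(id) { return this.records.get(Number(id)) || null; },
};

// Assumed: session middleware stored the caller's shop in ctx.state.shopId.
function getCurrentShop(ctx) {
  return ctx.state.shopId;
}

// Koa-style handler for GET /api/customer/:customerId. Returns ctx so the
// result can be inspected directly.
function getCustomer(ctx, repo = sampleRepo) {
  const shopId = getCurrentShop(ctx);            // never ctx.params.shopId
  const customer = loadOwnedCustomer(repo, shopId, ctx.params.customerId);
  if (!customer) {
    ctx.status = 404;
    ctx.body = {error: 'not found'};
    return ctx;
  }
  ctx.status = 200;
  ctx.body = pickPublic(customer);               // never the full record
  return ctx;
}

// Minimal ctx factory for exercising the handler without a server.
function makeCtx(shopId, customerId) {
  return {state: {shopId}, params: {customerId: String(customerId)}, status: 0, body: undefined};
}
```

With this in place, `getCustomer(makeCtx('shop-a', 456))` (Shop A asking for Shop B's customer) and `getCustomer(makeCtx('shop-a', 999))` (a non-existent ID) produce byte-identical 404 responses, and a successful read never carries the email field.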

Best Practices

| Do | Don't |
|---|---|
| Get shopId from getCurrentShop(ctx) | Use ctx.params.shopId |
| Scope all queries by shopId | Query without shop filter |
| Whitelist response fields | Return full objects |
| Verify HMAC on webhooks | Trust headers blindly |
| Validate and sanitize inputs | Use ctx.request.body directly |
| Use crypto.timingSafeEqual | Compare strings with === |

Security Checklist

```
Authentication:
- Sensitive endpoints require auth
- Shop ID from session, not params
- Customer ID verified against token

Authorization:
- Users access only their data
- Shop isolation verified
- No IDOR vulnerabilities

Data Protection:
- No PII in unauthenticated responses
- Response fields whitelisted
- Inputs validated and sanitized

Webhooks:
- HMAC verification on all webhooks
- Timestamp validation
- No bypass headers
```