AgentSkillsCN

security-review

Security review knowledge base. OWASP Top 10 review using Codex MCP, plus a dependency security audit.

SKILL.md
---
name: security-review
description: Security review knowledge base. OWASP Top 10 review using Codex MCP, dependency security audit.
allowed-tools: mcp__codex__codex, mcp__codex__codex-reply, Bash(git:*), Read, Grep, Glob
context: fork
agent: Explore
---

Security Review Skill

Trigger

  • Keywords: security review, OWASP, vulnerability, dep-audit, npm audit, dependency security

When NOT to Use

  • General code review (use codex-code-review)
  • Functional testing (use test-review)
  • Performance issues (not security-related)

Commands

| Command | Purpose | When |
|---|---|---|
| /codex-security | OWASP Top 10 audit | Security-sensitive code |
| /dep-audit | Dependency security audit | Periodic / PR |

Workflow: /codex-security

```
Determine scope → Collect changes → Codex OWASP review → Findings + Gate → Loop if Must fix
```

Step 1: Determine Scope

Parse `--scope` from the arguments; default to `src/`.

Step 2: Collect Code Changes

Priority order:

  1. Uncommitted changes: `git diff HEAD -- <scope> | head -1500`
  2. Recent commits: `git diff HEAD~5..HEAD -- <scope> | head -1500`
  3. Key security files: `Glob("**/*{auth,login,password,token,secret,key,credential}*")`

Step 3: Codex Security Review

First review: `mcp__codex__codex` with the OWASP prompt. See @references/codex-prompt-security.md.

Config: `sandbox: 'read-only'`, `approval-policy: 'never'`

Save the returned `threadId`.

Loop review: `mcp__codex__codex-reply` with the re-review template. See @references/codex-prompt-security.md.

Step 4: Consolidate Output

Organize results into findings summary table + detailed findings + gate.

OWASP Top 10

| Code | Category | Check Focus |
|---|---|---|
| A01 | Broken Access Control | IDOR, permission bypass, CORS |
| A02 | Cryptographic Failures | Sensitive data encryption, weak crypto |
| A03 | Injection | SQL/NoSQL/command injection |
| A04 | Insecure Design | Rate limiting, business logic |
| A05 | Security Misconfiguration | Debug mode, default passwords |
| A06 | Vulnerable Components | Known vulnerable dependencies |
| A07 | Authentication Failures | Brute force, session handling, weak passwords |
| A08 | Integrity Failures | Deserialization, CI/CD |
| A09 | Logging Failures | Sensitive data in logs, auditing |
| A10 | SSRF | URL validation, internal network access |

Review Loop

⚠️ @CLAUDE.md auto-loop: fix → re-review → ... → ✅ PASS ⚠️

⛔ Must fix → fix P0 issues → `/codex-security --continue <threadId>` → repeat until ✅ Mergeable.

Max 3 rounds. Still failing → report blocker.

Verification

  • Each issue tagged with severity (P0/P1/P2)
  • Gate is explicit (✅ Mergeable / ⛔ Must fix)
  • Fix recommendations are specific and actionable
  • Includes verification test method
  • Codex independently researched auth/input/sensitive code

References

  • OWASP prompt: references/codex-prompt-security.md
  • Examples: references/examples.md
  • Standards: @rules/security.md

Examples

```
Input: /codex-security --scope src/controller/
Action: OWASP Top 10 check → output issues + Gate

Input: /dep-audit --level high
Action: npm audit → filter high/critical → output report
```
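The `/dep-audit` action above (`npm audit` → filter high/critical → output report), as an added example that is not part of the skill's own code: it parses a constructed `npm audit --json` report (assuming the report v2 layout with a `vulnerabilities` map keyed by package name), keeps findings at or above the requested `--level`, and renders the summary table with the ✅ Mergeable / ⛔ Must fix gate.

```python
"""Filter an `npm audit --json` report by severity and emit the merge gate."""
import json

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]  # npm's ladder

# Constructed sample in the npm audit report v2 shape (assumed layout: a
# "vulnerabilities" map keyed by package name); not a real audit result.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "example-parser": {"severity": "critical", "isDirect": True, "range": "<2.0.0",
                       "via": [{"title": "Prototype pollution", "severity": "critical"}],
                       "fixAvailable": {"name": "example-parser", "version": "2.0.1"}},
    "example-logger": {"severity": "high", "isDirect": False, "range": "<1.4.2",
                       "via": [{"title": "ReDoS in format string", "severity": "high"}],
                       "fixAvailable": False},
    "example-utils": {"severity": "moderate", "isDirect": True, "range": "*",
                      "via": ["example-logger"],  # string = inherited via that package
                      "fixAvailable": False},
}})

def filter_findings(audit_json: str, level: str = "high") -> list:
    """Return vulnerabilities at or above `level`, most severe first."""
    threshold = SEVERITY_ORDER.index(level)
    findings = []
    for name, vuln in json.loads(audit_json).get("vulnerabilities", {}).items():
        if SEVERITY_ORDER.index(vuln["severity"]) < threshold:
            continue
        # Only dict entries in "via" are advisories; strings name a dependency.
        titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({"package": name, "severity": vuln["severity"],
                         "direct": vuln.get("isDirect", False), "range": vuln.get("range", ""),
                         "titles": titles, "fix_available": bool(vuln.get("fixAvailable"))})
    findings.sort(key=lambda f: -SEVERITY_ORDER.index(f["severity"]))
    return findings

def gate(findings: list) -> str:
    """Any finding at or above the requested level blocks the merge."""
    return "⛔ Must fix" if findings else "✅ Mergeable"

def render_report(audit_json: str, level: str = "high") -> str:
    """Summary table plus gate line, the shape the skill's output uses."""
    findings = filter_findings(audit_json, level)
    rows = ["| Package | Severity | Direct | Range | Fix | Advisory |", "|---|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['package']} | {f['severity']} | {'yes' if f['direct'] else 'no'} | "
                    f"{f['range']} | {'yes' if f['fix_available'] else 'no'} | {'; '.join(f['titles'])} |")
    return "\n".join(rows + ["", f"Gate: {gate(findings)}"])

if __name__ == "__main__":
    print(render_report(SAMPLE_AUDIT, "high"))
```

Feed it real output with `npm audit --json > audit.json` and pass the file contents to `render_report`; a non-empty finding list at the chosen level is what turns the gate to ⛔ Must fix.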