Security Auditor

Perform a security audit of the code, identifying vulnerabilities and security issues.

Security Checklist

1. Input Validation

  • All user inputs are validated
  • SQL injection prevention (parameterized queries)
  • Command injection prevention
  • Path traversal prevention
  • XSS prevention in web outputs
  • File upload validation
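As an added example (not part of this skill file), the following Python shows the "before" and "after" an auditor should be able to point at for two of the items above: a query built by string formatting beside its parameterized form, and a path-containment check for user-supplied file names. The in-memory SQLite table, the base directory `/srv/uploads` and the function names are constructed for the demonstration.

```python
import sqlite3
from pathlib import Path
from typing import Optional

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern an auditor reports as Critical: untrusted input is spliced
    into SQL text, so a quote character in `name` changes the query structure."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Recommended fix: a parameterized query. The driver binds `name` as a
    value, so its contents are never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def resolve_upload_path(base_dir: str, user_filename: str) -> Optional[Path]:
    """Path traversal check: normalize the candidate to an absolute path and
    require it to sit strictly inside base_dir. Returns None when rejected.
    Handles '../' sequences and absolute paths supplied by the client."""
    base = Path(base_dir).resolve()
    candidate = (base / user_filename).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate

if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"   # constructed tautology input used to confirm the finding
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no such user: []
    print(resolve_upload_path("/srv/uploads", "report.pdf"))
    print(resolve_upload_path("/srv/uploads", "../etc/passwd"))
```

The probe string is what turns a suspected injection into a confirmed Critical finding during review: the unsafe function returns every row, the parameterized one returns nothing because the whole string is matched as a literal name. The path check compares resolved paths rather than inspecting the string for `..`, which is why it also rejects absolute paths and symlink tricks that a substring filter would miss.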

2. Authentication & Authorization

  • Password storage (hashing, salting)
  • Session management
  • Token validation (JWT, API keys)
  • Access control checks
  • Privilege escalation prevention

3. Data Protection

  • Sensitive data encryption at rest
  • TLS/SSL for data in transit
  • Secrets not hardcoded
  • API keys and credentials loaded from environment variables
  • Proper data sanitization

4. Error Handling

  • No sensitive info in error messages
  • No stack traces to users
  • Proper logging without sensitive data
  • Graceful degradation

5. Dependencies

  • Known vulnerable dependencies
  • Outdated packages
  • Unnecessary dependencies

6. Code-Specific Issues

  • Go: goroutine leaks, race conditions, unsafe pointer usage
  • Java: deserialization, XXE, SSRF
  • C++: buffer overflows, use-after-free, memory leaks

7. API Security

  • Rate limiting
  • CORS configuration
  • API authentication
  • Request size limits

8. Business Logic

  • Race conditions
  • TOCTOU issues
  • Integer overflow
  • Logic flaws

Output Format

List findings by severity:

  • Critical: Immediate security risk
  • High: Significant vulnerability
  • Medium: Potential issue
  • Low: Best practice recommendation

For each finding:

  1. Location (file:line)
  2. Description of the vulnerability
  3. Potential impact
  4. Recommended fix with code example
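To make the output format concrete, here is an added Python example (not part of this skill file) that runs two illustrative line-based rules, tied to checklist items 3 and 4, over constructed source files and renders findings in the severity order and four-field layout specified above. The rule patterns, the `Rule`/`Finding` types and the sample files are this example's own; the credential value is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    severity: str
    description: str
    impact: str
    fix: str

@dataclass
class Finding:
    severity: str
    location: str      # file:line, as the output format requires
    description: str
    impact: str
    fix: str

# Two illustrative rules (assumed patterns for the example, not an exhaustive scanner).
RULES = [
    Rule(
        "hardcoded-secret",
        re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'][^"']{8,}["']"""),
        "Critical",
        "Credential hardcoded in source",
        "Anyone with repository or build-artifact access can use the credential; rotating it requires a code change",
        'Load the value at runtime, e.g. api_key = os.environ["API_KEY"], and rotate the exposed credential',
    ),
    Rule(
        "stack-trace-exposure",
        re.compile(r"format_exc\(\)|printStackTrace\("),
        "Medium",
        "Stack trace rendered to the user",
        "Reveals file paths, library versions and internal logic to anyone who triggers an error",
        "Log the traceback server-side and return a generic error message with HTTP 500",
    ),
]

def audit(sources: Dict[str, List[str]], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule over every line; return findings sorted by severity,
    then by location, so the report reads Critical first."""
    findings = []
    for filename, lines in sources.items():
        for lineno, line in enumerate(lines, start=1):
            for rule in rules:
                if rule.pattern.search(line):
                    findings.append(Finding(rule.severity, f"{filename}:{lineno}",
                                            rule.description, rule.impact, rule.fix))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.location))

def render_report(findings: List[Finding]) -> str:
    """Emit the four numbered fields the skill asks for under each finding."""
    out = []
    for f in findings:
        out.append(f"[{f.severity}]")
        out.append(f"  1. Location: {f.location}")
        out.append(f"  2. Description: {f.description}")
        out.append(f"  3. Impact: {f.impact}")
        out.append(f"  4. Fix: {f.fix}")
        out.append("")
    return "\n".join(out)

# Constructed sample sources; the key value is a placeholder, not a real credential.
SAMPLE_SOURCE = {
    "config.py": [
        'API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0123456789"',
        'DB_PASSWORD = os.environ["DB_PASSWORD"]',
        "TIMEOUT = 30",
    ],
    "handlers.py": [
        "def login(user, password):",
        '    token = "constructed-session-token-value"',
        "    return render(traceback.format_exc())",
    ],
}

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_SOURCE)))
```

Note what the sample deliberately includes: `DB_PASSWORD = os.environ[...]` is the recommended pattern and produces no finding, and the `password` parameter in `def login` is a name, not a value, so it is not flagged either. A rule that fired on both would bury the real Critical items under noise, which is the failure mode severity ordering is meant to prevent.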