AgentSkillsCN

security-review

Perform security-focused code review.

SKILL.md
--- frontmatter
name: security-review
description: Perform security-focused code review

Security Review

Overview

Dispatch the security-reviewer agent to perform security-focused code review. The agent identifies vulnerabilities in authentication, input validation, data exposure, secrets management, and OWASP Top 10 categories.

When to Use

  • When reviewing authentication or authorization code
  • When handling payment or sensitive data processing
  • When implementing API endpoints
  • When reviewing user input handling
  • For security audit before release
  • With "all" for comprehensive security audit

Invocation Modes

Default: /security-review

Reviews recent code changes for security vulnerabilities.

code
Task tool with subagent_type="security-reviewer"
prompt: "Review recent code changes for security vulnerabilities.
Focus on: auth, input validation, data exposure, secrets, OWASP Top 10.
Report findings with severity, location, and remediation."

Scoped: /security-review <path>

Reviews specific files or modules for security issues.

code
Task tool with subagent_type="security-reviewer"
prompt: "Perform security review of: [path]
Focus on: auth, input validation, data exposure, secrets, OWASP Top 10.
Report findings with severity, location, and remediation."

Scope examples:

  • /security-review src/auth - review authentication module
  • /security-review api/handlers - review API endpoints
  • /security-review lib/payment.ts - review specific file
  • /security-review controllers/ - review all controllers

Comprehensive: /security-review all

Full security audit of the entire codebase.

CRITICAL: Do not skip any area. Continue until ALL code is reviewed.

Execution Flow

  1. Map attack surface - Identify all entry points and data flows
  2. Create TodoWrite plan - One todo item per security area
  3. Process sequentially - Review each area thoroughly
  4. Mark progress - Update todos as each section completes

13 Security Areas to Review

| # | Area | What to Check |
|---|------|---------------|
| 1 | Authentication | Login, session, password, MFA, JWT |
| 2 | Input Validation | Injection (SQL, XSS, command, path, XXE, LDAP, template) |
| 3 | Data Exposure | PII, logs, error messages, debug info, stack traces |
| 4 | Secrets | Hardcoded credentials, API keys, tokens, version control |
| 5 | OWASP Top 10 | A01-A10 (2021) with cross-references to other areas |
| 6 | API Security | Rate limiting, mass assignment, GraphQL, CORS, OAuth/OIDC |
| 7 | File Upload | Type validation, size limits, malicious content, polyglots |
| 8 | Cryptography | Hashing, salts, key derivation, weak ciphers, TLS, timing |
| 9 | Business Logic | Race conditions, workflow bypass, integer overflow, replay |
| 10 | Client-Side | localStorage tokens, postMessage, clickjacking, prototype pollution |
| 11 | HTTP Headers/Cookies | CSP, HSTS, X-Frame-Options, Secure/HttpOnly/SameSite |
| 12 | Dependencies | CVEs, outdated packages, supply chain, transitive deps |
| 13 | Modern Attacks | Prototype pollution, ReDoS, smuggling, WebSocket, SSRF, deserialization |

What the Agent Does

  • Maps entry points and data flows across 13 security focus areas
  • Identifies vulnerable code patterns (general + language-specific for Python/Go)
  • Checks expanded OWASP Top 10 with cross-references to 8 additional security areas
  • Covers modern attack vectors (prototype pollution, ReDoS, request smuggling, WebSocket, SSRF)
  • Rates severity (CRITICAL/HIGH/MEDIUM/LOW)
  • Provides specific remediation with secure code examples

Severity Levels

| Level | Description |
|-------|-------------|
| CRITICAL | RCE, auth bypass, data breach potential |
| HIGH | Significant data exposure, privilege escalation |
| MEDIUM | Limited impact vulnerabilities |
| LOW | Minor issues, defense in depth |

Output Format

The agent produces a security report with:

markdown
## Security Review Report

### Executive Summary
[X critical, Y high, Z medium findings]

### Findings

#### [SEVERITY] Finding Title
- **Location**: file:line
- **Type**: Vulnerability type
- **Issue**: Description
- **Remediation**: How to fix (with code)

### Summary Table
| Severity | Count |
|----------|-------|
| Critical | X |
| High | Y |
| Medium | Z |
| Low | W |
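
A report in this format can be checked mechanically before its counts are trusted. The Python below is an added example, not part of the skill or its agent: it parses the finding blocks and Summary Table shown above, flags findings that lack a required field, and flags a table that disagrees with the report body. The `check_report` name, the `BLOCKING` gate policy and the sample report are assumptions constructed for illustration.

```python
import re
from collections import Counter
LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")          # the page's severity levels
FIELDS = ("Location", "Type", "Issue", "Remediation")   # bullets under each finding
BLOCKING = {"CRITICAL", "HIGH"}    # assumption: gate policy chosen for this example
HEADING = re.compile(r"^#### \[(\w+)\] (.+)$")
BULLET = re.compile(r"^- \*\*(\w+)\*\*: *(.*)$")
ROW = re.compile(r"^\| *(Critical|High|Medium|Low) *\| *(\d+) *\|$")

def check_report(text):
    """Return a list of problems; an empty list means the report passes."""
    findings, declared, cur = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HEADING.match(line):
            findings.append(cur := {"severity": m[1].upper(), "title": m[2]})
        elif line.startswith("#"):
            cur = None                       # any other heading closes the finding
        elif cur is not None and (m := BULLET.match(line)):
            cur[m[1]] = m[2]
        elif m := ROW.match(line):
            declared[m[1].upper()] = int(m[2])
    problems = []
    for f in findings:
        if f["severity"] not in LEVELS or f["severity"] in BLOCKING:
            problems.append(f"blocking or unknown severity {f['severity']}: {f['title']}")
        if missing := [k for k in FIELDS if not f.get(k)]:
            problems.append(f"{f['title']}: missing {', '.join(missing)}")
    counted = Counter(f["severity"] for f in findings)
    for level in LEVELS:                     # body and Summary Table must agree
        if declared.get(level) != counted[level]:
            problems.append(f"{level}: table {declared.get(level)}, body {counted[level]}")
    return problems

# Constructed sample: one incomplete finding and a table that overcounts HIGH.
SAMPLE = """\
#### [HIGH] SQL built by string concatenation
- **Location**: api/handlers/search.py:42
- **Type**: Injection
- **Issue**: Query text includes the raw q parameter
- **Remediation**: Use a parameterized query
#### [LOW] Missing HSTS header
- **Location**: server/config.py:10
- **Issue**: No Strict-Transport-Security header is set
### Summary Table
| Critical | 0 |
| High | 2 |
| Medium | 0 |
| Low | 1 |
"""
```

Calling `check_report(SAMPLE)` returns three problems: the blocking HIGH finding, the LOW finding's missing Type and Remediation fields, and the HIGH count mismatch.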

Examples

Review recent changes:

code
/security-review
→ Checks recent commits for security issues

Review specific module:

code
/security-review src/auth
→ Deep security review of authentication code

Full security audit:

code
/security-review all
→ Comprehensive audit with TodoWrite planning

OWASP Top 10 Coverage

The agent checks all OWASP 2021 categories with cross-references to expanded areas:

| OWASP Risk | Expanded Coverage |
|------------|-------------------|
| A01: Broken Access Control | §1 Authentication, §6 API Security, §9 Business Logic |
| A02: Cryptographic Failures | §3 Data Exposure, §8 Cryptography |
| A03: Injection | §2 Input Validation, §13 Modern Attack Vectors |
| A04: Insecure Design | §9 Business Logic, §10 Client-Side Security |
| A05: Security Misconfiguration | §6 API Security, §11 HTTP Headers/Cookies |
| A06: Vulnerable Components | §12 Dependency Security |
| A07: Auth Failures | §1 Authentication, §6 API Security |
| A08: Integrity Failures | §12 Dependency Security, §13 Modern Attack Vectors |
| A09: Logging Failures | §3 Data Exposure |
| A10: SSRF | §13 Modern Attack Vectors |

Note: The agent extends the OWASP Top 10 with 8 additional security focus areas (§6-§13) covering API security, file uploads, cryptography, business logic, client-side security, HTTP headers, dependencies, and modern attack vectors.