AgentSkillsCN

owasp-privacy-top-10

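OWASP Serverless Top 10 security risks: prevention, detection, and remediation for serverless (Lambda, Functions) applications. Use when building and reviewing serverless applications: from event injection, over-privileged function permissions, and insecure dependencies, to secrets management, configuration hardening, and other serverless-specific security considerations from the Web Top 10.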

SKILL.md
--- frontmatter
name: owasp-privacy-top-10
description: "OWASP Top 10 Privacy Risks - prevention, detection, and remediation for privacy in web applications. Use when addressing app vulnerabilities, data leakage, breach response, consent, transparency, data deletion, data quality, session expiration, user access rights, excessive data collection."

OWASP Top 10 Privacy Risks

This skill encodes the OWASP Top 10 Privacy Risks for privacy-aware design and review. References are loaded per risk. Based on OWASP Top 10 Privacy Risks v2.0 2021.

When to Read Which Reference

| Risk | Read |
|------|------|
| P1 Web Application Vulnerabilities | references/p1-web-app-vulnerabilities.md |
| P2 Operator-sided Data Leakage | references/p2-operator-data-leakage.md |
| P3 Insufficient Data Breach Response | references/p3-breach-response.md |
| P4 Consent on Everything | references/p4-consent.md |
| P5 Non-transparent Policies | references/p5-non-transparent-policies.md |
| P6 Insufficient Deletion of User Data | references/p6-insufficient-deletion.md |
| P7 Insufficient Data Quality | references/p7-data-quality.md |
| P8 Missing or Insufficient Session Expiration | references/p8-session-expiration.md |
| P9 Inability to Access and Modify Data | references/p9-user-access-modify-data.md |
| P10 Excessive Data Collection | references/p10-excessive-collection.md |

Quick Patterns

  • Fix technical vulnerabilities that affect data; prevent operator leakage; have a breach response plan. Obtain valid consent; be transparent; support deletion, access, and portability; minimize collection; expire sessions.

Quick Reference / Examples

| Task | Approach |
|------|----------|
| Obtain valid consent | Explicit opt-in, granular choices, easy withdrawal. See P4. |
| Support data deletion | Implement "right to erasure" across all stores. See P6. |
| Provide data access | Export user data in portable format (JSON/CSV). See P9. |
| Minimize collection | Collect only what's necessary for the stated purpose. See P10. |
| Breach response | Have a documented plan, notify within required timeframes. See P3. |

Data deletion endpoint:

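```python
from fastapi import Depends, FastAPI, HTTPException

app = FastAPI()

# User, get_current_user (a hypothetical auth dependency) and the store
# clients below are application-specific and assumed to be defined elsewhere.
@app.delete("/api/users/{user_id}/data")
def delete_user_data(user_id: str, current_user: User = Depends(get_current_user)):
    # Users may only delete their own data
    if current_user.id != user_id:
        raise HTTPException(status_code=403)
    # Delete from all data stores
    UserDB.delete(user_id)
    AnalyticsDB.anonymize(user_id)
    SearchIndex.remove(user_id)
    BackupService.schedule_deletion(user_id)
    return {"status": "deletion_scheduled"}
```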

Consent collection (explicit opt-in):

```html
<!-- Require explicit action, no pre-checked boxes -->
<input type="checkbox" id="marketing" />
<label for="marketing">I agree to receive marketing emails</label>
<!-- Only enable submit when required consents are given -->
```
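A server-side counterpart to the checkbox, as an added example that is not part of the original skill: the server re-validates the submitted consents, grants nothing by default, keeps each purpose separate, and logs withdrawal. `ConsentLedger`, the purpose names and the policy version string are hypothetical, and the form is assumed to arrive as parsed JSON with boolean values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purpose names for this example; "terms" is the only required one.
REQUIRED = {"terms"}
OPTIONAL = {"marketing", "analytics"}


@dataclass
class ConsentLedger:
    """Append-only consent log: the latest event per (user, purpose) wins."""
    events: list = field(default_factory=list)

    def _log(self, user_id, purpose, granted, policy_version):
        self.events.append({
            "user_id": user_id, "purpose": purpose, "granted": granted,
            "policy_version": policy_version,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def record_signup(self, user_id, form, policy_version):
        """Validate the submitted form on the server; the client UI is not trusted."""
        unknown = set(form) - REQUIRED - OPTIONAL
        if unknown:
            raise ValueError(f"unknown consent purposes: {sorted(unknown)}")
        # Only a literal True counts as opt-in; a missing key or any other
        # value is treated as no consent, so nothing is granted by default.
        granted = {p: form.get(p) is True for p in REQUIRED | OPTIONAL}
        missing = sorted(p for p in REQUIRED if not granted[p])
        if missing:
            raise PermissionError(f"required consent not given: {missing}")
        for purpose, ok in sorted(granted.items()):
            self._log(user_id, purpose, ok, policy_version)
        return granted

    def withdraw(self, user_id, purpose):
        """Withdrawal is a single call and is logged, not erased, for audit."""
        if purpose not in REQUIRED | OPTIONAL:
            raise ValueError(f"unknown consent purpose: {purpose!r}")
        self._log(user_id, purpose, False, None)

    def has_consent(self, user_id, purpose):
        """Check before each processing step; the default is no consent."""
        for e in reversed(self.events):
            if e["user_id"] == user_id and e["purpose"] == purpose:
                return e["granted"]
        return False
```
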

Data export endpoint:

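```python
import json
from fastapi import Depends, HTTPException, Response

# get_current_user is a hypothetical auth dependency defined elsewhere.
@app.get("/api/users/{user_id}/export")
def export_user_data(user_id: str, current_user: User = Depends(get_current_user)):
    # Users may only export their own data (same check as the deletion endpoint)
    if current_user.id != user_id:
        raise HTTPException(status_code=403)
    data = collect_all_user_data(user_id)
    return Response(
        content=json.dumps(data, indent=2),
        media_type="application/json",
        headers={"Content-Disposition": f'attachment; filename="{user_id}_data.json"'},
    )
```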

Workflow

Load the reference for the risk you are addressing. See OWASP Top 10 Privacy Risks for the official list.