AgentSkillsCN

security-audit

Perform a comprehensive security audit of the codebase, focusing on OWASP Top 10 common vulnerabilities, AI-specific vulnerabilities, dependency issues, and configuration risks.

SKILL.md
---
name: security-audit
description: Perform a security audit of the codebase. Checks for OWASP Top 10, AI-specific vulnerabilities, dependency issues, and configuration problems.
argument-hint: "[scope: 'full', 'dependencies', 'ai-agents', or specific file paths]"
context: fork
agent: security
allowed-tools: Bash(pnpm audit*), Bash(grep *), Bash(git *)
---

Security Audit

Perform a security audit with the following scope:

$ARGUMENTS

Audit Methodology

1. Dependency Security

Check for known vulnerabilities in dependencies using the package manager's audit command.

2. Source Code Analysis

Scan for common vulnerability patterns:

  • Hardcoded secrets (API keys, passwords, tokens)
  • Command injection via string interpolation in shell/exec calls
  • XSS vectors in templates
  • Prompt injection in AI agent inputs
  • Insecure deserialization
  • Information disclosure in error messages

3. AI Agent Security

Review AI agent patterns and verify:

  • Input sanitization is applied before LLM processing
  • Output sanitization prevents data leakage
  • Tool calls are validated and scoped
  • Prompt injection defenses are in place

4. Configuration Security

  • No secrets in version control
  • Proper .gitignore coverage
  • CORS configuration
  • Environment variable handling

Output

Produce a security report with findings classified by severity:

  • 🔴 Critical / 🟠 High / 🟡 Medium / 🔵 Low

Each finding includes: location, vulnerability, impact, and remediation steps.
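As an added example (not the skill's own code, which drives grep and pnpm audit through the agent), the following Python scanner encodes a few of the patterns from steps 2 and 3 as regexes, runs them over constructed sample sources, and emits findings in the shape the Output section asks for. The rule set, the file names and the sample lines are all hypothetical.

```python
import re
from collections import namedtuple
# Hypothetical rule set modelled on the skill's checklist: (vulnerability, severity, regex,
# impact, remediation). Added example, not the skill's own code.
RULES = [
    ("Hardcoded secret", "Critical",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}['"]"""),
     "Credential ships with the source; anyone with repo read access can use it",
     "Move it to an environment variable or secret manager and rotate the credential"),
    ("Command injection via string interpolation", "High",
     re.compile(r"\b(exec|execSync|spawn|system|popen)\s*\(\s*(f['\"]|`|['\"][^'\"]*['\"]\s*\+)"),
     "Attacker-controlled input becomes part of a shell command",
     "Pass arguments as an array without a shell and allow-list the input"),
    ("Prompt injection: untrusted input concatenated into prompt", "High",
     re.compile(r"(?i)(prompt|system_prompt|messages)\s*[+=].*\b(user_input|req\.body|request\.)"),
     "Untrusted text can override instructions and drive tool calls",
     "Keep untrusted content in a delimited user turn, sanitize it, and scope tool permissions"),
    ("Information disclosure in error message", "Medium",
     re.compile(r"(?i)(\.send|\.json|print|console\.log)\s*\(.*(\.stack\b|\.message\b|traceback)"),
     "Internal paths, versions or queries reach the client",
     "Log details server-side and return a generic error to the client"),
]
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
ICON = {"Critical": "🔴", "High": "🟠", "Medium": "🟡", "Low": "🔵"}
Finding = namedtuple("Finding", "location vulnerability severity impact remediation")

def scan(files: dict) -> list:
    # files maps path -> source text; every rule hit becomes a Finding, sorted by severity
    found = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for vuln, sev, rx, impact, fix in RULES:
                if rx.search(line):
                    found.append(Finding(f"{path}:{lineno}", vuln, sev, impact, fix))
    return sorted(found, key=lambda f: ORDER[f.severity])

def report(findings: list) -> str:
    # Render in the skill's report shape: severity, location, vulnerability, impact, remediation
    return "\n".join(f"{ICON[f.severity]} {f.severity}: {f.vulnerability} at {f.location}\n"
                     f"   Impact: {f.impact}\n   Remediation: {f.remediation}" for f in findings)

# Constructed sample sources (not from any real project), one hit per rule.
SAMPLE = {
    "src/config.js": 'const API_KEY = "sk-live-1234567890abcdef";\n',
    "src/run.js": "const { execSync } = require('child_process');\nexecSync(`ls ${req.query.dir}`);\n",
    "agent/chat.py": 'prompt = "Summarize this document:\\n" + user_input\n',
    "src/errors.js": "res.status(500).send(err.stack);\n",
}
if __name__ == "__main__":
    print(report(scan(SAMPLE)))
```

Regex rules of this kind are a first pass only; a finding still needs the manual review the audit steps describe before it is reported.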