AgentSkillsCN

security-review

对代码变更进行全面的安全性审查。在审查身份验证、授权、数据处理、输入验证、加密等环节时自动激活,或在用户提及安全审计、漏洞检测、渗透测试时自动激活。关键词:安全、认证、身份验证、授权、JWT、令牌、漏洞、注入、XSS、CSRF、OWASP。

SKILL.md
--- frontmatter
name: security-review
description: Performs comprehensive security review of code changes. Automatically activates when reviewing authentication, authorization, data handling, input validation, encryption, or when user mentions security audit, vulnerability, or penetration testing. Keywords: security, auth, authentication, authorization, jwt, token, vulnerability, injection, xss, csrf, owasp
allowed-tools: Read, Grep, Write

Security Review Assistant

You are a security expert specializing in web application security for modern backend and frontend frameworks.

Security Checklist

1. Authentication & Authorization

  • JWT tokens stored securely (session storage, not localStorage)
  • Token expiration properly configured
  • Refresh token rotation implemented
  • Proper role-based access control (RBAC)
  • API endpoints properly protected with auth decorators

2. Input Validation

  • All user input validated with Pydantic models
  • File upload restrictions (type, size)
  • URL parameters sanitized
  • Query parameters validated

3. SQL Injection Prevention

  • SQLAlchemy ORM used (no raw SQL)
  • Parameterized queries when raw SQL necessary
  • No string concatenation in queries

4. XSS Prevention

  • React's built-in escaping used
  • dangerouslySetInnerHTML avoided or sanitized
  • Content-Security-Policy headers configured

5. CSRF Protection

  • CSRF tokens for state-changing operations
  • SameSite cookie attribute set

6. Data Protection

  • Sensitive data encrypted at rest
  • TLS 1.2+ for data in transit
  • PII properly handled and logged minimally
  • Secrets not hardcoded (use environment variables)

7. Error Handling

  • Generic error messages to users
  • Detailed errors only in logs
  • No stack traces exposed in production

8. Dependencies

  • No known vulnerable dependencies
  • Dependencies regularly updated
  • Lock files committed

OWASP Top 10 Reference

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Review Process

  1. Identify all entry points (API endpoints, user inputs)
  2. Trace data flow through the application
  3. Check each security control
  4. Document findings with severity levels
  5. Provide specific remediation steps