Run any Skill in Manus with one click

security-review

Stars2

Forks1

UpdatedMay 13, 2026 at 07:31

Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

forgivesam168

forgivesam168/ai-dev-workflow

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

File Explorer

2 files

SKILL.md

readonly

More from this repository

same repository

brainstorming

forgivesam168/ai-dev-workflow

Start a work item: triage risk, run structured brainstorming to clarify requirements, compare solution options, and produce a decision log + change package skeleton.

2026-05-132

agentic-eval

forgivesam168/ai-dev-workflow

Adversarial evaluation patterns for any output or decision where you want a devil's advocate challenge before committing. Use when: you want to challenge a decision, get an adversarial second opinion, implement self-critique loops, apply rubric-based scoring, run evaluator-optimizer pipelines, judge-and-refine cycles, verify a downstream agent can consume an upstream artifact, or check inter-stage artifact consistency. Triggers on "devil's advocate", "challenge this decision", "挑戰這個決策", "扮演反對者", "adversarial review", "self-critique", "質疑這個方案". Do NOT use for standard code review (use code-security-review skill), general refactoring (use refactor skill), or security audits.

2026-05-132

specification

forgivesam168/ai-dev-workflow

Generate comprehensive specification documents (PRD/Spec). Use when asked to "write spec", "create PRD", "document requirements", "user stories", "acceptance criteria", "產生規格", "寫需求文件", "specifications", or transforming brainstorm results into formal structured requirements for features.

2026-05-132

tdd-workflow

forgivesam168/ai-dev-workflow

Test-Driven Development workflow enforcement skill. Use when explicitly asked for TDD methodology, test-first development, red-green-refactor cycle, or TDD implementation. Triggers on keywords like "start TDD", "test-driven development", "write tests first", or in Chinese "開始 TDD", "測試先行", "TDD 實作". Provides comprehensive TDD patterns, coverage requirements, and Red-Green-Refactor workflow guidance.

2026-05-132

ci-cd-and-automation

forgivesam168/ai-dev-workflow

CI/CD pipeline design and automation quality gates. Use when designing or reviewing continuous integration pipelines, setting up quality gates, implementing Shift Left testing strategies, automating deployment workflows, or diagnosing slow/broken pipelines. Triggers on: "CI/CD", "pipeline design", "quality gate", "Shift Left", "automate deployment", "GitHub Actions", "pipeline slow", "build pipeline", "continuous integration", "continuous deployment". Do NOT use for production launch decisions (use shipping-and-launch), code review (use code-security-review), or infrastructure provisioning.

2026-05-132

shipping-and-launch

forgivesam168/ai-dev-workflow

Production deployment and launch management skill. Use when preparing to ship a feature to production: staged rollout planning, rollback plan design, production readiness checklists, launch go/no-go decisions, and post-launch monitoring setup. Triggers on: "deploy to production", "ship this feature", "launch plan", "rollout strategy", "rollback plan", "production checklist", "go-live", "staged rollout". Do NOT use for internal code finalization (use work-archiving), CI/CD pipeline design (use ci-cd-and-automation), or code review (use code-security-review).

2026-05-132

name	security-review
description	Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.

Security Review Skill

This skill ensures all code follows security best practices and identifies potential vulnerabilities.

When to Activate

Choose the mode before activating:

Mode	When	How
Quick Gate	Every PR, every code review	Self-score 0–10; list concerns if < 8/10
Deep Scan	High-risk features, periodic review, payment/auth changes	Full OWASP Top 10 threat model

Default mode: Quick Gate. Escalate to Deep Scan when implementing payment features, auth changes, or handling sensitive data.

Implementing authentication or authorization
Handling user input or file uploads
Creating new API endpoints
Working with secrets or credentials
Implementing payment features
Storing or transmitting sensitive data
Integrating third-party APIs

Security Checklist

1. Secrets Management

❌ NEVER Do This

// 【警告：以下為錯誤示範，切勿在實際程式碼中使用】
const apiKey = "<REDACTED-NEVER-HARDCODE-SECRETS>"  // Hardcoded secret
const dbPassword = "<REDACTED-NEVER-HARDCODE-SECRETS>" // In source code

✅ ALWAYS Do This

const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL

// Verify secrets exist
if (!apiKey) {
  throw new Error('OPENAI_API_KEY not configured')
}

Verification Steps

No hardcoded API keys, tokens, or passwords
All secrets in environment variables
.env.local in .gitignore
No secrets in git history
Production secrets in hosting platform (Vercel, Railway)

2. Input Validation

Always Validate User Input

import { z } from 'zod'

// Define validation schema
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

// Validate before processing
export async function createUser(input: unknown) {
  try {
    const validated = CreateUserSchema.parse(input)
    return await db.users.create(validated)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return { success: false, errors: error.errors }
    }
    throw error
  }
}

File Upload Validation

function validateFileUpload(file: File) {
  // Size check (5MB max)
  const maxSize = 5 * 1024 * 1024
  if (file.size > maxSize) {
    throw new Error('File too large (max 5MB)')
  }

  // Type check
  const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
  if (!allowedTypes.includes(file.type)) {
    throw new Error('Invalid file type')
  }

  // Extension check
  const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
  const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
  if (!extension || !allowedExtensions.includes(extension)) {
    throw new Error('Invalid file extension')
  }

  return true
}

Verification Steps

All user inputs validated with schemas
File uploads restricted (size, type, extension)
No direct use of user input in queries
Whitelist validation (not blacklist)
Error messages don't leak sensitive info

3. SQL Injection Prevention

❌ NEVER Concatenate SQL

// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)

✅ ALWAYS Use Parameterized Queries

// Safe - parameterized query
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)

// Or with raw SQL
await db.query(
  'SELECT * FROM users WHERE email = $1',
  [userEmail]
)

Verification Steps

All database queries use parameterized queries
No string concatenation in SQL
ORM/query builder used correctly
Supabase queries properly sanitized

4. Authentication & Authorization

JWT Token Handling

// ❌ WRONG: localStorage (vulnerable to XSS)
// 【警告：以下為錯誤示範，切勿在實際程式碼中使用】
localStorage.setItem('token', token)

// ✅ CORRECT: httpOnly cookies (recommended)
// 使用 httpOnly cookie 防止 XSS 攻擊
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

Authorization Checks

export async function deleteUser(userId: string, requesterId: string) {
  // ALWAYS verify authorization first
  const requester = await db.users.findUnique({
    where: { id: requesterId }
  })

  if (requester.role !== 'admin') {
    return NextResponse.json(
      { error: 'Unauthorized' },
      { status: 403 }
    )
  }

  // Proceed with deletion
  await db.users.delete({ where: { id: userId } })
}

Row Level Security (Supabase)

-- Enable RLS on all tables
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Users can only view their own data
CREATE POLICY "Users view own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- Users can only update their own data
CREATE POLICY "Users update own data"
  ON users FOR UPDATE
  USING (auth.uid() = id);

Verification Steps

Tokens stored in httpOnly cookies (not localStorage)
Authorization checks before sensitive operations
Row Level Security enabled in Supabase
Role-based access control implemented
Session management secure

5. XSS Prevention

Sanitize HTML

import DOMPurify from 'isomorphic-dompurify'

// ALWAYS sanitize user-provided HTML
function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}

Content Security Policy

// next.config.js
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    value: `
      default-src 'self';
      script-src 'self' 'unsafe-eval' 'unsafe-inline';
      style-src 'self' 'unsafe-inline';
      img-src 'self' data: https:;
      font-src 'self';
      connect-src 'self' https://api.example.com;
    `.replace(/\s{2,}/g, ' ').trim()
  }
]

Verification Steps

User-provided HTML sanitized
CSP headers configured
No unvalidated dynamic content rendering
React's built-in XSS protection used

6. CSRF Protection

CSRF Tokens

import { csrf } from '@/lib/csrf'

export async function POST(request: Request) {
  const token = request.headers.get('X-CSRF-Token')

  if (!csrf.verify(token)) {
    return NextResponse.json(
      { error: 'Invalid CSRF token' },
      { status: 403 }
    )
  }

  // Process request
}

SameSite Cookies

res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)

Verification Steps

CSRF tokens on state-changing operations
SameSite=Strict on all cookies
Double-submit cookie pattern implemented

7. Rate Limiting

API Rate Limiting

import rateLimit from 'express-rate-limit'

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window
  message: 'Too many requests'
})

// Apply to routes
app.use('/api/', limiter)

Expensive Operations

// Aggressive rate limiting for searches
const searchLimiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 10, // 10 requests per minute
  message: 'Too many search requests'
})

app.use('/api/search', searchLimiter)

Verification Steps

Rate limiting on all API endpoints
Stricter limits on expensive operations
IP-based rate limiting
User-based rate limiting (authenticated)

8. Sensitive Data Exposure

Logging

// ❌ WRONG: Logging sensitive data
// 【警告：以下為錯誤示範，切勿記錄敏感資料】
console.log('User login:', { email, password })  // 不可記錄密碼
console.log('Payment:', { cardNumber, cvv })      // 不可記錄完整卡號和CVV

// ✅ CORRECT: Redact sensitive data
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })

Error Messages

// ❌ WRONG: Exposing internal details
catch (error) {
  return NextResponse.json(
    { error: error.message, stack: error.stack },
    { status: 500 }
  )
}

// ✅ CORRECT: Generic error messages
catch (error) {
  console.error('Internal error:', error)
  return NextResponse.json(
    { error: 'An error occurred. Please try again.' },
    { status: 500 }
  )
}

Verification Steps

No passwords, tokens, or secrets in logs
Error messages generic for users
Detailed errors only in server logs
No stack traces exposed to users

9. Blockchain Security (Solana)

Wallet Verification

import { verify } from '@solana/web3.js'

async function verifyWalletOwnership(
  publicKey: string,
  signature: string,
  message: string
) {
  try {
    const isValid = verify(
      Buffer.from(message),
      Buffer.from(signature, 'base64'),
      Buffer.from(publicKey, 'base64')
    )
    return isValid
  } catch (error) {
    return false
  }
}

Transaction Verification

async function verifyTransaction(transaction: Transaction) {
  // Verify recipient
  if (transaction.to !== expectedRecipient) {
    throw new Error('Invalid recipient')
  }

  // Verify amount
  if (transaction.amount > maxAmount) {
    throw new Error('Amount exceeds limit')
  }

  // Verify user has sufficient balance
  const balance = await getBalance(transaction.from)
  if (balance < transaction.amount) {
    throw new Error('Insufficient balance')
  }

  return true
}

Verification Steps

Wallet signatures verified
Transaction details validated
Balance checks before transactions
No blind transaction signing

10. Dependency Security

Regular Updates

# Check for vulnerabilities
npm audit

# Fix automatically fixable issues
npm audit fix

# Update dependencies
npm update

# Check for outdated packages
npm outdated

Lock Files

# ALWAYS commit lock files
git add package-lock.json

# Use in CI/CD for reproducible builds
npm ci  # Instead of npm install

Verification Steps

Security Testing

Automated Security Tests

// Test authentication
test('requires authentication', async () => {
  const response = await fetch('/api/protected')
  expect(response.status).toBe(401)
})

// Test authorization
test('requires admin role', async () => {
  const response = await fetch('/api/admin', {
    headers: { Authorization: `Bearer ${userToken}` }
  })
  expect(response.status).toBe(403)
})

// Test input validation
test('rejects invalid input', async () => {
  const response = await fetch('/api/users', {
    method: 'POST',
    body: JSON.stringify({ email: 'not-an-email' })
  })
  expect(response.status).toBe(400)
})

// Test rate limiting
test('enforces rate limits', async () => {
  const requests = Array(101).fill(null).map(() =>
    fetch('/api/endpoint')
  )

  const responses = await Promise.all(requests)
  const tooManyRequests = responses.filter(r => r.status === 429)

  expect(tooManyRequests.length).toBeGreaterThan(0)
})

Pre-Deployment Security Checklist

Before ANY production deployment:

CSO 雙模式（Confidence-Scored Oversight）

Quick Gate Mode（每次 PR 必執行）

Before each PR merge or code review approval:

Self-score security confidence: 0–10
Score < 8/10 → STOP: list every specific concern — cannot proceed to merge
Score ≥ 8/10 → proceed; document brief rationale for any score below 10

Output format:

Quick Gate: [score]/10
Concerns (required if < 8):
- [specific vulnerability or risk area]
- [specific vulnerability or risk area]

Deep Scan Mode（週期性 / 高風險功能）

Trigger Deep Scan when:

New payment or financial feature
Authentication / authorization changes
Sensitive data handling (PII, credentials)
Third-party integration with elevated permissions
Periodic security review (recommended: every major release)

OWASP Top 10 scan checklist:

#	Category	Result
A01	Broken Access Control	PASS / FAIL / N/A
A02	Cryptographic Failures	PASS / FAIL / N/A
A03	Injection	PASS / FAIL / N/A
A04	Insecure Design	PASS / FAIL / N/A
A05	Security Misconfiguration	PASS / FAIL / N/A
A06	Vulnerable and Outdated Components	PASS / FAIL / N/A
A07	Identification and Authentication Failures	PASS / FAIL / N/A
A08	Software and Data Integrity Failures	PASS / FAIL / N/A
A09	Security Logging and Monitoring Failures	PASS / FAIL / N/A
A10	Server-Side Request Forgery (SSRF)	PASS / FAIL / N/A

Any FAIL → provide remediation before approval.

Resources

Remember: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.