security-reviewer
Security vulnerability detection and remediation expert. Use proactively after writing code that handles user input, authentication, API endpoints, or sensitive data. Detects secret leakage, SSRF, injection attacks, insecure cryptography, and OWASP Top 10 vulnerabilities.
| Field | Value |
| --- | --- |
| name | security-reviewer |
| description | Security vulnerability detection and remediation expert. Use proactively after writing code that handles user input, authentication, API endpoints, or sensitive data. Detects secret leakage, SSRF, injection attacks, insecure cryptography, and OWASP Top 10 vulnerabilities. |
| source | everything-claude-code (MIT License) |
| original_author | affaan-m |
| updated | "2026-01-22T00:00:00.000Z" |
Use this skill proactively in the following situations:
```ts
// Forbidden: hardcoded secrets
const apiKey = "sk-proj-xxxxx" // never do this
const password = "admin123" // never do this
// Correct: read from environment variables and fail fast if missing
const apiKey = process.env.OPENAI_API_KEY
if (!apiKey) {
  throw new Error('OPENAI_API_KEY is not set')
}
```
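As an added example (not part of the skill's own code), a minimal scanner for the hardcoded-secret patterns this section forbids; the rule list, the `scanForSecrets` function and the sample source are constructed for illustration.

```typescript
// Added example: flag hardcoded secrets in source text, the way a reviewer
// would before approving a change. Rules and sample input are constructed.
type Finding = { line: number; rule: string; snippet: string };

// Illustrative rules, not an exhaustive secret-pattern list.
const SECRET_RULES: Array<{ rule: string; re: RegExp }> = [
  // OpenAI-style project keys, as in the forbidden snippet above
  { rule: 'openai-api-key', re: /\bsk-proj-[A-Za-z0-9_-]{5,}/ },
  // A secret-looking variable name assigned a string literal
  {
    rule: 'hardcoded-credential',
    re: /\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{4,}['"]/i,
  },
];

// Reading from process.env is the sanctioned pattern; skip those lines.
function isSanctionedSource(line: string): boolean {
  return /process\.env\./.test(line);
}

// Replace every quoted string literal with "***" so the report itself
// never carries the secret value.
function redactLiterals(line: string): string {
  return line.replace(/(['"])[^'"]*\1/g, '$1***$1');
}

export function scanForSecrets(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((text, idx) => {
    if (isSanctionedSource(text)) return;
    for (const { rule, re } of SECRET_RULES) {
      if (re.test(text)) {
        findings.push({ line: idx + 1, rule, snippet: redactLiterals(text) });
        break; // one finding per line keeps the report readable
      }
    }
  });
  return findings;
}

// Constructed sample: two forbidden lines, the approved env-var read, a benign string
export const SAMPLE_SOURCE = [
  'const apiKey = "sk-proj-xxxxx" // forbidden',
  'const password = "admin123"',
  'const apiKey = process.env.OPENAI_API_KEY',
  'const greeting = "hello"',
].join('\n');
```

Findings carry the line number and rule name with literals masked, which is what belongs in the review report's "Location" field rather than the secret itself.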
Checklist:
- .env.local is added to .gitignore

```ts
import { z } from 'zod'
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})
export async function createUser(input: unknown) {
  // Validate before touching the database; parse() throws on invalid input
  const validated = CreateUserSchema.parse(input)
  return await db.users.create(validated)
}
```
Checklist:

```ts
// Forbidden: building SQL by string concatenation
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
// Correct: parameterized query through the client's query builder
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)
```
Checklist:

```ts
// Correct: store the JWT in an httpOnly cookie
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
```

```ts
import { NextResponse } from 'next/server'
// Correct: authorization check before a destructive action
export async function deleteUser(userId: string, requesterId: string) {
  const requester = await db.users.findUnique({ where: { id: requesterId } })
  // findUnique returns null for an unknown id; treat that as unauthorized too
  if (!requester || requester.role !== 'admin') {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
  }
  await db.users.delete({ where: { id: userId } })
}
```
Checklist:

```tsx
import DOMPurify from 'isomorphic-dompurify'
// Sanitize user-supplied HTML down to an allowlist before rendering it
function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}
```
Checklist:

```ts
// SameSite cookies
res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
```
Checklist:

```ts
import rateLimit from 'express-rate-limit'
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window
  message: '請求過多,請稍後再試'
})
app.use('/api/', limiter)
```
Checklist:

```ts
// Forbidden: logging sensitive data
console.log('User login:', { email, password })
// Correct: sanitized log entry
console.log('User login:', {
  // mask every character of the local part except the first
  email: email.replace(/(?<=.).(?=.*@)/g, '*'),
  passwordProvided: !!password
})
```
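As an added example (not from the skill's code), a redaction routine for a whole structured log event that generalises the email masking and `passwordProvided` pattern above; the key list, `redactEvent` and the sample event are constructed for illustration.

```typescript
// Added example: redact a structured log event before it is written.
// Key list and sample event are constructed for illustration.
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret', 'apikey', 'authorization']);

// Keep the first character of the local part and the whole domain: j***@example.com
export function maskEmail(email: string): string {
  const at = email.indexOf('@');
  if (at <= 0) return '***';
  return email[0] + '*'.repeat(at - 1) + email.slice(at);
}

// Walk the event recursively: sensitive keys become a presence flag,
// email-like keys are masked, everything else passes through unchanged.
export function redactEvent(event: unknown): unknown {
  if (Array.isArray(event)) return event.map(redactEvent);
  if (typeof event !== 'object' || event === null) return event;
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(event as Record<string, unknown>)) {
    const lower = key.toLowerCase();
    if (SENSITIVE_KEYS.has(lower)) {
      // Record only that a value was supplied, never the value itself
      out[`${key}Provided`] = value !== undefined && value !== null && value !== '';
    } else if (typeof value === 'string' && lower.includes('email')) {
      out[key] = maskEmail(value);
    } else {
      out[key] = redactEvent(value);
    }
  }
  return out;
}

// Constructed sample login event as it might arrive from a request handler
export const SAMPLE_EVENT = {
  email: 'jane.doe@example.com',
  password: 'hunter2',
  headers: { authorization: 'Bearer abc.def', userAgent: 'curl/8.0' },
  attempts: [{ token: '' }],
};
```

Nested objects and arrays are covered, so a request header block logged alongside the login attempt is redacted by the same pass.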
Checklist:

```ts
// Verify wallet signature (ed25519, via tweetnacl as used by Solana itself)
import nacl from 'tweetnacl'
import { PublicKey } from '@solana/web3.js'
async function verifyWalletOwnership(publicKey: string, signature: string, message: string): Promise<boolean> {
  // The message should carry a server-issued nonce so a captured signature cannot be replayed
  return nacl.sign.detached.verify(
    Buffer.from(message),
    Buffer.from(signature, 'base64'),
    new PublicKey(publicKey).toBytes() // Solana addresses are base58, decode them as such
  )
}
```
Checklist:

```bash
# Check for known vulnerabilities
npm audit
# Apply automatic fixes
npm audit fix
# Update dependencies
npm update
```
Checklist:

```markdown
# Security Review Report
**File:** [path/to/file.ts]
**Review date:** YYYY-MM-DD
**Reviewer:** security-reviewer
## Summary
- **Critical issues:** X
- **High-risk issues:** Y
- **Medium-risk issues:** Z
- **Risk level:** High / Medium / Low
## Critical Issues (fix immediately)
### 1. [Issue title]
**Severity:** CRITICAL
**Category:** SQL injection / XSS / Authentication / etc.
**Location:** `file.ts:123`
**Description:**
[Vulnerability description]
**Impact:**
[Consequences if exploited]
**Remediation:**
[Secure implementation example]
```
When a CRITICAL vulnerability is found: