skill-security-reviewer
OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)
| name | skill-security-reviewer |
| description | OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload) |
| version | 1.0.0 |
| tags | ["security","OWASP","review","gatekeeper"] |
| when_to_use | When the skill has auth/payment/upload features: invoked automatically before Gatekeeper approval. Do not use for documentation-only or guidance skills. |
Skill Creation → [Auth/Payment/Upload?] → YES → Security Review
→ NO → Skip to Gatekeeper
check:
- "Auth checks present on all protected endpoints"
- "Role/permission validation exists"
- "No direct object references without ownership check"
check:
- "No hardcoded secrets (API keys, passwords, tokens)"
- "Environment variables for sensitive data"
- "No credentials in logs or error messages"
check:
- "No string concatenation in shell commands"
- "Parameterized queries used"
- "Input validation on all user inputs"
check:
- "Skill does not create security holes in its output"
- "Sandbox execution specified for scripts"
- "Rate limiting documented if applicable"
check:
- "Docker sandboxing specified for executable scripts"
- "No default credentials generated"
- "Error messages do not leak sensitive info"
=== SECURITY REVIEW REPORT ===
Skill: {skill-name}
Timestamp: {date}
Trigger: {auth|payment|upload|manual}
Verdict: APPROVED / REQUEST CHANGES / REJECTED
Findings:
- [CRITICAL] {description}
- [HIGH] {description}
- [MEDIUM] {description}
- [LOW] {description}
Action: {instruction for builder}
triggers:
  auto:
    - skill has authentication feature
    - skill handles payment/data
    - skill accepts file uploads
  manual:
    - user explicitly requests security review
Limitation: Security review is advisory. Final security responsibility lies with developer.
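An added example, not part of the skill itself: a minimal Python gate that follows the flow above, from trigger detection through two of the checklist items to the report format. The trigger keywords, regex rules, severity mapping and verdict policy are assumptions for illustration; the page defines none of them.

```python
import re
from datetime import date

# Assumed keyword heuristics for the page's three auto triggers.
TRIGGERS = {
    "auth": re.compile(r"\b(auth|login|oauth|jwt|session)\w*", re.I),
    "payment": re.compile(r"\b(payment|billing|checkout|invoice)\w*", re.I),
    "upload": re.compile(r"\b(upload|multipart)\w*", re.I),
}
# Assumed patterns and severities for two of the checklist items.
RULES = [
    ("CRITICAL", "hardcoded secret", re.compile(
        r"(?i)\b(api[_-]?key|password|token|secret)\b\s*[:=]\s*['\"][^'\"$]{8,}['\"]")),
    ("HIGH", "string concatenation in shell command", re.compile(
        r"(os\.system|subprocess\.\w+)\(\s*(f['\"]|['\"][^'\"]*['\"]\s*[+%])")),
]

def detect_trigger(text):
    """Return the first matching auto trigger, or None (skip to Gatekeeper)."""
    for name, pattern in TRIGGERS.items():
        if pattern.search(text):
            return name
    return None

def review(skill_name, text):
    """Return (verdict, report), or (None, None) when no trigger applies."""
    trigger = detect_trigger(text)
    if trigger is None:
        return None, None
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for severity, desc, pattern in RULES:
            if pattern.search(line):
                findings.append((severity, f"{desc} (line {lineno})"))
    severities = {sev for sev, _ in findings}
    # Assumed verdict policy: any CRITICAL rejects, anything else requests changes.
    verdict = ("REJECTED" if "CRITICAL" in severities
               else "REQUEST CHANGES" if severities else "APPROVED")
    report = "\n".join([
        "=== SECURITY REVIEW REPORT ===", f"Skill: {skill_name}",
        f"Timestamp: {date.today().isoformat()}", f"Trigger: {trigger}",
        f"Verdict: {verdict}", "Findings:",
        *[f"- [{sev}] {msg}" for sev, msg in findings],
    ])
    return verdict, report

# Constructed sample skill source, not taken from a real skill.
SAMPLE = ('Upload handler for user avatars.\n'
          'API_KEY = "constructed-not-a-real-key"\n'
          'os.system("convert " + path)\n')
```

Calling `review("avatar-upload", SAMPLE)` returns the verdict together with a report in the layout shown above; the `Action:` line is left for the reviewer to write.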