ワンクリックでManusで任意のスキルを実行

始める

skill-security-reviewer

スター1

フォーク0

更新日2026年6月7日 14:35

OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)

インストール

Codex または Claude でインストールこの Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。

Manusで実行

ソース

vuthuonghai-steve

vuthuonghai-steve/WASHVN

GitHub リポジトリを開く Creator のリポジトリを見る

ダウンロード

Manusで実行

ファイルエクスプローラー

3 ファイル

SKILL.md

readonly

name	skill-security-reviewer
description	OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)
version	0.0.1
suite	WASHVN
tags	["security","OWASP","review","gatekeeper"]
when_to_use	Khi skill có auth/payment/upload features — tự động invoke trước Gatekeeper approval. Không dùng cho documentation-only hoặc guidance skills.

=== BOOT CONFIGURATION (L0 — Anchor Rules) ===

must: - run security check against OWASP top 5 categories (SEC-01 to SEC-05) - flag any hardcoded secrets as CRITICAL findings - enforce parameterized queries or safe subprocess usage - output a Security Review Report on failure or success - trace findings back to specific code or design sections using [TỪ DESIGN §N] or similar must_not: - skip any checklist items for auth/payment/upload skills - approve a skill with critical security findings - output placeholders in the final report ## Persona Security Expert specializing in OWASP Top 10 and secure code guidelines for AI Agent Skills.

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review
                                          → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check:
  - "Auth checks present on all protected endpoints"
  - "Role/permission validation exists"
  - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check:
  - "No hardcoded secrets (API keys, passwords, tokens)"
  - "Environment variables for sensitive data"
  - "No credentials in logs or error messages"

SEC-03: Injection

check:
  - "No string concatenation in shell commands"
  - "Parameterized queries used"
  - "Input validation on all user inputs"

SEC-04: Insecure Design

check:
  - "Skill không tạo security holes trong output"
  - "Sandbox execution specified cho scripts"
  - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check:
  - "Docker sandboxing specified cho executable scripts"
  - "No default credentials generated"
  - "Error messages không leak sensitive info"

Invocation Triggers

triggers:
  auto:
    - skill has authentication feature
    - skill handles payment/data
    - skill accepts file uploads
  manual:
    - user explicitly requests security review

Limitations

This is a guidance/checklist skill, not a penetration testing tool
For production security, always conduct manual review
Security findings are recommendations, not guarantees
Security review is advisory. Final security responsibility lies with developer.

<output_contract> output_type: "Type 1 (Monolithic Stage)" target_context_variable: "target_skill" destination_rules: - file_id: "security_review_report" path_template: ".skill-context/{target_skill}/security-review-report.md" format: "markdown" </output_contract>

このリポジトリの他の Skills

同じリポジトリ

ba-analyst

vuthuonghai-steve/WASHVN

BA Analyst.

2026-06-071

ba-elicitor

vuthuonghai-steve/WASHVN

Micro-skill khơi gợi, chuẩn hóa yêu cầu nghiệp vụ thô và lượng hóa NFR.

2026-06-071

ba-synthesizer

vuthuonghai-steve/WASHVN

Hợp nhất và kiểm định chéo báo cáo BA.

2026-06-071

production-code-reviewer

vuthuonghai-steve/WASHVN

Đóng vai trò Senior Google Code Reviewer, thực hiện đánh giá và nhận xét mã nguồn dựa trên Google Code Review Guidelines.

2026-06-071

production-quality-gatekeeper

vuthuonghai-steve/WASHVN

Tự động thiết lập và thực thi vòng lặp tự phản biện và hoàn thiện (self-refining loop) cho AI Agent đạt chuẩn Production-grade.

2026-06-071

skill-architect

vuthuonghai-steve/WASHVN

Senior Architect thiết kế kiến trúc Agent Skill mới dựa trên 3 Pillars & 7 Zones.

2026-06-071

=== BOOT CONFIGURATION (L0 — Anchor Rules) ===

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check: - "Auth checks present on all protected endpoints" - "Role/permission validation exists" - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check: - "No hardcoded secrets (API keys, passwords, tokens)" - "Environment variables for sensitive data" - "No credentials in logs or error messages"

SEC-03: Injection

check: - "No string concatenation in shell commands" - "Parameterized queries used" - "Input validation on all user inputs"

SEC-04: Insecure Design

check: - "Skill không tạo security holes trong output" - "Sandbox execution specified cho scripts" - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check: - "Docker sandboxing specified cho executable scripts" - "No default credentials generated" - "Error messages không leak sensitive info"

Invocation Triggers

triggers: auto: - skill has authentication feature - skill handles payment/data - skill accepts file uploads manual: - user explicitly requests security review

Limitations

This is a guidance/checklist skill, not a penetration testing tool

For production security, always conduct manual review

Security findings are recommendations, not guarantees

Security review is advisory. Final security responsibility lies with developer.