security-reviewer
Security vulnerability detection and remediation expert. Use proactively after writing code that handles user input, authentication, API endpoints or sensitive data. Detects secret leakage, SSRF, injection attacks, insecure cryptography and OWASP Top 10 vulnerabilities.
| field | value |
|---|---|
| name | security-reviewer |
| description | Security vulnerability detection and remediation expert. Use proactively after writing code that handles user input, authentication, API endpoints or sensitive data. Detects secret leakage, SSRF, injection attacks, insecure cryptography and OWASP Top 10 vulnerabilities. |
| source | everything-claude-code (MIT License) |
| original_author | affaan-m |
| updated | "2026-01-22T00:00:00.000Z" |
Use this skill proactively in the following situations:
```typescript
// Forbidden: hardcoded secrets (they end up in git history, build artifacts and logs)
const apiKey = "sk-proj-xxxxx" // never
const password = "admin123" // never

// Correct: read from the environment and fail fast when the value is missing
const apiKey = process.env.OPENAI_API_KEY
if (!apiKey) {
  throw new Error('OPENAI_API_KEY is not set')
}
```
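The check a reviewer would actually run for this rule, as an added example that is not part of the skill or of everything-claude-code: a small scanner over source text that flags the two forbidden shapes shown above (a provider-prefixed key and a quoted literal assigned to a credential-named variable) while ignoring reads from `process.env`. The prefix regexes, rule names and the sample source are assumptions constructed for the example; real providers' key formats vary, so extend `SECRET_RULES` for the ones you use.

```typescript
// Added example (not from the skill): a minimal hardcoded-credential scanner.
// The patterns are assumptions; adjust them to the providers in your stack.
export type Finding = { line: number; rule: string; snippet: string }

const SECRET_RULES: Array<{ rule: string; re: RegExp }> = [
  { rule: 'openai-key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { rule: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Generic: a quoted literal of 8+ characters assigned to a credential-named variable
  { rule: 'assigned-secret-literal',
    re: /\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*["'`][^"'`]{8,}["'`]/i },
]

export function scanForSecrets(source: string): Finding[] {
  const findings: Finding[] = []
  source.split('\n').forEach((text, i) => {
    // Reading the value from the environment is the recommended pattern; do not flag it
    if (text.includes('process.env.')) return
    for (const { rule, re } of SECRET_RULES) {
      const m = re.exec(text)
      // Keep only a prefix of the match so the scanner's own output does not leak the secret
      if (m) findings.push({ line: i + 1, rule, snippet: m[0].slice(0, 12) + '...' })
    }
  })
  return findings
}

// Constructed sample input; the key is a made-up value in a plausible shape, not a real credential
export const SAMPLE_SOURCE = [
  'const apiKey = "sk-proj-AbCdEf0123456789ghijklmnop"',
  'const password = "admin123"',
  'const apiKey = process.env.OPENAI_API_KEY',
  'const greeting = "hello"',
].join('\n')
```

Run it over a file's contents and treat any finding as a review blocker. Note that the scanner truncates what it reports: a tool that prints the full matched value just moves the leak from the repository into CI logs.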
Checklist:
- .env.local is listed in .gitignore

```typescript
import { z } from 'zod'

// Validate untrusted input against a schema before it reaches the database
const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

export async function createUser(input: unknown) {
  // parse() throws on invalid input; only the validated, typed object is persisted
  const validated = CreateUserSchema.parse(input)
  return await db.users.create(validated)
}
```
Checklist:
```typescript
// Forbidden: string-concatenated SQL (userEmail becomes part of the statement)
const query = `SELECT * FROM users WHERE email = '${userEmail}'`

// Correct: parameterized query (the query builder sends the value separately from the statement)
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)
```
Checklist:
```typescript
import { NextResponse } from 'next/server'

// Correct: keep the JWT in an httpOnly cookie so page scripts cannot read it
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

// Correct: authorization check before a privileged action
export async function deleteUser(userId: string, requesterId: string) {
  const requester = await db.users.findUnique({ where: { id: requesterId } })
  // An unknown requester must fail closed rather than throw on .role
  if (!requester || requester.role !== 'admin') {
    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
  }
  await db.users.delete({ where: { id: userId } })
}
```
Checklist:
```tsx
import DOMPurify from 'isomorphic-dompurify'

// Allow only a small set of formatting tags and no attributes at all
// (no href, no style, no event handlers)
function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}
```
Checklist:
```typescript
// SameSite cookies: the browser will not attach the session cookie to cross-site requests
res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
```
Checklist:
```typescript
import express from 'express'
import rateLimit from 'express-rate-limit'

const app = express()
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // 100 requests per window per client
  message: 'Too many requests, please try again later'
})
app.use('/api/', limiter)
```
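What the settings above actually enforce, as an added example that is not part of the skill: a fixed-window limiter with the same `windowMs`/`max` semantics, written with an injectable clock so the behaviour at the window boundary can be checked, plus the client-key decision that the middleware makes implicitly. The function names, the demo limit of 3 and the sample addresses are assumptions for the example.

```typescript
// Added example (not from the skill): fixed-window rate limiting with a testable clock.
type Decision = { allowed: boolean; remaining: number; retryAfterMs: number }

export function createFixedWindowLimiter(windowMs: number, max: number) {
  const buckets = new Map<string, { windowStart: number; count: number }>()
  return function check(key: string, now: number): Decision {
    let b = buckets.get(key)
    if (!b || now - b.windowStart >= windowMs) {
      b = { windowStart: now, count: 0 }   // first request in a new window
      buckets.set(key, b)
    }
    if (b.count >= max) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + windowMs - now }
    }
    b.count++
    return { allowed: true, remaining: max - b.count, retryAfterMs: 0 }
  }
}

// The key must identify the real client. Behind a reverse proxy the socket address is the
// proxy, so X-Forwarded-For is only usable once the proxy is explicitly trusted
// (in Express: app.set('trust proxy', ...)); never key on a header an attacker can set.
export function clientKey(remoteAddr: string, forwardedFor: string | undefined, trustProxy: boolean): string {
  if (trustProxy && forwardedFor) {
    return (forwardedFor.split(',')[0] ?? remoteAddr).trim()   // first hop is the original client
  }
  return remoteAddr
}

// Deterministic walkthrough with constructed addresses and a small limit
export function demoLimiter() {
  const check = createFixedWindowLimiter(15 * 60 * 1000, 3)
  const t0 = 0
  const results = [
    check('198.51.100.7', t0),
    check('198.51.100.7', t0 + 1),
    check('198.51.100.7', t0 + 2),
    check('198.51.100.7', t0 + 3),   // fourth request in the window: rejected
  ]
  const afterWindow = check('198.51.100.7', t0 + 15 * 60 * 1000)   // window rolled over
  const otherClient = check('203.0.113.9', t0 + 3)                 // separate bucket
  return { results, afterWindow, otherClient }
}
```

A fixed window lets a client spend `max` requests at the end of one window and `max` more at the start of the next, so for login or OTP endpoints use a much smaller `max` and a sliding or token-bucket scheme; the page's 100 per 15 minutes is a general API default, not a brute-force control.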
Checklist:
```typescript
// Forbidden: logging sensitive data
console.log('User login:', { email, password })

// Correct: sanitize before logging (mask the local part of the e-mail, never log the password itself)
console.log('User login:', {
  email: email.replace(/(?<=.).(?=.*@)/g, '*'),
  passwordProvided: !!password
})
```
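Masking one field inline, as above, does not scale past the first log statement. The general form, as an added example that is not part of the skill: a redaction pass applied to the whole log object before it is serialized, covering credential-named keys at any depth, the e-mail mask from the page, and tokens or card numbers that were pasted into free-text fields. The key list, the regexes and the sample event are assumptions for the example.

```typescript
// Added example (not from the skill): structured log redaction.
const SENSITIVE_KEYS =
  /^(password|passwd|secret|token|access_token|refresh_token|authorization|cookie|api[_-]?key|card_number|ssn)$/i

// Keep the first character of the local part and the whole domain
export function maskEmail(email: string): string {
  const at = email.indexOf('@')
  if (at <= 0) return '[redacted]'
  return email.charAt(0) + '*'.repeat(at - 1) + email.slice(at)
}

export function redact(value: unknown, depth = 0): unknown {
  if (depth > 8) return '[depth-limit]'          // bounds recursion on cyclic or huge objects
  if (Array.isArray(value)) return value.map(v => redact(v, depth + 1))
  if (value && typeof value === 'object') {
    const out: Record<string, unknown> = {}
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (SENSITIVE_KEYS.test(k)) out[k] = '[REDACTED]'
      else if (/^e-?mail$/i.test(k) && typeof v === 'string') out[k] = maskEmail(v)
      else out[k] = redact(v, depth + 1)
    }
    return out
  }
  if (typeof value === 'string') {
    // Secrets that leaked into free text, e.g. a copied header or a card number in a note
    return value
      .replace(/\bBearer\s+[A-Za-z0-9._~+/=-]+/g, 'Bearer [REDACTED]')
      .replace(/\b\d{13,19}\b/g, d => '*'.repeat(d.length - 4) + d.slice(-4))
  }
  return value
}

// Constructed sample event; the token and card number are dummy values
export const SAMPLE_EVENT = {
  event: 'login',
  email: 'alice@example.com',
  password: 'hunter2',
  headers: { authorization: 'Bearer eyJabc.def.ghi', 'user-agent': 'curl/8.0' },
  note: 'retry with Bearer eyJabc.def.ghi and card 4111111111111111',
}
```

Wire `redact` in as a logger formatter or serializer rather than calling it at each log site, so a newly added field is protected by default; the key list is a denylist and should be reviewed whenever the schema changes.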
Checklist:
```typescript
// Verify a wallet signature (ed25519 detached signature over a challenge message).
// @solana/web3.js does not export a verify() function; the ed25519 check comes from tweetnacl,
// and Solana public keys are base58, which PublicKey parses.
import nacl from 'tweetnacl'
import { PublicKey } from '@solana/web3.js'

async function verifyWalletOwnership(publicKey: string, signature: string, message: string) {
  // The message must carry a server-issued nonce and the site origin, or the signature is replayable
  return nacl.sign.detached.verify(
    Buffer.from(message),
    Buffer.from(signature, 'base64'),   // encoding depends on the wallet; base64 assumed here
    new PublicKey(publicKey).toBytes()
  )
}
```
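A signature check proves that someone holding the key signed that exact text; it proves ownership of an account only if the server chose the text. The full challenge/response flow with replay, expiry and key-mismatch handling, as an added example that is not part of the skill: it uses Node's built-in ed25519 (the curve Solana wallets sign with) instead of a wallet library so it runs offline, and identifies the wallet by the raw 32 key bytes in hex rather than base58. The message layout, the 5-minute TTL and the in-memory nonce store are assumptions for the example.

```typescript
// Added example (not from the skill): challenge/response proof of wallet ownership.
import { generateKeyPairSync, sign, verify, randomBytes, KeyObject } from 'node:crypto'

const CHALLENGE_TTL_MS = 5 * 60 * 1000
// Outstanding nonces; a real service keeps these in a shared store with expiry
const issuedNonces = new Map<string, { publicKeyHex: string; expiresAt: number }>()

// Ed25519 SPKI DER is a 12-byte algorithm prefix followed by the 32 raw key bytes;
// a Solana address is the base58 form of those same 32 bytes (hex used here for brevity)
export function rawKeyHex(key: KeyObject): string {
  return key.export({ type: 'spki', format: 'der' }).subarray(-32).toString('hex')
}

export function issueChallenge(publicKeyHex: string, now = Date.now()): string {
  const nonce = randomBytes(16).toString('hex')
  issuedNonces.set(nonce, { publicKeyHex, expiresAt: now + CHALLENGE_TTL_MS })
  // Bind origin, account and nonce into the signed text so a signature cannot be
  // replayed on another site, for another account, or a second time
  return `example.com wants you to sign in\nAddress: ${publicKeyHex}\nNonce: ${nonce}\nIssued: ${now}`
}

export function verifyChallenge(publicKey: KeyObject, message: string, signature: Buffer, now = Date.now()): boolean {
  const nonce = /Nonce: ([0-9a-f]{32})/.exec(message)?.[1]
  if (!nonce) return false
  const entry = issuedNonces.get(nonce)
  if (!entry) return false                      // unknown or already consumed nonce
  issuedNonces.delete(nonce)                    // single use, consumed even if the check fails
  if (now > entry.expiresAt) return false       // stale challenge
  if (!message.includes(`Address: ${entry.publicKeyHex}`)) return false
  if (rawKeyHex(publicKey) !== entry.publicKeyHex) return false   // signed with a different key
  // Ed25519 signs the message directly; the algorithm argument is null, not a digest name
  return verify(null, Buffer.from(message), publicKey, signature)
}

// Walkthrough: a good login, a replay, a signature from the wrong key, and an expired challenge
export function demo() {
  const wallet = generateKeyPairSync('ed25519')
  const other = generateKeyPairSync('ed25519')
  const t0 = 1_700_000_000_000
  const addr = rawKeyHex(wallet.publicKey)

  const msg = issueChallenge(addr, t0)
  const sig = sign(null, Buffer.from(msg), wallet.privateKey)
  const valid = verifyChallenge(wallet.publicKey, msg, sig, t0 + 1000)
  const replay = verifyChallenge(wallet.publicKey, msg, sig, t0 + 2000)

  const msg2 = issueChallenge(addr, t0)
  const wrongKey = verifyChallenge(other.publicKey, msg2, sign(null, Buffer.from(msg2), other.privateKey), t0 + 1000)

  const msg3 = issueChallenge(addr, t0)
  const expired = verifyChallenge(wallet.publicKey, msg3, sign(null, Buffer.from(msg3), wallet.privateKey),
    t0 + CHALLENGE_TTL_MS + 1)

  return { valid, replay, wrongKey, expired }
}
```

The nonce is deleted before the signature is checked, so a failed attempt cannot be retried against the same challenge; the client simply requests a new one. Swapping `verify` for `nacl.sign.detached.verify` on the raw key bytes gives the same flow against a browser wallet.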
Checklist:
```shell
# Check dependencies against the advisory database
npm audit
# Apply fixes that stay within the declared semver ranges
# (--force also takes breaking upgrades; review those before running it)
npm audit fix
# Update dependencies within their declared ranges
npm update
```
Checklist:
```markdown
# Security Review Report

**File:** [path/to/file.ts]
**Review date:** YYYY-MM-DD
**Reviewer:** security-reviewer

## Summary
- **Critical issues:** X
- **High-risk issues:** Y
- **Medium-risk issues:** Z
- **Risk level:** High / Medium / Low

## Critical Issues (fix immediately)

### 1. [Issue title]
**Severity:** CRITICAL
**Category:** SQL injection / XSS / Authentication / etc.
**Location:** `file.ts:123`
**Description:**
[Description of the vulnerability]
**Impact:**
[Consequences if exploited]
**Remediation:**
[Secure implementation example]
```
When a CRITICAL vulnerability is found: