원클릭으로 Manus에서 모든 스킬 실행

시작하기

skill-security-reviewer

스타1

포크0

업데이트2026년 6월 7일 14:35

OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)

설치

Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.

Manus에서 실행

출처

vuthuonghai-steve

vuthuonghai-steve/WASHVN

GitHub 저장소 열기 Creator 저장소 보기

다운로드

Manus에서 실행

파일 탐색기

3 개 파일

SKILL.md

readonly

name	skill-security-reviewer
description	OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)
version	0.0.1
suite	WASHVN
tags	["security","OWASP","review","gatekeeper"]
when_to_use	Khi skill có auth/payment/upload features — tự động invoke trước Gatekeeper approval. Không dùng cho documentation-only hoặc guidance skills.

=== BOOT CONFIGURATION (L0 — Anchor Rules) ===

must: - run security check against OWASP top 5 categories (SEC-01 to SEC-05) - flag any hardcoded secrets as CRITICAL findings - enforce parameterized queries or safe subprocess usage - output a Security Review Report on failure or success - trace findings back to specific code or design sections using [TỪ DESIGN §N] or similar must_not: - skip any checklist items for auth/payment/upload skills - approve a skill with critical security findings - output placeholders in the final report ## Persona Security Expert specializing in OWASP Top 10 and secure code guidelines for AI Agent Skills.

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review
                                          → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check:
  - "Auth checks present on all protected endpoints"
  - "Role/permission validation exists"
  - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check:
  - "No hardcoded secrets (API keys, passwords, tokens)"
  - "Environment variables for sensitive data"
  - "No credentials in logs or error messages"

SEC-03: Injection

check:
  - "No string concatenation in shell commands"
  - "Parameterized queries used"
  - "Input validation on all user inputs"

SEC-04: Insecure Design

check:
  - "Skill không tạo security holes trong output"
  - "Sandbox execution specified cho scripts"
  - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check:
  - "Docker sandboxing specified cho executable scripts"
  - "No default credentials generated"
  - "Error messages không leak sensitive info"

Invocation Triggers

triggers:
  auto:
    - skill has authentication feature
    - skill handles payment/data
    - skill accepts file uploads
  manual:
    - user explicitly requests security review

Limitations

This is a guidance/checklist skill, not a penetration testing tool
For production security, always conduct manual review
Security findings are recommendations, not guarantees
Security review is advisory. Final security responsibility lies with developer.

<output_contract> output_type: "Type 1 (Monolithic Stage)" target_context_variable: "target_skill" destination_rules: - file_id: "security_review_report" path_template: ".skill-context/{target_skill}/security-review-report.md" format: "markdown" </output_contract>

이 저장소의 다른 Skills

같은 저장소

ba-analyst

vuthuonghai-steve/WASHVN

BA Analyst.

2026-06-071

ba-elicitor

vuthuonghai-steve/WASHVN

Micro-skill khơi gợi, chuẩn hóa yêu cầu nghiệp vụ thô và lượng hóa NFR.

2026-06-071

ba-synthesizer

vuthuonghai-steve/WASHVN

Hợp nhất và kiểm định chéo báo cáo BA.

2026-06-071

production-code-reviewer

vuthuonghai-steve/WASHVN

Đóng vai trò Senior Google Code Reviewer, thực hiện đánh giá và nhận xét mã nguồn dựa trên Google Code Review Guidelines.

2026-06-071

production-quality-gatekeeper

vuthuonghai-steve/WASHVN

Tự động thiết lập và thực thi vòng lặp tự phản biện và hoàn thiện (self-refining loop) cho AI Agent đạt chuẩn Production-grade.

2026-06-071

skill-architect

vuthuonghai-steve/WASHVN

Senior Architect thiết kế kiến trúc Agent Skill mới dựa trên 3 Pillars & 7 Zones.

2026-06-071

=== BOOT CONFIGURATION (L0 — Anchor Rules) ===

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check: - "Auth checks present on all protected endpoints" - "Role/permission validation exists" - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check: - "No hardcoded secrets (API keys, passwords, tokens)" - "Environment variables for sensitive data" - "No credentials in logs or error messages"

SEC-03: Injection

check: - "No string concatenation in shell commands" - "Parameterized queries used" - "Input validation on all user inputs"

SEC-04: Insecure Design

check: - "Skill không tạo security holes trong output" - "Sandbox execution specified cho scripts" - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check: - "Docker sandboxing specified cho executable scripts" - "No default credentials generated" - "Error messages không leak sensitive info"

Invocation Triggers

triggers: auto: - skill has authentication feature - skill handles payment/data - skill accepts file uploads manual: - user explicitly requests security review

Limitations

This is a guidance/checklist skill, not a penetration testing tool

For production security, always conduct manual review

Security findings are recommendations, not guarantees

Security review is advisory. Final security responsibility lies with developer.