一键导入
security-review
[pr-review-focus-area: Security] Web application security review for XSS, CSRF, SQL injection, auth bypass, data exposure, CORS, and rate limiting.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
[pr-review-focus-area: Security] Web application security review for XSS, CSRF, SQL injection, auth bypass, data exposure, CORS, and rate limiting.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | security-review |
| description | [pr-review-focus-area: Security] Web application security review for XSS, CSRF, SQL injection, auth bypass, data exposure, CORS, and rate limiting. |
| user-invocable | true |
| disable-model-invocation | true |
| allowed-tools | ["Read","Grep","Glob"] |
Review web application code for security vulnerabilities.
/security-review — reviews changed files for security issues.
innerHTML, dangerouslySetInnerHTML, v-html, {@html}, [innerHTML], outerHTML, document.write).type="password" and autocomplete="off".Access-Control-Allow-Origin: * on authenticated endpoints.npm audit / pip audit / equivalent if not part of CI.Dispatch to the principal-frontend subagent with the findings collected above. Ask it to apply its senior lens — XSS sinks, CSP posture, auth cookie flags, secret exposure in the client bundle — to the findings. Integrate its top findings into the Report Format below using the severity scale defined next; do not replace the skill's verdict contract.
Invocation:
Agent({
subagent_type: "principal-frontend",
description: "Security senior review",
prompt: "Review these security findings: <summary of XSS, CSRF, SQLi, authn/z, data-exposure, CORS, rate-limit, and dependency findings>. Apply senior scrutiny to XSS sinks reachable via user input, CSP posture, auth cookie flags (httpOnly/secure/sameSite), and any secret/PII exposure in the client bundle. Return top security risks in severity order."
})
List each finding with severity, file, line, and remediation suggestion. End with a summary count by severity.
Research a work item, draft an implementation plan, and begin work after approval.
Guided one-shot install — discover installed plugins (or help install new ones), pick install scope, calibrate risk tolerance into a concrete allowlist + hooks, scaffold or merge CLAUDE.md, and sanity-check the result.
Finalize work — commit via /commit, push, and create PRs on feature branches.
Reviewer-side PR workflow — checks out the branch in a worktree, runs focus-area reviews plus a senior-engineering pass, optionally cross-checks against an autonomous reviewer, and posts inline findings only on explicit approval. Read-only — never edits, commits, or pushes.
Fetch PR review comments, classify by severity and confidence, and fix the selected subset.
Triage CVE and SBOM scanner output (Trivy, Grype, Snyk, Docker Scout, Dependabot) into a ranked, deduplicated action list.