一键导入
security-gate
Verifies security before merge/deploy including OWASP Top 10, input validation, and auth checks. WARNING gate triggered during /own:done flow.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Verifies security before merge/deploy including OWASP Top 10, input validation, and auth checks. WARNING gate triggered during /own:done flow.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Transforms completed work into powerful resume bullet points with action verbs, technical context, and quantified impact. Use when completing tasks, updating portfolio, or preparing job applications.
Transforms completed work into STAR interview stories (Situation, Task, Action, Result). Use when completing tasks, preparing for behavioral interviews, or documenting achievements.
Reviews accessibility including WCAG, ARIA, keyboard navigation. Use when junior builds forms, buttons, modals, interactive elements, or asks "is this accessible", "a11y", "screen reader".
Reviews API design, REST conventions, and backend architecture. Use when junior builds API endpoints, Express routes, middleware, controllers, or asks "is this RESTful", "check my endpoint".
Reviews schema design, SQL queries, ORM patterns. Use when junior creates schema, writes queries, adds migrations, works with Prisma/MongoDB/PostgreSQL, or asks "is this SQL safe", "N+1", "index".
Guides systematic debugging through Protocol D (READ, ISOLATE, DOCS, HYPOTHESIZE, VERIFY). Use when junior says "stuck", "not working", "broken", "bug", "error", "crashed", "failing", "can't figure out", or expresses frustration. Do NOT use for general questions.
| name | security-gate |
| description | Verifies security before merge/deploy including OWASP Top 10, input validation, and auth checks. WARNING gate triggered during /own:done flow. |
"Security isn't a feature you add later. It's a foundation you build on."
This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.
"Where does user input enter this feature?"
Looking for:
Follow-up if input exists:
"How is that input validated before it's used?"
"What data does this feature access? Who should be able to access it?"
Looking for:
Follow-up:
"How do you verify the requesting user is allowed to access this data?"
"Are there any secrets, tokens, or sensitive data involved? Where are they stored?"
Looking for:
Review the code for these common issues:
eval() or new Function() with user inputinnerHTML with unsanitized user input✅ SECURITY GATE: PASSED
Security considerations addressed:
- Input validation: ✓
- Authorization checks: ✓
- No exposed secrets: ✓
Moving to the next gate...
⚠️ SECURITY GATE: WARNING
I found [X] security considerations to address:
**Issue 1: [Title]**
Location: `file.ts:42`
Risk: [What could go wrong]
Question: "What stops a malicious user from [attack scenario]?"
**Issue 2: [Title]**
Location: `file.ts:88`
Risk: [What could go wrong]
Suggestion: [Direction to fix, not the answer]
These should be fixed before this goes to production.
Would you like to address them now?
🚨 SECURITY GATE: CRITICAL WARNING
This needs attention before proceeding:
**CRITICAL: [Issue]**
Location: `file.ts:42`
Risk: [Severity explanation - data breach, account takeover, etc.]
This is the kind of vulnerability that makes news headlines.
Let's fix this before anything else.
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
❌ element.innerHTML = userInput;
✅ element.textContent = userInput;
❌ // Anyone can access any user's data
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
✅ // Check ownership
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
if (user.id !== req.user.id) throw new ForbiddenError();
res.json(user);
});
❌ const apiKey = 'sk-live-abc123';
✅ const apiKey = process.env.API_KEY;
Instead of pointing out the fix, ask:
<script>alert('XSS')</script> as my name, what happens?"| Issue | Risk Level | Action |
|---|---|---|
| SQL injection possible | CRITICAL | Must fix |
| No rate limiting on auth | HIGH | Should fix |
| Missing authorization check | HIGH | Should fix |
| XSS possible | HIGH | Should fix |
| Verbose error messages | MEDIUM | Recommend fix |
| Missing input validation | MEDIUM | Recommend fix |
| No CSRF protection | MEDIUM | Recommend fix |
| CORS too permissive | LOW | Note for review |