一键导入
security-review-checklist
Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when decomposing an implementation plan into executable tasks with dependencies and sizing.
Use before marking any task complete. Runs the project's validation suite (lint, typecheck, tests) and confirms the implementation is in a working state. Use this whenever you have finished implementing a task and need to verify it before calling task_complete.
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, artifacts, posters, or applications (examples include websites, landing pages, dashboards, React components, HTML/CSS layouts, or when styling/beautifying any web UI). Generates creative, polished code and UI design that avoids generic AI aesthetics.
Use when reviewing architecture decisions, implementation plans, or PRs against layering, boundaries, and system design expectations.
Use when implementing code changes to ensure quality, consistency, and maintainability.
Use when bootstrapping a repository for Spec-Driven Development. Scan the codebase, ask 2 targeted questions, then write specs/constitution.md and the first epic's product-requirements.md.
| name | security-review-checklist |
| description | Use when performing security review, threat modeling, or OWASP-aligned analysis on code changes. |
Provides a systematic security review framework covering threat modeling, OWASP-aligned analysis, and vulnerability assessment for code changes.
Use this skill during security review to ensure systematic coverage of security concerns.
For each change, identify:
| Category | Check | Applies? |
|---|---|---|
| A01: Broken Access Control | Are authorization checks present and correct? | |
| A02: Cryptographic Failures | Is sensitive data encrypted properly? | |
| A03: Injection | Are queries parameterized? Is user input sanitized? | |
| A04: Insecure Design | Does the design have security controls built in? | |
| A05: Security Misconfiguration | Are defaults secure? Are unnecessary features disabled? | |
| A06: Vulnerable Components | Are dependencies up to date and free of known CVEs? | |
| A07: Authentication Failures | Are auth mechanisms robust (rate limiting, MFA)? | |
| A08: Data Integrity Failures | Is deserialization controlled? Are updates verified? | |
| A09: Logging Failures | Are security events logged without exposing secrets? | |
| A10: SSRF | Are outbound requests validated against allowlists? |
For each finding:
### [Severity]: [Title]
**OWASP**: [Category, e.g., A03: Injection]
**Location**: [file:line]
**Description**: [What the vulnerability is]
**Impact**: [What could happen if exploited]
**Fix**: [Suggested remediation approach]
Severity levels:
Follow the structured report format defined in the Security agent: