一键导入
security-review
Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Keep commits atomic — split a mixed change set into scoped, reviewable commits.
The one-time procedure to take an exported project to live — understand it, confirm the name/goal/stack with the user, run the deterministic `aspis bootstrap`, enrich the judgment files (AGENTS.md, ARCHITECTURE, context), verify, and let the package self-clean. Followed by the bootstrap agent.
Keep per-subsystem architectural intent current through the planning loop — read before designing, record an impact report on change, confirm with the user, apply a dated update, and verify the build against approved intent.
Audit a plan's task dependency graph for structural integrity — circular dependencies, missing prerequisites, orphan tasks, and dependency classification (hard/soft/warning). Produces a pass/warn/fail audit report per dependency so planners catch graph errors before build starts.
Every editing agent should start on a clean working tree so parallel work never collides.
Verify hooks ran, no secrets, protected paths untouched, and commit message valid before committing. Owned by the reviewer.
| name | security-review |
| description | Apply OWASP top 10 and core security checks (injection, authz, secrets, exposure) to a change before issuing a review verdict. |
Evaluate a code change for security vulnerabilities before the reviewer issues a verdict. Covers the OWASP top 10 categories plus ASPIS-specific concerns (secret leakage, permission escalation, protected-path access). Security findings are always at least HIGH severity; a CRITICAL security finding is an automatic REJECTED verdict.
production — the Security dimension is Full.git diff + manual review (no secret-scanning tool assumed)..opencode/, .claude/,
rules/**, **/permissions*.yaml, or .aspis/current/active_feature.json?
If yes and no R-008 approval exists → CRITICAL finding.file:line — what's wrong — why — severity — fix — evidence.