一键导入
security-review
Security checklist for credential handling, request signing, artifact redaction, and order-path guards before any broad change lands.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Security checklist for credential handling, request signing, artifact redaction, and order-path guards before any broad change lands.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | security-review |
| description | Security checklist for credential handling, request signing, artifact redaction, and order-path guards before any broad change lands. |
| origin | adapted from ZMB-UZH/omero-docker-extended security-review for a Binance testnet CLI |
Use this skill whenever you touch api.py, config.py, cli.py, live-order paths, persisted artifacts, or anything that reads env variables or prompts for secrets.
git diff).AGENTS.md — single-session rule, redaction contract, testnet-first defaults._redact_request_url, _redact_sensitive_text, RuntimeConfig.public_dict.signature, timestamp, recvWindow, or the raw API key into logs, error messages, last_request_info, or JSON artifacts. If you build a new URL by hand, redact it before storing.order_error), never allowed to bubble up as raw exceptions that might contain signed material in the traceback.reduceOnly=true and market type RESULT. A close path that could increase exposure is a bug.BINANCE_BASE_URL, BINANCE_SPOT_BASE_URL, BINANCE_FUTURES_BASE_URL) are trusted only within the session that reads them. Do not persist env-resolved hostnames back into config.~/.config/simple_ai_trading/runtime.json) are written with mode 0o600. A new writer must call chmod explicitly.BaseException. Narrow your except to the class you actually handle.last_request_info).Use the pinned external CocoIndex Code MCP workflow for broad repository routing, then prove exact candidates with rg and direct file reads.
Bound repository context reads and semantic-search output without weakening source, test, or evidence verification.
Choose staged contract tests that catch partial AI-generated fixes across models, data, risk, execution ownership, and CLI/Windows parity.
Keep concise user docs and machine-readable model evidence synchronized with real behavior without losing provenance or caveats.
Apply four anti-error coding principles plus this repository's stricter financial-evidence, safety, and single-session rules.
Research the existing implementation, tests, primary technical sources, and financial rationale before adding trading code or dependencies.