一键导入
security-review
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Rewrite engineer-to-engineer content for leadership audiences — VPs, directors, PMs, release managers. Shapes for the channel: JIRA comment, Slack post, standup note, email, or meeting talking-points. Use after post-mortem or any technical update that needs to flow up the org.
Write the canonical engineering record of a fixed bug — root cause, mechanism, fix, validation, and how it slipped through. Use after a debug session lands a validated fix, before closing the bug.
Outsider-perspective deep review of a plan, PR, design doc, or code change — questions intent first (should this exist?), then traces the actual code path end-to-end to verify the change does what it claims. Use for serious PR reviews, design audits, or second opinions. Lighter pre-commit checks use `review` instead.
Review feature spec files with 3 focused agents — spec quality (business+correctness+ambiguity), completeness (missing scenarios+safety+testability), and buildability (compatibility+blockers+traceability). Sequential by default.
Systematic debugging framework — opens every session by reciting the 4-mantra block (reproduce, trace the fail path, falsify the hypothesis, cross-reference breadcrumbs), then applies multi-layer investigation. Use when diagnosing bugs, flaky tests, unknown failures, or cross-component issues.
Use when starting any conversation - establishes how to find and use skills, requiring Skill tool invocation before ANY response including clarifying questions
| name | security-review |
| description | OWASP Top 10 vulnerability detection. Use PROACTIVELY for code handling user input, auth, APIs, payments, or sensitive data. |
| allowed-tools | Read, Grep, Bash |
BAD:
API_KEY = "sk-abc123def456"
db_url = "postgres://admin:password@prod-db:5432/app"
GOOD:
API_KEY = env("API_KEY")
db_url = env("DATABASE_URL")
Verify:
.env files listed in .gitignoreBAD:
def get_user(request):
id = request.query("id") # No validation
db.query("SELECT * FROM users WHERE id = " + id) # SQL injection!
GOOD:
def get_user(request):
id = parse_int(request.query("id"))
if id is None or id <= 0:
return error_response(400, "Invalid ID")
db.query("SELECT * FROM users WHERE id = $1", [id]) # Parameterized
Verify:
Verify:
Verify:
BAD:
# Rendering raw user HTML without sanitization
render_html(user_comment)
GOOD:
# Sanitize before rendering, or render as plain text
render_html(sanitize(user_comment))
# Or better: render as plain text (no HTML interpretation)
render_text(user_comment)
Verify:
Verify:
SameSite cookie attribute set to Strict or LaxOrigin header validated on API endpointsVerify:
Verify:
Verify:
TODO: fix security or HACK comments left*)## Security Review: [Component/Feature]
### Critical — Fix Immediately
[Vulnerabilities that could lead to data breach or system compromise]
- **Location:** `file:line`
- **Issue:** [Description]
- **Risk:** [Impact if exploited]
- **Fix:** [Specific remediation]
### High — Fix Before Deploy
[Issues that weaken security posture]
### Medium — Fix Soon
[Best practice violations]
### Recommendations
[Hardening suggestions]
**Overall Risk Level:** [Critical / High / Medium / Low]