security-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Review

安全审查

An AI-powered security scanner that reasons about your codebase the way a human security researcher would — tracing data flows, understanding component interactions, and catching vulnerabilities that pattern-matching tools miss.

一款AI驱动的安全扫描器，可像人类安全研究员一样分析你的代码库——追踪数据流、理解组件交互，捕获模式匹配工具遗漏的漏洞。

When to Use This Skill

何时使用本工具

Use this skill when the request involves:

Scanning a codebase or file for security vulnerabilities
Running a security review or vulnerability check
Checking for SQL injection, XSS, command injection, or other injection flaws
Finding exposed API keys, hardcoded secrets, or credentials in code
Auditing dependencies for known CVEs
Reviewing authentication, authorization, or access control logic
Detecting insecure cryptography or weak randomness
Performing a data flow analysis to trace user input to dangerous sinks
Any request phrasing like "is my code secure?", "scan this file", or "check my repo for vulnerabilities"
Running
```
/security-review
```
or
```
/security-review <path>
```

当请求涉及以下场景时使用本工具：

扫描代码库或文件的安全漏洞
执行安全审查或漏洞检查
检测SQL injection、XSS、命令注入或其他注入缺陷
查找代码中暴露的API密钥、硬编码密钥或凭证
审计依赖是否存在已知CVE
审查身份认证、授权或访问控制逻辑
检测不安全加密或弱随机性
执行数据流分析，追踪用户输入到危险接收点的链路
任何类似“我的代码安全吗？”“扫描这个文件”或“检查我的仓库是否有漏洞”的表述
执行
```
/security-review
```
或
```
/security-review <path>
```
命令

How This Skill Works

本工具的工作原理

Unlike traditional static analysis tools that match patterns, this skill:

Reads code like a security researcher — understanding context, intent, and data flow
Traces across files — following how user input moves through your application
Self-verifies findings — re-examines each result to filter false positives
Assigns severity ratings — CRITICAL / HIGH / MEDIUM / LOW / INFO
Proposes targeted patches — every finding includes a concrete fix
Requires human approval — nothing is auto-applied; you always review first

和传统基于模式匹配的静态分析工具不同，本工具：

像安全研究员一样解读代码——理解上下文、代码意图和数据流
跨文件追踪链路——跟踪用户输入在整个应用中的流转路径
自检校验结果——二次核查每个结果以过滤误报
划分严重等级——CRITICAL / HIGH / MEDIUM / LOW / INFO
提供针对性修复方案——每个问题都包含具体的修复代码
需人工确认生效——不会自动应用任何修改，所有变更都需你先行审核

Execution Workflow

执行流程

Follow these steps in order every time:

每次使用都严格按照以下顺序执行：

Step 1 — Scope Resolution

步骤1 — 确定扫描范围

Determine what to scan:

If a path was provided (
```
/security-review src/auth/
```
), scan only that scope
If no path given, scan the entire project starting from the root
Identify the language(s) and framework(s) in use (check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile, composer.json, etc.)
Read
```
references/language-patterns.md
```
to load language-specific vulnerability patterns

明确需要扫描的内容：

如果提供了路径（
```
/security-review src/auth/
```
），仅扫描该范围
如果未提供路径，从根目录开始扫描整个项目
识别使用的语言和框架（检查package.json、requirements.txt、go.mod、Cargo.toml、pom.xml、Gemfile、composer.json等）
读取
```
references/language-patterns.md
```
加载对应语言的漏洞特征

Step 2 — Dependency Audit

步骤2 — 依赖审计

Before scanning source code, audit dependencies first (fast wins):

Node.js: Check
```
package.json
```
+
```
package-lock.json
```
for known vulnerable packages
Python: Check
```
requirements.txt
```
/
```
pyproject.toml
```
/
```
Pipfile
```
Java: Check
```
pom.xml
```
/
```
build.gradle
```
Ruby: Check
```
Gemfile.lock
```
Rust: Check
```
Cargo.toml
```
Go: Check
```
go.sum
```
Flag packages with known CVEs, deprecated crypto libs, or suspiciously old pinned versions
Read
```
references/vulnerable-packages.md
```
for a curated watchlist

扫描源代码前先审计依赖（快速发现已知问题）：

Node.js：检查
```
package.json
```
+
```
package-lock.json
```
中是否存在已知漏洞包
Python：检查
```
requirements.txt
```
/
```
pyproject.toml
```
/
```
Pipfile
```
Java：检查
```
pom.xml
```
/
```
build.gradle
```
Ruby：检查
```
Gemfile.lock
```
Rust：检查
```
Cargo.toml
```
Go：检查
```
go.sum
```
标记存在已知CVE、使用已弃用加密库、或版本过旧的依赖包
读取
```
references/vulnerable-packages.md
```
获取精选的风险依赖监控列表

Step 3 — Secrets & Exposure Scan

步骤3 — 密钥与暴露风险扫描

Scan ALL files (including config, env, CI/CD, Dockerfiles, IaC) for:

Hardcoded API keys, tokens, passwords, private keys
```
.env
```
files accidentally committed
Secrets in comments or debug logs
Cloud credentials (AWS, GCP, Azure, Stripe, Twilio, etc.)
Database connection strings with credentials embedded
Read
```
references/secret-patterns.md
```
for regex patterns and entropy heuristics to apply

扫描所有文件（包括配置、环境变量、CI/CD、Dockerfile、IaC），查找：

硬编码的API密钥、令牌、密码、私钥
误提交的
```
.env
```
文件
注释或调试日志中的密钥
云服务凭证（AWS、GCP、Azure、Stripe、Twilio等）
内嵌凭证的数据库连接字符串
读取
```
references/secret-patterns.md
```
获取正则匹配规则和熵值检测逻辑

Step 4 — Vulnerability Deep Scan

步骤4 — 深度漏洞扫描

This is the core scan. Reason about the code — don't just pattern-match. Read

references/vuln-categories.md

for full details on each category.

Injection Flaws

SQL Injection: raw queries with string interpolation, ORM misuse, second-order SQLi
XSS: unescaped output, dangerouslySetInnerHTML, innerHTML, template injection
Command Injection: exec/spawn/system with user input
LDAP, XPath, Header, Log injection

Authentication & Access Control

Missing authentication on sensitive endpoints
Broken object-level authorization (BOLA/IDOR)
JWT weaknesses (alg:none, weak secrets, no expiry validation)
Session fixation, missing CSRF protection
Privilege escalation paths
Mass assignment / parameter pollution

Data Handling

Sensitive data in logs, error messages, or API responses
Missing encryption at rest or in transit
Insecure deserialization
Path traversal / directory traversal
XXE (XML External Entity) processing
SSRF (Server-Side Request Forgery)

Cryptography

Use of MD5, SHA1, DES for security purposes
Hardcoded IVs or salts
Weak random number generation (Math.random() for tokens)
Missing TLS certificate validation

Business Logic

Race conditions (TOCTOU)
Integer overflow in financial calculations
Missing rate limiting on sensitive endpoints
Predictable resource identifiers

这是核心扫描环节，要分析代码逻辑而非仅做模式匹配。可读取

references/vuln-categories.md

获取每个漏洞分类的完整说明。

注入缺陷

SQL Injection：字符串拼接的原生查询、ORM误用、二阶SQLi
XSS：未转义输出、dangerouslySetInnerHTML、innerHTML、模板注入
命令注入：携带用户输入的exec/spawn/system调用
LDAP、XPath、Header、日志注入

身份认证与访问控制

敏感接口缺失身份认证
对象级授权失效（BOLA/IDOR）
JWT缺陷（alg:none、弱密钥、未校验过期时间）
会话固定、缺失CSRF防护
权限提升路径
批量赋值/参数污染

数据处理

日志、错误信息或API响应中包含敏感数据
静态存储或传输过程未加密
不安全反序列化
路径遍历/目录遍历
XXE（XML External Entity）处理
SSRF（Server-Side Request Forgery）

加密相关

安全场景下使用MD5、SHA1、DES
硬编码的IV或盐值
弱随机数生成（使用Math.random()生成令牌）
缺失TLS证书校验

业务逻辑

竞争条件（TOCTOU）
金融计算中的整数溢出
敏感接口缺失限流
可预测的资源ID

Step 5 — Cross-File Data Flow Analysis

步骤5 — 跨文件数据流分析

After the per-file scan, perform a holistic review:

Trace user-controlled input from entry points (HTTP params, headers, body, file uploads) all the way to sinks (DB queries, exec calls, HTML output, file writes)
Identify vulnerabilities that only appear when looking at multiple files together
Check for insecure trust boundaries between services or modules

单文件扫描完成后，执行全局审查：

追踪用户可控输入从入口点（HTTP参数、请求头、请求体、文件上传）到接收点（数据库查询、exec调用、HTML输出、文件写入）的完整链路
识别仅跨文件分析才能发现的漏洞
检查服务或模块之间的不安全信任边界

Step 6 — Self-Verification Pass

步骤6 — 自检校验环节

For EACH finding:

Re-read the relevant code with fresh eyes
Ask: "Is this actually exploitable, or is there sanitization I missed?"
Check if a framework or middleware already handles this upstream
Downgrade or discard findings that aren't genuine vulnerabilities
Assign final severity: CRITICAL / HIGH / MEDIUM / LOW / INFO

对每个发现的问题：

重新审阅相关代码
自问：“这个漏洞真的可利用吗？还是我漏掉了 sanitization 逻辑？”
检查上游是否有框架或中间件已经处理了该风险
降级或排除非真实漏洞的结果
分配最终严重等级：CRITICAL / HIGH / MEDIUM / LOW / INFO

Step 7 — Generate Security Report

步骤7 — 生成安全报告

Output the full report in the format defined in

references/report-format.md

按照

references/report-format.md

定义的格式输出完整报告。

Step 8 — Propose Patches

步骤8 — 提供修复方案

For every CRITICAL and HIGH finding, generate a concrete patch:

Show the vulnerable code (before)
Show the fixed code (after)
Explain what changed and why
Preserve the original code style, variable names, and structure
Add a comment explaining the fix inline

Explicitly state: "Review each patch before applying. Nothing has been changed yet."

为每个CRITICAL和HIGH等级的问题生成具体的修复补丁：

展示漏洞代码（修复前）
展示修复后的代码
说明修改内容和原因
保留原有代码风格、变量名和结构
在内联注释中说明修复逻辑

需明确声明：“应用补丁前请逐一审核，目前尚未修改任何代码。”

Severity Guide

严重等级指南

Severity	Meaning	Example
🔴 CRITICAL	Immediate exploitation risk, data breach likely	SQLi, RCE, auth bypass
🟠 HIGH	Serious vulnerability, exploit path exists	XSS, IDOR, hardcoded secrets
🟡 MEDIUM	Exploitable with conditions or chaining	CSRF, open redirect, weak crypto
🔵 LOW	Best practice violation, low direct risk	Verbose errors, missing headers
⚪ INFO	Observation worth noting, not a vulnerability	Outdated dependency (no CVE)

严重等级	含义	示例
🔴 CRITICAL	存在即时被利用的风险，大概率引发数据泄露	SQLi、RCE、认证绕过
🟠 HIGH	严重漏洞，存在明确的利用路径	XSS、IDOR、硬编码密钥
🟡 MEDIUM	满足特定条件或组合利用时可被攻击	CSRF、开放重定向、弱加密
🔵 LOW	不符合最佳实践，直接风险低	冗余错误信息、缺失安全头
⚪ INFO	值得注意的观察项，不属于漏洞	无CVE的过时依赖

Output Rules

输出规则

Always produce a findings summary table first (counts by severity)
Never auto-apply any patch — present patches for human review only
Always include a confidence rating per finding (High / Medium / Low)
Group findings by category, not by file
Be specific — include file path, line number, and the exact vulnerable code snippet
Explain the risk in plain English — what could an attacker do with this?
If the codebase is clean, say so clearly: "No vulnerabilities found" with what was scanned

始终优先输出问题汇总表（按严重等级统计数量）
绝不自动应用任何补丁——仅提供补丁供人工审核
始终为每个问题标注置信度（高/中/低）
按分类而非文件分组展示问题
表述具体——包含文件路径、行号和准确的漏洞代码片段
用通俗语言解释风险——攻击者利用该漏洞可以做什么？
如果代码库无安全问题，明确说明：“未发现漏洞”，并标注扫描范围

Reference Files

参考文件

For detailed detection guidance, load the following reference files as needed:

```
references/vuln-categories.md
```
— Deep reference for every vulnerability category with detection signals, safe patterns, and escalation checkers
- Search patterns:
```
SQL injection
```
  ,
```
XSS
```
  ,
```
command injection
```
  ,
```
SSRF
```
  ,
```
BOLA
```
  ,
```
IDOR
```
  ,
```
JWT
```
  ,
```
CSRF
```
  ,
```
secrets
```
  ,
```
cryptography
```
  ,
```
race condition
```
  ,
```
path traversal
```

references/secret-patterns.md

— Regex patterns, entropy-based detection, and CI/CD secret risks

Search patterns:

API key

token

private key

connection string

entropy

.env

GitHub Actions

Docker

Terraform

```
references/language-patterns.md
```
— Framework-specific vulnerability patterns for JavaScript, Python, Java, PHP, Go, Ruby, and Rust
- Search patterns:
```
Express
```
  ,
```
React
```
  ,
```
Next.js
```
  ,
```
Django
```
  ,
```
Flask
```
  ,
```
FastAPI
```
  ,
```
Spring Boot
```
  ,
```
PHP
```
  ,
```
Go
```
  ,
```
Rails
```
  ,
```
Rust
```
```
references/vulnerable-packages.md
```
— Curated CVE watchlist for npm, pip, Maven, Rubygems, Cargo, and Go modules
- Search patterns:
```
lodash
```
  ,
```
axios
```
  ,
```
jsonwebtoken
```
  ,
```
Pillow
```
  ,
```
log4j
```
  ,
```
nokogiri
```
  ,
```
CVE
```
```
references/report-format.md
```
— Structured output template for security reports with finding cards, dependency audit, secrets scan, and patch proposal formatting
- Search patterns:
```
report
```
  ,
```
format
```
  ,
```
template
```
  ,
```
finding
```
  ,
```
patch
```
  ,
```
summary
```
  ,
```
confidence
```

如需详细的检测指南，可按需加载以下参考文件：

```
references/vuln-categories.md
```
——所有漏洞分类的深度参考，包含检测特征、安全模式和升级校验规则
- 搜索关键词：
```
SQL injection
```
  、
```
XSS
```
  、
```
command injection
```
  、
```
SSRF
```
  、
```
BOLA
```
  、
```
IDOR
```
  、
```
JWT
```
  、
```
CSRF
```
  、
```
secrets
```
  、
```
cryptography
```
  、
```
race condition
```
  、
```
path traversal
```
```
references/secret-patterns.md
```
——正则匹配规则、基于熵值的检测逻辑、CI/CD密钥风险
- 搜索关键词：
```
API key
```
  、
```
token
```
  、
```
private key
```
  、
```
connection string
```
  、
```
entropy
```
  、
```
.env
```
  、
```
GitHub Actions
```
  、
```
Docker
```
  、
```
Terraform
```
```
references/language-patterns.md
```
——JavaScript、Python、Java、PHP、Go、Ruby、Rust对应框架的漏洞特征
- 搜索关键词：
```
Express
```
  、
```
React
```
  、
```
Next.js
```
  、
```
Django
```
  、
```
Flask
```
  、
```
FastAPI
```
  、
```
Spring Boot
```
  、
```
PHP
```
  、
```
Go
```
  、
```
Rails
```
  、
```
Rust
```
```
references/vulnerable-packages.md
```
——精选的CVE监控列表，覆盖npm、pip、Maven、Rubygems、Cargo、Go模块
- 搜索关键词：
```
lodash
```
  、
```
axios
```
  、
```
jsonwebtoken
```
  、
```
Pillow
```
  、
```
log4j
```
  、
```
nokogiri
```
  、
```
CVE
```
```
references/report-format.md
```
——安全报告的结构化输出模板，包含问题卡片、依赖审计、密钥扫描、修复方案格式规范
- 搜索关键词：
```
report
```
  、
```
format
```
  、
```
template
```
  、
```
finding
```
  、
```
patch
```
  、
```
summary
```
  、
```
confidence
```