security

Security

Read AGENTS.md first. This skill adds security-specific guidance.

Default Stance

  • prioritize realistic attacker goals and concrete impact
  • ground claims in actual code, entrypoints, data flows, and deployment shape
  • prefer secure defaults that do not silently break intended behavior

Threat-Model Workflow

  1. Identify components, entrypoints, trust boundaries, assets, and attacker goals.
  2. Separate runtime behavior from build/test/dev tooling.
  3. Enumerate a small set of high-quality abuse paths.
  4. Rank findings by likelihood and impact with explicit assumptions.
  5. Recommend mitigations tied to concrete boundaries or components.

Secure-Review Workflow

When reviewing code for security:
  • look for auth/authz gaps, unsafe parsing, command execution, path traversal, injection, secrets exposure, weak validation, and denial-of-service risks
  • note where types/contracts could make misuse harder
  • distinguish critical findings from hygiene improvements

Reporting Rules

  • findings first, ordered by severity
  • include concrete file references and impacted asset/boundary
  • make assumptions explicit
  • avoid generic checklist noise when the repo evidence does not support it