security-auditor

Security Auditor Skill

Automatic security vulnerability detection.

When I Activate

  • ✅ Code files modified (especially auth, API, database)
  • ✅ User mentions security or vulnerabilities
  • ✅ Before deployments or commits
  • ✅ Dependency changes
  • ✅ Configuration file changes

What I Scan For

OWASP Top 10 Patterns

**1. SQL Injection**
```javascript
// CRITICAL: SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// SECURE: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
```

**2. XSS (Cross-Site Scripting)**
```javascript
// CRITICAL: XSS vulnerability
element.innerHTML = userInput;

// SECURE: Use textContent or sanitize
element.textContent = userInput;
// or
element.innerHTML = DOMPurify.sanitize(userInput);
```

**3. Authentication Issues**
```javascript
// CRITICAL: Weak JWT secret
const token = jwt.sign(payload, 'secret123');

// SECURE: Strong secret from environment
const token = jwt.sign(payload, process.env.JWT_SECRET);
```

**4. Sensitive Data Exposure**
```python
import os

# CRITICAL: Exposed password
password = "admin123"

# SECURE: Environment variable
password = os.getenv("DB_PASSWORD")
```

**5. Broken Access Control**
```javascript
// CRITICAL: No authorization check
app.delete('/api/users/:id', (req, res) => {
  User.delete(req.params.id);
});

// SECURE: Authorization check
app.delete('/api/users/:id', auth, checkOwnership, (req, res) => {
  User.delete(req.params.id);
});
```

Additional Security Checks

  • Insecure Deserialization
  • Security Misconfiguration
  • Insufficient Logging
  • CSRF Protection Missing
  • CORS Misconfiguration

Alert Format

🚨 CRITICAL: [Vulnerability type]
📍 Location: file.js:42
🔧 Fix: [Specific remediation]
📖 Reference: [OWASP/CWE link]

Severity Levels

  • 🚨 CRITICAL: Must fix immediately (exploitable vulnerabilities)
  • ⚠️ HIGH: Should fix soon (security weaknesses)
  • 📋 MEDIUM: Consider fixing (potential issues)
  • 💡 LOW: Best practice improvements
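
How line-based pattern rules can emit alerts in the format and severity scheme above, as an added example that is not the skill's own detection logic. The `RULES` regexes and the `scan` and `formatAlert` helpers are assumptions, and the sample source is constructed.

```javascript
// Added example: hypothetical rules, not the skill's actual detection logic.
const RULES = [
  { severity: 'CRITICAL', type: 'SQL injection',
    // SQL keyword in a template literal that also interpolates a value
    re: /`\s*(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i,
    fix: 'Use parameterized queries',
    ref: 'https://owasp.org/www-community/attacks/SQL_Injection' },
  { severity: 'CRITICAL', type: 'XSS vulnerability',
    // innerHTML assignment whose value is not DOMPurify.sanitize(...)
    re: /\.innerHTML\s*=(?!=)(?!\s*DOMPurify\.sanitize\()/,
    fix: 'Use textContent or sanitize',
    ref: 'https://cwe.mitre.org/data/definitions/79.html' },
  { severity: 'CRITICAL', type: 'Weak JWT secret',
    // jwt.sign() whose second argument is a string literal
    re: /jwt\.sign\([^,]+,\s*['"`]/,
    fix: 'Strong secret from environment',
    ref: 'https://cwe.mitre.org/data/definitions/798.html' },
];
const ICON = { CRITICAL: '🚨', HIGH: '⚠️', MEDIUM: '📋', LOW: '💡' };

// Return one finding per (line, rule) match; full-line comments are skipped.
function scan(source, file) {
  return source.split('\n').flatMap((text, i) =>
    /^\s*\/\//.test(text) ? [] :
      RULES.filter((r) => r.re.test(text)).map((r) => ({ ...r, file, line: i + 1 })));
}

// Render a finding in the four-line alert format.
function formatAlert(f) {
  return [
    `${ICON[f.severity]} ${f.severity}: ${f.type}`,
    `📍 Location: ${f.file}:${f.line}`,
    `🔧 Fix: ${f.fix}`,
    `📖 Reference: ${f.ref}`,
  ].join('\n');
}

// Constructed sample input: lines 2 and 3 are vulnerable, 4 and 5 are not.
const SAMPLE = [
  "app.get('/users', (req, res) => {",
  "  const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;",
  "  banner.innerHTML = req.query.name;",
  "  footer.innerHTML = DOMPurify.sanitize(req.query.note);",
  "  const token = jwt.sign(payload, process.env.JWT_SECRET);",
  "});",
].join('\n');
console.log(scan(SAMPLE, 'routes/users.js').map(formatAlert).join('\n\n'));
```

Rules of this kind only see one line at a time, so a query assembled across several statements or an aliased `innerHTML` write goes unflagged.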

Real-World Examples

SQL Injection Detection

```javascript
// You write:
app.get('/users', (req, res) => {
  const sql = `SELECT * FROM users WHERE name = '${req.query.name}'`;
  db.query(sql, (err, results) => res.json(results));
});

// I alert:
🚨 CRITICAL: SQL injection vulnerability (line 2)
📍 File: routes/users.js, Line 2
🔧 Fix: Use parameterized queries
  const sql = 'SELECT * FROM users WHERE name = ?';
  db.query(sql, [req.query.name], ...);
📖 https://owasp.org/www-community/attacks/SQL_Injection
```

Password Storage

```python
# You write:
def create_user(username, password):
    user = User(username=username, password=password)
    user.save()

# I alert:
🚨 CRITICAL: Storing plain text password (line 2)
📍 File: models.py, Line 2
🔧 Fix: Hash passwords before storing
  from bcrypt import hashpw, gensalt
  hashed = hashpw(password.encode(), gensalt())
  user = User(username=username, password=hashed)
📖 Use bcrypt, scrypt, or argon2 for password hashing
```

API Key Exposure

```javascript
// You write:
const stripe = require('stripe')('sk_live_abc123...');

// I alert:
🚨 CRITICAL: Hardcoded API key detected (line 1)
📍 File: payment.js, Line 1
🔧 Fix: Use environment variables
  const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
📖 Never commit API keys to version control
```

Dependency Scanning

I can run security audits on dependencies:
```bash
# Node.js
npm audit

# Python
pip-audit

# Results flagged with severity
```

Relationship with @code-reviewer Sub-Agent

Me (Skill): Quick vulnerability pattern detection
@code-reviewer (Sub-Agent): Deep security audit with threat modeling

Workflow

  1. I detect vulnerability pattern
  2. I flag: "🚨 SQL injection detected"
  3. You want full analysis → Invoke @code-reviewer sub-agent
  4. Sub-agent provides comprehensive security audit

Common Vulnerability Patterns

Authentication

  • Weak password policies
  • Missing MFA
  • Session fixation
  • Insecure password storage

Authorization

  • Missing access control
  • Privilege escalation
  • IDOR (Insecure Direct Object Reference)
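
The Broken Access Control example relies on a `checkOwnership` middleware that the page does not define. One way to write it so the IDOR case is rejected, as an added example (not the skill's code) that assumes `auth` has populated `req.user` with `id` and `role` and that an `admin` role may act on any record:

```javascript
// Added example. Assumptions: `auth` ran first and set req.user = { id, role };
// users may act only on their own record unless their role is 'admin'.
function checkOwnership(req, res, next) {
  const user = req.user;
  if (!user || user.id == null) {
    return res.status(401).json({ error: 'authentication required' });
  }
  // Route params are always strings while stored ids may be numbers,
  // so compare both sides as strings.
  const isOwner = String(user.id) === String(req.params.id);
  if (!isOwner && user.role !== 'admin') {
    // Same response whether or not the target exists, so ids cannot be probed.
    return res.status(403).json({ error: 'forbidden' });
  }
  return next();
}

// Stand-in for Express's res object so the middleware can be exercised offline.
function run(middleware, req) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  middleware(req, res, () => { out.nextCalled = true; });
  return out;
}

// Constructed requests against DELETE /api/users/7
const CASES = {
  anonymous: run(checkOwnership, { params: { id: '7' } }),
  owner: run(checkOwnership, { user: { id: 7, role: 'user' }, params: { id: '7' } }),
  otherUser: run(checkOwnership, { user: { id: 8, role: 'user' }, params: { id: '7' } }),
  admin: run(checkOwnership, { user: { id: 1, role: 'admin' }, params: { id: '7' } }),
};
console.log(CASES);
```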

Data Protection

  • Unencrypted sensitive data
  • Weak encryption algorithms
  • Missing HTTPS
  • Insecure cookies

Input Validation

  • SQL injection
  • Command injection
  • XSS
  • Path traversal

Sandboxing Compatibility

Works without sandboxing: ✅ Yes
Works with sandboxing: ✅ Yes

Optional: For dependency scanning
```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "api.github.com"
    ]
  }
}
```

Integration with Tools

With secret-scanner Skill

security-auditor: Checks code patterns
secret-scanner: Checks for exposed secrets
Together: Comprehensive security coverage

With /review Command

```bash
/review --scope staged --checks security

# Workflow:
# 1. My automatic security findings
# 2. @code-reviewer sub-agent deep audit
# 3. Comprehensive security report
```

Customization

Add company-specific security patterns:
```bash
cp -r ~/.claude/skills/security/security-auditor \
      ~/.claude/skills/security/company-security-auditor

# Edit SKILL.md to add:
# - Internal API patterns
# - Company security policies
# - Custom vulnerability checks
```

Learn More
