security-review

Security Review Skill

Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.

When to Use

This skill activates when:
  • User requests "security review", "security audit"
  • After writing code that handles user input
  • After adding new API endpoints
  • After modifying authentication/authorization logic
  • Before deploying to production
  • After adding external dependencies

What It Does

Delegates to the security-reviewer agent (Opus model) for deep security analysis:
  1. OWASP Top 10 Scan
    • A01: Broken Access Control
    • A02: Cryptographic Failures
    • A03: Injection (SQL, NoSQL, Command, XSS)
    • A04: Insecure Design
    • A05: Security Misconfiguration
    • A06: Vulnerable and Outdated Components
    • A07: Identification and Authentication Failures
    • A08: Software and Data Integrity Failures
    • A09: Security Logging and Monitoring Failures
    • A10: Server-Side Request Forgery (SSRF)
  2. Secrets Detection
    • Hardcoded API keys
    • Passwords in source code
    • Private keys in repo
    • Tokens and credentials
    • Connection strings with secrets
  3. Input Validation
    • All user inputs sanitized
    • SQL/NoSQL injection prevention
    • Command injection prevention
    • XSS prevention (output escaping)
    • Path traversal prevention
  4. Authentication/Authorization
    • Proper password hashing (bcrypt, argon2)
    • Session management security
    • Access control enforcement
    • JWT implementation security
  5. Dependency Security
    • Run npm audit for known vulnerabilities
    • Check for outdated dependencies
    • Identify high-severity CVEs
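
The secrets-detection step above can be approximated with a small pattern scanner. The following is an added illustration, not code from this skill or from the oh-my-claudecode project: the sample source lines, the pattern set and the scan_lines function are all constructed here, and the AWS key value is Amazon's documented example key ID, not a live credential.

```python
import re
from dataclasses import dataclass

# Constructed sample "source lines" used as scanner input; none of the values are real secrets.
SAMPLE_SOURCE = """\
const region = "us-east-1";
const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
const password = "hunter2";
DATABASE_URL = "postgres://app:s3cret@db.internal:5432/app"
-----BEGIN RSA PRIVATE KEY-----
api_key = os.environ["API_KEY"]
token = process.env.TOKEN
""".splitlines()


@dataclass(frozen=True)
class SecretFinding:
    line: int
    kind: str
    excerpt: str  # redacted: only the first few characters of the match


PATTERNS = [
    # AWS access key IDs have a fixed, well-known prefix and length.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM-encoded private key material committed to the repository.
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # Connection strings carrying an embedded password: scheme://user:password@host
    ("connection_string_with_password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@\"']+:[^\s/@\"']+@")),
    # A quoted literal assigned to a secret-looking variable name. Values pulled from the
    # environment (os.environ[...], process.env.X) deliberately do not match.
    ("hardcoded_credential",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"'][^\"']{4,}[\"']")),
]


def scan_lines(lines):
    """Return one SecretFinding per line that matches a pattern, most specific pattern first."""
    findings = []
    for lineno, text in enumerate(lines, start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(text)
            if match:
                # Keep the report itself from leaking the secret: store a truncated excerpt only.
                findings.append(SecretFinding(lineno, kind, match.group(0)[:4] + "..."))
                break  # one finding per line; the patterns overlap on purpose
    return findings


def has_secrets(lines):
    return bool(scan_lines(lines))


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.excerpt})")
```

The scanner reports only a truncated excerpt so that the review report can be shared without becoming a second copy of the leaked value; a real deployment would feed it every tracked file and the git history, since a secret removed in a later commit is still exposed.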

Agent Delegation

Task(
  subagent_type="oh-my-claudecode:security-reviewer",
  model="opus",
  prompt="SECURITY REVIEW TASK

Conduct comprehensive security audit of codebase.

Scope: [specific files or entire codebase]

Security Checklist:
1. OWASP Top 10 scan
2. Hardcoded secrets detection
3. Input validation review
4. Authentication/authorization review
5. Dependency vulnerability scan (npm audit)

Output: Security review report with:
- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- CVE references where applicable
- Remediation guidance for each issue
- Overall security posture assessment"
)

External Model Consultation (Preferred)

The security-reviewer agent SHOULD consult Codex for cross-validation.

Protocol

  1. Form your OWN security analysis FIRST - Complete the review independently
  2. Consult for validation - Cross-check findings with Codex
  3. Critically evaluate - Never blindly adopt external findings
  4. Graceful fallback - Never block if tools unavailable

When to Consult

  • Authentication/authorization code
  • Cryptographic implementations
  • Input validation for untrusted data
  • High-risk vulnerability patterns
  • Production deployment code

When to Skip

  • Low-risk utility code
  • Well-audited patterns
  • Time-critical security assessments
  • Code with existing security tests

Tool Usage

Use mcp__x__ask_codex with agent_role: "security-reviewer".
Note: Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.

Output Format

SECURITY REVIEW REPORT
======================

Scope: Entire codebase (42 files scanned)
Scan Date: 2026-01-24T14:30:00Z

CRITICAL (2)
------------
1. src/api/auth.ts:89 - Hardcoded API Key
   Finding: AWS API key hardcoded in source code
   Impact: Credential exposure if code is public or leaked
   Remediation: Move to environment variables, rotate key immediately
   Reference: OWASP A02:2021 – Cryptographic Failures

2. src/db/query.ts:45 - SQL Injection Vulnerability
   Finding: User input concatenated directly into SQL query
   Impact: Attacker can execute arbitrary SQL commands
   Remediation: Use parameterized queries or ORM
   Reference: OWASP A03:2021 – Injection

HIGH (5)
--------
3. src/auth/password.ts:22 - Weak Password Hashing
   Finding: Passwords hashed with MD5 (cryptographically broken)
   Impact: Passwords can be reversed via rainbow tables
   Remediation: Use bcrypt or argon2 with appropriate work factor
   Reference: OWASP A02:2021 – Cryptographic Failures

4. src/components/UserInput.tsx:67 - XSS Vulnerability
   Finding: User input rendered with dangerouslySetInnerHTML
   Impact: Cross-site scripting attack vector
   Remediation: Sanitize HTML or use safe rendering
   Reference: OWASP A03:2021 – Injection (XSS)

5. src/api/upload.ts:34 - Path Traversal Vulnerability
   Finding: User-controlled filename used without validation
   Impact: Attacker can read/write arbitrary files
   Remediation: Validate and sanitize filenames, use allowlist
   Reference: OWASP A01:2021 – Broken Access Control

...

MEDIUM (8)
----------
...

LOW (12)
--------
...

DEPENDENCY VULNERABILITIES
--------------------------
Found 3 vulnerabilities via npm audit:

CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
  Installed: axios@0.21.0
  Fix: npm install axios@0.21.2

HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
  Installed: lodash@4.17.19
  Fix: npm install lodash@4.17.21

...

OVERALL ASSESSMENT
------------------
Security Posture: POOR (2 CRITICAL, 5 HIGH issues)

Immediate Actions Required:
1. Rotate exposed AWS API key
2. Fix SQL injection in db/query.ts
3. Upgrade password hashing to bcrypt
4. Update vulnerable dependencies

Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.

Security Checklist

The security-reviewer agent verifies:

Authentication & Authorization

  • Passwords hashed with strong algorithm (bcrypt/argon2)
  • Session tokens cryptographically random
  • JWT tokens properly signed and validated
  • Access control enforced on all protected resources
  • No authentication bypass vulnerabilities

Input Validation

  • All user inputs validated and sanitized
  • SQL queries use parameterization (no string concatenation)
  • NoSQL queries prevent injection
  • File uploads validated (type, size, content)
  • URLs validated to prevent SSRF
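
Three of the checklist items above (parameterized SQL, validated upload filenames, SSRF-safe URLs) are shown below as a vulnerable pattern beside its hardened form. This is an added example, not code from this skill or the project it belongs to; the in-memory users table, the upload root /srv/uploads and the function names are constructed for the illustration.

```python
import re
import sqlite3
import ipaddress
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# ---- SQL: string concatenation (the A03 pattern flagged in reviews) vs bound parameters ----

def demo_db():
    # Constructed in-memory table so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return db


def find_user_vulnerable(db, name):
    # Untrusted input is spliced into the SQL text, so it can change the query's structure.
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = '" + name + "'")]


def find_user_safe(db, name):
    # The value travels as a bound parameter; the driver never parses it as SQL.
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


# ---- File uploads: a user-controlled filename must stay inside the upload root ----

UPLOAD_ROOT = PurePosixPath("/srv/uploads")                   # assumed upload directory
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")   # allowlist: no separators, no leading dot


def safe_upload_path(filename):
    base = PurePosixPath(filename).name
    # Reject rather than "clean": a name with directory components, a dot-name, or characters
    # outside the allowlist is a finding the caller should log, not something to repair.
    if base != filename or not SAFE_NAME.fullmatch(base):
        raise ValueError(f"rejected filename: {filename!r}")
    return UPLOAD_ROOT / base


def filename_is_safe(filename):
    try:
        safe_upload_path(filename)
        return True
    except ValueError:
        return False


# ---- Outbound URLs: scheme allowlist plus rejection of non-global addresses (SSRF) ----

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_outbound_url(url):
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # user:pass@host forms are a classic parser-confusion trick
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                       # a DNS name: resolve it and re-check the address before connecting
    return ip.is_global                   # rejects loopback, private, link-local and reserved ranges
```

For hostnames the check above is only the first half: the resolved address must be validated again at connect time (and on every redirect), otherwise a name that resolves to an internal address passes the string check and fails the intent.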

Output Encoding

  • HTML output escaped to prevent XSS
  • JSON responses properly encoded
  • No user data in error messages
  • Content-Security-Policy headers set

Secrets Management

  • No hardcoded API keys
  • No passwords in source code
  • No private keys in repo
  • Environment variables used for secrets
  • Secrets not logged or exposed in errors

Cryptography

  • Strong algorithms used (AES-256, RSA-2048+)
  • Proper key management
  • Random number generation cryptographically secure
  • TLS/HTTPS enforced for sensitive data

Dependencies

  • No known vulnerabilities in dependencies
  • Dependencies up to date
  • No CRITICAL or HIGH CVEs
  • Dependency sources verified
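
The dependency items above (and the npm audit step in "What It Does") are usually enforced as a CI gate that reads npm audit's JSON output and fails on CRITICAL/HIGH findings. The following is an added example, not part of this skill or its project: the sample document is constructed in the shape of an auditReportVersion 2 report (the shape itself, including the via, range and fixAvailable fields, is an assumption about npm's format), and the package names, ranges and advisory titles are placeholders.

```python
import json
import subprocess
from dataclasses import dataclass
from typing import Optional

# Map npm's severity labels onto the CRITICAL/HIGH/MEDIUM/LOW scale used in the review report.
SEVERITY_MAP = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM", "low": "LOW", "info": "LOW"}
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample shaped like `npm audit --json` (auditReportVersion 2). Package names,
# version ranges and advisory titles are illustrative placeholders, not a real audit result.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-http-lib": {
            "name": "example-http-lib", "severity": "critical", "isDirect": True, "range": "<1.2.0",
            "via": [{"title": "Server-Side Request Forgery", "url": "https://advisory.example/1",
                     "severity": "critical", "range": "<1.2.0"}],
            "fixAvailable": {"name": "example-http-lib", "version": "1.2.0", "isSemVerMajor": False},
        },
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True, "range": "<3.4.1",
            "via": [{"title": "Prototype Pollution", "url": "https://advisory.example/2",
                     "severity": "high", "range": "<3.4.1"}],
            "fixAvailable": {"name": "example-parser", "version": "3.4.1", "isSemVerMajor": True},
        },
        "example-utils": {
            "name": "example-utils", "severity": "moderate", "isDirect": False, "range": "<2.0.0",
            "via": ["example-parser"],   # a string entry means "vulnerable through this dependency"
            "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 1, "total": 3}},
})


@dataclass(frozen=True)
class DependencyFinding:
    package: str
    severity: str               # CRITICAL / HIGH / MEDIUM / LOW
    vulnerable_range: str
    direct: bool
    titles: tuple               # advisory titles; empty when only reachable transitively
    fix_command: Optional[str]
    needs_major_upgrade: bool   # fix crosses a semver major: needs a human, not `npm audit fix`


def run_npm_audit(project_dir="."):
    # `npm audit` exits non-zero whenever it finds anything, so check=True would hide the report;
    # the JSON on stdout is what we want either way.
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir, capture_output=True, text=True)
    return json.loads(proc.stdout)


def evaluate_audit(report, fail_on=("CRITICAL", "HIGH")):
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = SEVERITY_MAP.get(str(vuln.get("severity", "")).lower(), "LOW")
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):
            fix_command, major = f"npm install {fix['name']}@{fix['version']}", bool(fix.get("isSemVerMajor"))
        elif fix is True:
            fix_command, major = "npm audit fix", False
        else:
            fix_command, major = None, False
        findings.append(DependencyFinding(
            package=name, severity=severity, vulnerable_range=str(vuln.get("range", "")),
            direct=bool(vuln.get("isDirect")), titles=tuple(a.get("title", "") for a in advisories),
            fix_command=fix_command, needs_major_upgrade=major))
    findings.sort(key=lambda f: (RANK[f.severity], f.package))
    blocking = [f for f in findings if f.severity in fail_on]
    return {"passed": not blocking, "findings": findings, "blocking": blocking}


def gate_from_json(text, fail_on=("CRITICAL", "HIGH")):
    return evaluate_audit(json.loads(text), fail_on)


def format_report(result):
    lines = [f"Found {len(result['findings'])} vulnerabilities via npm audit:", ""]
    for f in result["findings"]:
        title = "; ".join(f.titles) or "reachable via vulnerable dependency"
        lines.append(f"{f.severity}: {f.package} {f.vulnerable_range} - {title}")
        lines.append(f"  Fix: {f.fix_command or 'no automatic fix; review the upstream advisory'}"
                     + (" (semver-major upgrade, test before merging)" if f.needs_major_upgrade else ""))
    lines.append("")
    lines.append("GATE: " + ("PASS" if result["passed"] else "FAIL (CRITICAL/HIGH dependency findings)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gate_from_json(SAMPLE_AUDIT_JSON)))
```

In CI, replace the sample with run_npm_audit() and exit non-zero when the gate fails; the needs_major_upgrade flag is the piece practitioners most often miss, since a semver-major fix cannot be applied blindly and should become a tracked task rather than a silent auto-upgrade.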

Severity Definitions

CRITICAL - Exploitable vulnerability with severe impact (data breach, RCE, credential theft)
HIGH - Vulnerability requiring specific conditions but serious impact
MEDIUM - Security weakness with limited impact or difficult exploitation
LOW - Best practice violation or minor security concern

Remediation Priority

  1. Rotate exposed secrets - Immediate (within 1 hour)
  2. Fix CRITICAL - Urgent (within 24 hours)
  3. Fix HIGH - Important (within 1 week)
  4. Fix MEDIUM - Planned (within 1 month)
  5. Fix LOW - Backlog (when convenient)

Use with Other Skills

With Pipeline:
/pipeline security "review authentication module"
Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
With Swarm:
/swarm 4:security-reviewer "audit all API endpoints"
Parallel security review across multiple endpoints.
With Ralph:
/ralph security-review then fix all issues
Review, fix, re-review until all issues resolved.

Best Practices

  • Review early - Security by design, not afterthought
  • Review often - Every major feature or API change
  • Automate - Run security scans in CI/CD pipeline
  • Fix immediately - Don't accumulate security debt
  • Educate - Learn from findings to prevent future issues
  • Verify fixes - Re-run security review after remediation