Agent Skills
› DanielPodolsky/ownyourcode
› security-fundamentals
security-fundamentals
GitHub用于审查安全相关代码,涵盖OWASP Top 10、输入验证、认证授权及数据暴露。适用于登录流程、密码存储、用户输入处理、API密钥和JWT等场景,确保遵循最小权限与服务器端校验原则。
Trigger Scenarios
构建登录或认证流程
存储密码或处理敏感数据
处理用户输入或API端点
使用JWT令牌或API密钥
询问代码安全性
Install
npx skills add DanielPodolsky/ownyourcode --skill security-fundamentals -g -y
SKILL.md
Frontmatter
{
"name": "security-fundamentals",
"description": "Reviews security including OWASP Top 10, input validation, auth. Use when junior builds login, authentication, stores passwords, handles user input, API keys, JWT tokens, or asks \"is this secure\"."
}
Security Fundamentals Review
"Security is not a feature. It's a foundation. Build on sand, and the house falls."
When to Apply
Activate this skill when reviewing:
- Authentication/login flows
- Authorization checks
- User input handling
- Database queries
- File uploads
- API endpoints
- Data exposure in responses
Review Checklist
Input Validation (NEVER Trust the Client)
- All inputs validated: Is every user input checked before use?
- Server-side validation: Is validation done on the server, not just client?
- Type checking: Are expected types enforced?
- Length limits: Are string lengths bounded?
- Whitelist over blacklist: Are allowed values explicitly defined?
Authentication
- Password hashing: Are passwords hashed (bcrypt, argon2), not encrypted?
- No plaintext secrets: Are secrets in env vars, not code?
- Token expiry: Do JWTs/sessions have reasonable expiration?
- Secure transmission: Is HTTPS enforced?
Authorization
- Ownership checks: Can users only access THEIR data?
- Role verification: Are admin routes protected by role checks?
- No client-side auth: Is authorization enforced server-side?
Data Exposure
- Minimal response: Does the API return only necessary fields?
- No sensitive data in URLs: Are tokens/IDs not in query strings?
- No sensitive data in logs: Are passwords/tokens excluded from logs?
OWASP Top 10 Quick Check
1. Injection (SQL, NoSQL, Command)
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
2. Broken Authentication
❌ if (req.headers.admin === 'true') { /* allow admin */ }
✅ const user = await verifyToken(req.headers.authorization);
if (user.role !== 'admin') throw new ForbiddenError();
3. Sensitive Data Exposure
❌ res.json({ user: { ...user, password, ssn } });
✅ res.json({ user: { id: user.id, name: user.name } });
4. Broken Access Control
❌ app.get('/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
✅ app.get('/users/:id', async (req, res) => {
const user = await User.findById(req.params.id);
if (user.id !== req.user.id && req.user.role !== 'admin') {
throw new ForbiddenError();
}
res.json(user);
});
5. Security Misconfiguration
❌ CORS: origin: '*'
❌ Detailed error messages in production
❌ Debug mode enabled in production
✅ CORS: origin: process.env.ALLOWED_ORIGINS
✅ Generic error messages to clients
✅ Debug mode disabled in production
6. Cross-Site Scripting (XSS)
❌ element.innerHTML = userInput;
✅ element.textContent = userInput;
✅ DOMPurify.sanitize(userInput);
Socratic Questions
Ask the junior these questions instead of giving answers:
- Trust: "What stops a malicious user from sending anything they want here?"
- Ownership: "How do you know this user owns this resource?"
- Exposure: "What's the worst thing that could happen if this endpoint is exposed?"
- Secrets: "If I
git clonethis repo, what secrets would I see?" - Injection: "What if someone sends
'; DROP TABLE users; --as input?"
Red Flags to Call Out
| Flag | Risk | Question |
|---|---|---|
| String concatenation in queries | SQL Injection | "Can this input contain SQL?" |
eval() or new Function() |
Code Injection | "Why is dynamic code execution needed?" |
innerHTML with user data |
XSS | "What if the user includes <script>?" |
| Passwords in logs | Data Leak | "Who can see these logs?" |
| No rate limiting on auth | Brute Force | "What stops someone from trying every password?" |
CORS: * |
Security Bypass | "Should any website be able to call this API?" |
| JWT with no expiry | Token Theft | "What happens if this token is stolen?" |
| IDs in URLs | IDOR | "Can user A access user B's data by changing the ID?" |
Security Checklist Before Deploy
- All secrets in environment variables
- HTTPS enforced
- Input validation on all endpoints
- SQL/NoSQL injection prevented (parameterized queries)
- XSS prevented (output encoding)
- CSRF protection enabled
- Rate limiting on auth endpoints
- Sensitive data excluded from responses
- Authorization checks on every protected route
- Security headers set (helmet.js or equivalent)
Never Do This
| Action | Why |
|---|---|
| Store passwords in plaintext | One breach exposes all users |
| Put secrets in code | Git history is forever |
| Trust client-side validation only | Anyone can bypass the client |
| Return full database objects | Exposes internal fields |
| Log sensitive data | Logs get compromised too |
Use md5 or sha1 for passwords |
Cryptographically broken |
Version History
- bd1f17c Current 2026-07-11 17:35


