Agent Skillslarlarua/AutoCVE › code-security

code-security

GitHub

提供跨语言的代码安全指南,覆盖OWASP Top 10及基础设施配置。支持在编写或审查涉及用户输入、认证、数据库等敏感操作的代码时主动检测漏洞,并针对Python、JS等多种语言提供具体防护规则。

skill_library/code-security/SKILL.md larlarua/AutoCVE

Trigger Scenarios

编写处理用户输入、认证、文件操作、数据库查询或网络请求的代码 审查代码以查找漏洞、检查安全性或询问安全实践 使用Terraform、Kubernetes等工具进行基础设施配置

Install

npx skills add larlarua/AutoCVE --skill code-security -g -y
More Options

Non-standard path

npx skills add https://github.com/larlarua/AutoCVE/tree/main/skill_library/code-security -g -y

Use without installing

npx skills use larlarua/AutoCVE@code-security

指定 Agent (Claude Code)

npx skills add larlarua/AutoCVE --skill code-security -a claude-code -g -y

安装 repo 全部 skill

npx skills add larlarua/AutoCVE --all -g -y

预览 repo 内 skill

npx skills add larlarua/AutoCVE --list

SKILL.md

Frontmatter
{
    "name": "code-security",
    "tags": [
        "github-import"
    ],
    "description": "Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'."
}

name: code-security description: "Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'."

Code Security Guidelines

Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.

How to Use This Skill

Proactive mode — When writing or reviewing code, automatically check for relevant vulnerabilities based on the language and patterns present. You don't need to wait for the user to ask about security.

Reactive mode — When the user asks about security, use the categories below to find the relevant rule file, then read it for detailed vulnerable/secure code examples.

Workflow

  1. Identify the language and what the code does (handles input? queries a DB? reads files?)
  2. Check the relevant rules below — focus on Critical and High impact first
  3. Read the specific rule file from rules/ for detailed code examples in that language
  4. Apply the secure patterns, or flag the vulnerable patterns if reviewing

Language-Specific Priority Rules

When writing code in these languages, check these rules first:

Language Priority Rules to Check
Python SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto
JavaScript/TypeScript XSS, prototype pollution, code injection, insecure transport, CSRF
Java SQL injection, XXE, insecure deserialization, insecure crypto, SSRF
Go SQL injection, command injection, path traversal, insecure transport
C/C++ Memory safety, unsafe functions, command injection, path traversal
Ruby SQL injection, command injection, code injection, insecure deserialization
PHP SQL injection, XSS, command injection, code injection, path traversal
HCL/YAML Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions

Categories

Critical Impact

  • SQL Injection (rules/sql-injection.md) - Use parameterized queries, never concatenate user input
  • Command Injection (rules/command-injection.md) - Avoid shell commands with user input, use safe APIs
  • XSS (rules/xss.md) - Escape output, use framework protections
  • XXE (rules/xxe.md) - Disable external entities in XML parsers
  • Path Traversal (rules/path-traversal.md) - Validate and sanitize file paths
  • Insecure Deserialization (rules/insecure-deserialization.md) - Never deserialize untrusted data
  • Code Injection (rules/code-injection.md) - Never eval() user input
  • Hardcoded Secrets (rules/secrets.md) - Use environment variables or secret managers
  • Memory Safety (rules/memory-safety.md) - Prevent buffer overflows, use-after-free (C/C++)

High Impact

  • Insecure Crypto (rules/insecure-crypto.md) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
  • Insecure Transport (rules/insecure-transport.md) - Use HTTPS, verify certificates
  • SSRF (rules/ssrf.md) - Validate URLs, use allowlists
  • JWT Issues (rules/authentication-jwt.md) - Always verify signatures
  • CSRF (rules/csrf.md) - Use CSRF tokens on state-changing requests
  • Prototype Pollution (rules/prototype-pollution.md) - Validate object keys in JavaScript

Infrastructure

  • Terraform AWS/Azure/GCP (rules/terraform-aws.md, rules/terraform-azure.md, rules/terraform-gcp.md) - Encryption, least privilege, no public access
  • Kubernetes (rules/kubernetes.md) - No privileged containers, run as non-root
  • Docker (rules/docker.md) - Don't run as root, pin image versions
  • GitHub Actions (rules/github-actions.md) - Avoid script injection, pin action versions

Medium/Low Impact

  • Regex DoS (rules/regex-dos.md) - Avoid catastrophic backtracking
  • Race Conditions (rules/race-condition.md) - Use proper synchronization
  • Correctness (rules/correctness.md) - Avoid common logic bugs
  • Best Practices (rules/best-practice.md) - General secure coding patterns

See rules/_sections.md for the full index with CWE/OWASP references.

Quick Reference

Vulnerability Key Prevention
SQL Injection Parameterized queries
XSS Output encoding
Command Injection Avoid shell, use APIs
Path Traversal Validate paths
SSRF URL allowlists
Secrets Environment variables
Crypto SHA-256, AES-256

Version History

  • 97ce141 Current 2026-07-05 09:22

Same Skill Collection

backend/skill_library/code-audit-finding/SKILL.md
skill_library/code-audit-finding/SKILL.md
skill_library/cve-report-writer/SKILL.md
skill_library/secknowledge-skill/SKILL.md

Metadata

Files
0
Version
97ce141
Hash
4eaedbd6
Indexed
2026-07-05 09:22

Accueil - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-11 13:40
浙ICP备14020137号-1 $Carte des visiteurs$