security-review

GitHub

针对代码变更、PR或分支执行专注的安全审查,覆盖认证、授权、注入、密钥处理等风险。通过信号扫描与手动追踪定位问题,按严重度报告发现,适用于安全风险评估场景。

skills/security-review/SKILL.md franklioxygen/agent-workflows

Trigger Scenarios

请求代码安全审查 进行威胁建模或攻击面分析 评估认证/权限逻辑安全性 检测敏感数据泄露或依赖风险

Install

npx skills add franklioxygen/agent-workflows --skill security-review -g -y
More Options

Use without installing

npx skills use franklioxygen/agent-workflows@security-review

指定 Agent (Claude Code)

npx skills add franklioxygen/agent-workflows --skill security-review -a claude-code -g -y

安装 repo 全部 skill

npx skills add franklioxygen/agent-workflows --all -g -y

预览 repo 内 skill

npx skills add franklioxygen/agent-workflows --list

SKILL.md

Frontmatter
{
    "name": "security-review",
    "description": "Perform focused security reviews of code changes, pull requests, branches, or workspace diffs for authentication, authorization, input validation, injection, secrets handling, sensitive data exposure, dependency risk, insecure transport, and unsafe operational behavior. Use when Codex is asked for a security review, threat-focused code review, auth\/permission review, or security-risk assessment."
}

Security Review

Quick Start

  • Use this skill as a focused review layer, not a replacement for normal correctness review.
  • Run scripts/security_signal_scan.py <path> when a repository or changed-file path is available.
  • Read references/security-review-checklist.md before finalizing findings.
  • Follow shared safety, validation, and scope rules in ../_shared/references/skill-operating-rules.md.
  • Stay read-only unless the user explicitly asks for fixes.
  • Do not commit, push, deploy, rotate secrets, revoke keys, or run destructive commands without explicit permission.

Review Workflow

  1. Establish scope:
  • Review target: PR, branch, workspace changes, or specific files.
  • Comparison base, if reviewing a diff.
  • Trust boundaries affected by the change.
  • Security-sensitive domains touched: auth, permissions, secrets, payments, PII, file upload, network calls, command execution, database access, dependency upgrades, logging, or telemetry.
  1. Run signal scan:
python3 scripts/security_signal_scan.py /path/to/repo-or-file
  1. Manually trace high-risk flows:
  • External input to sink: database query, shell command, HTML/template rendering, file path, network request, deserialization, logging, or redirect.
  • Identity to authorization decision: authentication source, user/session lookup, role/permission check, tenant or ownership boundary.
  • Secret creation to storage/use/logging.
  • Sensitive data from storage to response, logs, analytics, or third-party calls.
  1. Report findings first, ordered by severity. Use this format:
### [Severity] Finding title

- Location:
- Problem:
- Why it matters:
- Attack or failure scenario:
- Recommended fix:
- Severity: Critical / Major / Minor / Nit
  1. If no findings are found, state that explicitly and list residual risks, skipped checks, and validation performed.

Severity Guidance

  • Critical: Direct data exposure, authentication bypass, authorization bypass, credential leak, remote code execution, destructive data mutation, or exploitable injection.
  • Major: Missing edge-case authorization, unsafe input handling with plausible exploit path, sensitive logs, insecure defaults, unsafe dependency upgrade, or tenant-boundary risk.
  • Minor: Defense-in-depth gap, weak validation, incomplete audit trail, ambiguous security behavior, or low-likelihood exposure.
  • Nit: Naming, comment, or structure issue with no meaningful security impact.

Coordination With Other Workflows

  • Use code-review-agent-workflow.md for broad review and this skill for focused security depth.
  • If the security review finds a bug, hand off to the bug-fix workflow after reporting the finding.
  • If the review finds a design or policy decision gap, hand off to the feature workflow rather than inventing security policy.

Version History

  • 063f52c Current 2026-07-05 20:14

Same Skill Collection

skills/docs-maintenance/SKILL.md
skills/migration-planning/SKILL.md
skills/performance-review/SKILL.md
skills/project-initialization/SKILL.md
skills/release-prep/SKILL.md
skills/test-strategy/SKILL.md
skills/workflow-automation/SKILL.md
skills/workflow-maintainer/SKILL.md
zh-cn/skills/docs-maintenance/SKILL.md
zh-cn/skills/migration-planning/SKILL.md
zh-cn/skills/performance-review/SKILL.md
zh-cn/skills/project-initialization/SKILL.md
zh-cn/skills/release-prep/SKILL.md
zh-cn/skills/security-review/SKILL.md
zh-cn/skills/test-strategy/SKILL.md
zh-cn/skills/workflow-automation/SKILL.md
zh-cn/skills/workflow-maintainer/SKILL.md

Metadata

Files
0
Version
063f52c
Hash
f9233e9d
Indexed
2026-07-05 20:14

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 00:05
浙ICP备14020137号-1 $Гость$