verify-security
Security Verification
Purpose
Verify code for security anti-patterns and vulnerabilities. All analysis happens locally—code never leaves your machine.
When to Use
Trigger this skill when the user asks to:
- "verify agent security"
- "verify security"
- "check for secrets"
- "scan for vulnerabilities"
- "security audit"
Note: For full verification including patterns, quality, and language-specific checks, tell the user to say "verify agent".
Process
Step 1: Discover Files
Locate files to analyze:
Configuration files:
- `package.json`, `pyproject.toml`, `Cargo.toml` - Dependencies
- `.env`, `.env.example`, `.env.local` - Environment files
- `config.py`, `settings.py`, `config.ts` - Configuration
Source files:
- `*.py`, `*.ts`, `*.js`, `*.go`, `*.rs` - Source code
- Prioritize files with: `auth`, `api`, `client`, `secret`, `config` in name
Exclude:
- `node_modules/`, `.venv/`, `venv/`, `__pycache__/`
- `*.test.*`, `*.spec.*`, `*_test.go`
Step 2: Run Security Checks
Check Tiers
- `[PATTERN]` — Mechanical check. Apply exactly as written.
- `[HEURISTIC]` — Judgment required. Mark findings clearly.
Tag every finding with `[P]` for pattern or `[H]` for heuristic.
2.1 [PATTERN] Hardcoded Secrets
Scan for assignments matching these patterns (case-insensitive):
| Variable pattern | Fail condition |
|---|---|
| Assigned to string literal |
| Assigned to string literal |
| Assigned to string literal |
| Assigned to string literal |
| Assigned to string literal |
| Assigned to string literal |
| Assigned to string literal |
Examples of failures:
```python
# ❌ Issue
API_KEY = "sk-abc123..."
password = "hunter2"
OPENAI_API_KEY = "sk-proj-..."

# ✅ Pass
API_KEY = os.environ["API_KEY"]
password = os.getenv("PASSWORD")
api_key = settings.API_KEY
```
**Also flag:**
- String literals matching known API key patterns:
  - `sk-...` (OpenAI)
  - `sk-ant-...` (Anthropic)
  - `AKIA...` (AWS)
  - `ghp_...` (GitHub)
  - `xoxb-...` (Slack)
Severity: ❌ Issue
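One way to apply rule 2.1 mechanically to Python sources, added here as an example and not part of the original skill: it walks the AST, so `os.environ[...]` and `os.getenv(...)` pass while string literals fail. The name regex is an assumption inferred from the page's failing examples, and `SAMPLE` with its key-like values is constructed.

```python
import ast
import re

# Assumption: name fragments inferred from the page's failing examples
# (API_KEY, password, OPENAI_API_KEY); the page's own pattern column is not shown.
SENSITIVE_NAME = re.compile(
    r"(?:^|_)(?:api_?key|key|secret|password|passwd|token)(?:$|_)", re.IGNORECASE)
# Literal prefixes listed on the page; sk-ant- is tested before the broader sk-.
KEY_PREFIXES = [("sk-ant-", "Anthropic"), ("sk-", "OpenAI"), ("AKIA", "AWS"),
                ("ghp_", "GitHub"), ("xoxb-", "Slack")]

# Constructed sample input; the key-like values are made up.
SAMPLE = '''\
import os
API_KEY = "sk-abc123..."
password = "hunter2"
db_url = os.environ["DATABASE_URL"]
API_TOKEN = os.getenv("API_TOKEN")
headers = {"Authorization": "ghp_constructedExampleValue"}
keyboard_layout = "us"
'''


def scan_source(source, filename="<sample>"):
    """Return sorted (line, message) findings, tagged [P] as mechanical checks."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        # Rule 1: a sensitive-looking name assigned a non-empty string literal.
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in targets:
                    name = getattr(target, "id", getattr(target, "attr", ""))
                    if SENSITIVE_NAME.search(name):
                        findings.add((node.lineno, f"[P] hardcoded secret in {name}"))
        # Rule 2: any string literal that starts with a known API-key prefix.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for prefix, vendor in KEY_PREFIXES:
                if node.value.startswith(prefix):
                    findings.add((node.lineno, f"[P] {vendor}-style key literal"))
                    break
    return sorted(findings)


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE):
        print(f"<sample>:{line}: {message}")
```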
---
2.2 [PATTERN] Dependency Version Pinning
Python (`requirements.txt`):
| Pattern | Severity |
|---|---|
| ❌ Issue |
| ❌ Issue |
| ❌ Issue |
| ✅ Pass |
| ✅ Pass |
Python (`pyproject.toml`):
Check `[project.dependencies]` and `[tool.poetry.dependencies]`:
- Unpinned or `>=` versions → ❌ Issue
- Pinned with `==` or `^` or `~` → ✅ Pass
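The `pyproject.toml` rule above as a small checker, added here as an example and not part of the original skill. It takes already-parsed TOML (for instance from `tomllib.load` on Python 3.11+); `SAMPLE` is constructed, and treating operators the page does not mention (`*`, `<`, `>`, `!=`) as issues is an assumption.

```python
import re

PASS_PREFIXES = ("==", "^", "~")  # page rule: pinned with ==, ^ or ~ -> Pass
# PEP 508 string: name, optional [extras], constraint, optional "; marker".
PEP508 = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")

# Constructed sample in the shape tomllib.load() returns for a pyproject.toml.
SAMPLE = {
    "project": {"dependencies": [
        "flask==3.0.3", "requests>=2.31", "httpx",
        "uvicorn[standard]~=0.30.1", "pywin32>=306; sys_platform == 'win32'"]},
    "tool": {"poetry": {"dependencies": {
        "pydantic": "^2.7", "rich": "*",
        "boto3": {"version": ">=1.34", "extras": []}}}},
}


def verdict(constraint):
    """Page rule: ==, ^ or ~ passes; unpinned or >= is an issue.
    Assumption: any other operator (*, <, >, !=) is also treated as an issue."""
    return "pass" if constraint.strip().startswith(PASS_PREFIXES) else "issue"


def check_pyproject(data):
    """Map each dependency name to 'pass' or 'issue'."""
    results = {}
    # PEP 621 stores dependencies as a list of PEP 508 strings under [project].
    for requirement in data.get("project", {}).get("dependencies", []):
        match = PEP508.match(requirement)
        if match:
            results[match.group(1)] = verdict(match.group(2))
    # Poetry stores a table of name -> constraint (a string or an inline table).
    poetry = data.get("tool", {}).get("poetry", {}).get("dependencies", {})
    for name, spec in poetry.items():
        if isinstance(spec, dict):
            spec = spec.get("version", "")  # no version key means unpinned
        results[name] = verdict(str(spec))
    return results


if __name__ == "__main__":
    for name, result in check_pyproject(SAMPLE).items():
        print(f"{'✅ Pass' if result == 'pass' else '❌ Issue'}  {name}")
```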
JavaScript/TypeScript (`package.json`):
| Pattern | Severity |
|---|---|
| ❌ Issue |
| ❌ Issue |
| ⚠️ Warning |
| ✅ Pass |
| ✅ Pass |
| ✅ Pass |
2.3 [HEURISTIC] Input Validation
Check for external data handling:
Look for:
- HTTP request handlers (`@app.route`, `router.get`, etc.)
- User input processing (`request.body`, `req.params`, `input()`)
- File uploads
- Database queries with user input
Flag if:
- User input is passed directly to database queries without sanitization
- File paths are constructed from user input without validation
- JSON parsing without schema validation on external data
Severity: ⚠️ Warning
Example patterns to flag:
```python
# ⚠️ Warning - SQL without parameterization
query = f"SELECT * FROM users WHERE id = {user_id}"

# ⚠️ Warning - Path traversal risk
file_path = os.path.join(base_dir, user_filename)

# ✅ Pass - Parameterized query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
```
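The page flags `os.path.join(base_dir, user_filename)` without showing a passing form; one possible hardened version follows, added here as an example and not taken from the original skill. `safe_join`, `UnsafePathError` and the sandbox built in `demo()` are hypothetical names and constructed data.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a user-supplied name resolves outside the allowed directory."""


def safe_join(base_dir, user_filename):
    """Return the resolved path of user_filename under base_dir, or raise."""
    if not user_filename or "\x00" in user_filename:
        raise UnsafePathError("empty name or embedded NUL byte")
    base = os.path.realpath(base_dir)
    # os.path.join silently drops `base` when user_filename is absolute, and
    # realpath collapses ".." and follows symlinks, so compare final locations.
    candidate = os.path.realpath(os.path.join(base, user_filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{user_filename!r} resolves outside {base!r}")
    return candidate


def classify(base_dir, names):
    """Map each name to 'ok' or 'rejected'."""
    result = {}
    for name in names:
        try:
            safe_join(base_dir, name)
            result[name] = "ok"
        except UnsafePathError:
            result[name] = "rejected"
    return result


def demo():
    # Constructed sandbox: an upload directory plus a symlink pointing outside it.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.makedirs(os.path.join(base, "reports"))
    os.makedirs(os.path.join(root, "private"))
    os.symlink(os.path.join(root, "private"), os.path.join(base, "link"))
    names = ["reports/q1.csv", "../private/key.pem", "/etc/passwd",
             "reports/../../private/key.pem", "link/key.pem", ""]
    return classify(base, names)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:9} {name!r}")
```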
---
2.4 [HEURISTIC] Error Message Exposure
Check error handling for information leakage:
Flag if:
- Stack traces returned in HTTP responses
- Database error messages exposed to users
- Internal paths or system info in error messages
- Debug mode enabled in production code
Look for:
```python
# ⚠️ Warning
except Exception as e:
    return {"error": str(e)}  # Exposes internal details

# ⚠️ Warning
app = Flask(__name__)
app.debug = True  # Debug in production

# ✅ Pass
except Exception as e:
    logger.error(f"Error: {e}")
    return {"error": "An error occurred"}
```
Severity: ⚠️ Warning
---
2.5 [HEURISTIC] Secure Defaults
Check configuration for insecure defaults:
| Setting | Insecure | Secure |
|---|---|---|
| CORS | | Specific origins |
| SSL verification | | |
| Debug mode | | |
| Cookie security | | |
| CSRF | Disabled | Enabled |
Examples:
```python
# ⚠️ Warning
requests.get(url, verify=False)
app.config["SESSION_COOKIE_SECURE"] = False
CORS(app, origins="*")

# ✅ Pass
requests.get(url)  # verify=True is default
app.config["SESSION_COOKIE_SECURE"] = True
CORS(app, origins=["https://example.com"])
```
Severity: ⚠️ Warning
---
2.6 [HEURISTIC] Sensitive Data Logging
Check logging statements for sensitive data:
Flag if logging includes:
- Passwords or tokens
- API keys
- Personally identifiable information (PII)
- Credit card numbers
- Session tokens
Look for:
```python
# ⚠️ Warning
logger.info(f"User login: {username} with password {password}")
print(f"API response: {response.json()}")  # May contain tokens

# ✅ Pass
logger.info(f"User login: {username}")
logger.debug(f"Request to {url}")  # No sensitive data
```
Severity: ⚠️ Warning
---
Step 3: Generate Report
```markdown
# Security Verification Report

Project: [name or path]
Date: [current date]
Files analyzed: [count]

## Summary

✅ X checks passed | ⚠️ Y warnings | ❌ Z issues

### Secrets
- No hardcoded secrets found
- ❌ Hardcoded secret at `[file:line]`

### Dependencies
- All dependencies pinned
- ❌ Unpinned dependencies in `[file]`

### Input Validation
- External input properly validated
- ⚠️ Potential injection at `[file:line]`

### Error Handling
- Errors properly sanitized
- ⚠️ Information leakage at `[file:line]`

## Findings

`[P]` = pattern-matched · `[H]` = heuristic

### ✅ Passing
- `[P]` No hardcoded API keys or secrets
- `[P]` Dependencies properly pinned

### ⚠️ Warnings
- `[H]` [Check]: [description]
  - Location: [file:line]
  - Risk: [what could go wrong]
  - Suggestion: [how to fix]

### ❌ Issues
- `[P]` [Check]: [description]
  - Location: [file:line]
  - Rule: [which rule violated]
  - Fix: [specific remediation]

## Recommendations
- [Priority recommendation]
- [Additional improvements]

---
*For full verification including patterns, quality, and language-specific checks, say "verify agent".*
```