Security Review
An AI-powered security scanner that reasons about your codebase the way a human security
researcher would — tracing data flows, understanding component interactions, and catching
vulnerabilities that pattern-matching tools miss.
When to Use This Skill
Use this skill when the request involves:
- Scanning a codebase or file for security vulnerabilities
- Running a security review or vulnerability check
- Checking for SQL injection, XSS, command injection, or other injection flaws
- Finding exposed API keys, hardcoded secrets, or credentials in code
- Auditing dependencies for known CVEs
- Reviewing authentication, authorization, or access control logic
- Detecting insecure cryptography or weak randomness
- Performing a data flow analysis to trace user input to dangerous sinks
- Any request phrasing like "is my code secure?", "scan this file", or "check my repo for vulnerabilities"
- Running `/security-review` or `/security-review <path>`
How This Skill Works
Unlike traditional static analysis tools that match patterns, this skill:
- Reads code like a security researcher — understanding context, intent, and data flow
- Traces across files — following how user input moves through your application
- Self-verifies findings — re-examines each result to filter false positives
- Assigns severity ratings — CRITICAL / HIGH / MEDIUM / LOW / INFO
- Proposes targeted patches — every finding includes a concrete fix
- Requires human approval — nothing is auto-applied; you always review first
Execution Workflow
Follow these steps in order every time:
Step 1 — Scope Resolution
Determine what to scan:
- If a path was provided (`/security-review src/auth/`), scan only that scope
- If no path given, scan the entire project starting from the root
- Identify the language(s) and framework(s) in use (check package.json, requirements.txt, go.mod, Cargo.toml, pom.xml, Gemfile, composer.json, etc.)
- Read `references/language-patterns.md` to load language-specific vulnerability patterns
Step 2 — Dependency Audit
Before scanning source code, audit dependencies first (fast wins):
- Node.js: Check `package.json` + `package-lock.json` for known vulnerable packages
- Python: Check `requirements.txt` / `pyproject.toml` / `Pipfile`
- Java: Check `pom.xml` / `build.gradle`
- Ruby: Check `Gemfile.lock`
- Rust: Check `Cargo.toml`
- Go: Check `go.sum`
- Flag packages with known CVEs, deprecated crypto libs, or suspiciously old pinned versions
- Read `references/vulnerable-packages.md` for a curated watchlist
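A minimal version of this dependency audit, written here as an added example rather than the skill's own code: it reads exact pins from a `requirements.txt` and resolved versions from a `package-lock.json`, and flags anything older than the first fixed release in a watchlist. The watchlist and both manifests are constructed with placeholder package names; the real list lives in `references/vulnerable-packages.md`.

```python
import json
import re

# Constructed watchlist standing in for references/vulnerable-packages.md (placeholder
# package names, not real advisories): ecosystem -> package -> first fixed version.
WATCHLIST = {
    "npm": {"example-left-pad": "2.0.0"},
    "pip": {"example-parser": "1.4.1"},
}

def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so that comparisons are numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3]) or (0,)

def check(ecosystem: str, name: str, version: str) -> list:
    """Flag a pinned package whose version is older than the first fixed release."""
    fixed = WATCHLIST[ecosystem].get(name.lower())
    if fixed and parse_version(version) < parse_version(fixed):
        return [{"ecosystem": ecosystem, "package": name.lower(),
                 "version": version, "fixed_in": fixed}]
    return []

def audit_requirements(text: str) -> list:
    """Pinned 'name==version' lines from requirements.txt; ranges are skipped
    because only an exact pin tells us which release is actually installed."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if m:
            findings += check("pip", m.group(1), m.group(2))
    return findings

def audit_package_lock(text: str) -> list:
    """Resolved versions from the 'packages' map of a lockfileVersion 2/3 package-lock.json
    (the lockfile, not package.json, is what ends up in node_modules)."""
    findings = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if path.startswith("node_modules/"):
            name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
            findings += check("npm", name, meta.get("version", "0"))
    return findings

# Constructed sample manifests.
REQUIREMENTS = "flask==2.3.0\nexample-parser==1.3.9\nrequests>=2.31\n# pinned by hand\n"
PACKAGE_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/example-left-pad": {"version": "1.9.0"},
}})
```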
Step 3 — Secrets & Exposure Scan
Scan ALL files (including config, env, CI/CD, Dockerfiles, IaC) for:
- Hardcoded API keys, tokens, passwords, private keys
- `.env` files accidentally committed
- Secrets in comments or debug logs
- Cloud credentials (AWS, GCP, Azure, Stripe, Twilio, etc.)
- Database connection strings with credentials embedded
- Read `references/secret-patterns.md` for regex patterns and entropy heuristics to apply
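The regex-plus-entropy approach this step refers to, as an added example (not the skill's own patterns from `references/secret-patterns.md`): a couple of fixed key shapes, a deliberately broad "secret-looking assignment" pattern, and a Shannon-entropy gate that drops low-entropy placeholders such as `changeme`. The `.env` contents and the 3.5 bits/char threshold are constructed for the example.

```python
import math
import re

# Well-known key shapes plus a generic "secret-looking assignment" pattern. The
# generic one over-matches on purpose and is gated by the entropy check below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score near log2(alphabet), words score low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_secrets(text: str, path: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per (line, pattern) hit. Generic hits below the entropy
    threshold (e.g. 'changeme') are dropped as probable placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            entropy = shannon_entropy(value)
            if kind == "generic_assignment" and entropy < entropy_threshold:
                continue
            findings.append({"file": path, "line": lineno, "type": kind,
                             "entropy": round(entropy, 2), "snippet": line.strip()[:80]})
    return findings

# Constructed .env contents; the AWS value is the documented example key, not a live one.
SAMPLE_ENV = """# constructed sample for the scanner
DB_PASSWORD='changeme'
API_KEY="xK9vQ2mLp7Rt4WnB8cHjY3fZ"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""
```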
Step 4 — Vulnerability Deep Scan
This is the core scan. Reason about the code — don't just pattern-match.
Read `references/vuln-categories.md` for full details on each category.
Injection Flaws
- SQL Injection: raw queries with string interpolation, ORM misuse, second-order SQLi
- XSS: unescaped output, dangerouslySetInnerHTML, innerHTML, template injection
- Command Injection: exec/spawn/system with user input
- LDAP, XPath, Header, Log injection
Authentication & Access Control
- Missing authentication on sensitive endpoints
- Broken object-level authorization (BOLA/IDOR)
- JWT weaknesses (alg:none, weak secrets, no expiry validation)
- Session fixation, missing CSRF protection
- Privilege escalation paths
- Mass assignment / parameter pollution
Data Handling
- Sensitive data in logs, error messages, or API responses
- Missing encryption at rest or in transit
- Insecure deserialization
- Path traversal / directory traversal
- XXE (XML External Entity) processing
- SSRF (Server-Side Request Forgery)
Cryptography
- Use of MD5, SHA1, DES for security purposes
- Hardcoded IVs or salts
- Weak random number generation (Math.random() for tokens)
- Missing TLS certificate validation
Business Logic
- Race conditions (TOCTOU)
- Integer overflow in financial calculations
- Missing rate limiting on sensitive endpoints
- Predictable resource identifiers
Step 5 — Cross-File Data Flow Analysis
After the per-file scan, perform a holistic review:
- Trace user-controlled input from entry points (HTTP params, headers, body, file uploads) all the way to sinks (DB queries, exec calls, HTML output, file writes)
- Identify vulnerabilities that only appear when looking at multiple files together
- Check for insecure trust boundaries between services or modules
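A small source-to-sink tracer in the spirit of this step, added here as an example and not the skill's own logic. It parses Python with the standard `ast` module, treats `request.args` / `form` / `headers` reads as sources, a handful of call names as sinks, and propagates taint through assignments to a fixed point; values passed through an assumed sanitizer list (`int`, `float`, `escape`, `quote`) stop propagating. The Flask-style handler it scans is constructed.

```python
import ast

# Constructed Flask-style handler (not from the skill): one request value reaches a
# query unsanitized, another is cast to int first and should not be reported.
SAMPLE = '''from flask import request
def lookup(cursor):
    user = request.args.get("user")
    uid = int(request.args.get("id"))
    sql = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(sql)
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))
    cursor.execute("SELECT 1")
'''
SOURCES = {("request", "args"), ("request", "form"), ("request", "headers")}
SINKS = {"execute", "system", "call", "Popen", "write"}
SANITIZERS = {"int", "float", "escape", "quote"}  # assumed list for this example

def _callee(call):
    fn = call.func
    return fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", "")

def _names(node):  # every variable name read inside an expression
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _is_source(node):  # does the expression read request.args / form / headers?
    return any(isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name)
               and (n.value.id, n.attr) in SOURCES for n in ast.walk(node))

def _tainted_vars(tree):
    """Fixed point over assignments: a target is tainted if its value reads a
    source or an already-tainted name, unless the value is a sanitizer call."""
    tainted, grew = set(), True
    while grew:
        grew = False
        for node in (n for n in ast.walk(tree) if isinstance(n, ast.Assign)):
            if isinstance(node.value, ast.Call) and _callee(node.value) in SANITIZERS:
                continue
            if _is_source(node.value) or _names(node.value) & tainted:
                new = {t.id for t in node.targets if isinstance(t, ast.Name)} - tainted
                grew, tainted = grew or bool(new), tainted | new
    return tainted

def trace_taint(src: str) -> list:
    """Return (sink, line) pairs whose arguments derive from a request source.
    Flow-insensitive, so every hit is a candidate for the Step 6 verification pass."""
    tree = ast.parse(src)
    tainted = _tainted_vars(tree)
    return [(_callee(n), n.lineno) for n in ast.walk(tree)
            if isinstance(n, ast.Call) and _callee(n) in SINKS
            and any(_is_source(a) or _names(a) & tainted for a in n.args)]
```

Because the analysis ignores control flow and only knows the sanitizers it is told about, its output is a candidate list, which is exactly why the self-verification pass in Step 6 re-reads each hit.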
Step 6 — Self-Verification Pass
For EACH finding:
- Re-read the relevant code with fresh eyes
- Ask: "Is this actually exploitable, or is there sanitization I missed?"
- Check if a framework or middleware already handles this upstream
- Downgrade or discard findings that aren't genuine vulnerabilities
- Assign final severity: CRITICAL / HIGH / MEDIUM / LOW / INFO
Step 7 — Generate Security Report
Output the full report in the format defined in `references/report-format.md`.
Step 8 — Propose Patches
For every CRITICAL and HIGH finding, generate a concrete patch:
- Show the vulnerable code (before)
- Show the fixed code (after)
- Explain what changed and why
- Preserve the original code style, variable names, and structure
- Add a comment explaining the fix inline
Explicitly state: "Review each patch before applying. Nothing has been changed yet."
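What a before/after patch for a CRITICAL SQL injection finding (the first item under Injection Flaws in Step 4) looks like when it follows these rules, as an added example rather than the skill's own output: the vulnerable function and its fix sit side by side with the same shape and names, the fix is commented inline, and a regression check lets the reviewer confirm ordinary inputs behave identically before approving. The schema, data and function names are made up for the example.

```python
import sqlite3

# Constructed example (not the skill's own code): a CRITICAL SQLi finding rendered the
# way Step 8 asks, vulnerable function beside its fix, with an in-memory schema made up here.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return con

def find_user_before(con: sqlite3.Connection, name: str) -> list:
    # BEFORE: the caller-supplied `name` is interpolated into the statement text,
    # so quotes inside it change the query's structure.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()

def find_user_after(con: sqlite3.Connection, name: str) -> list:
    # AFTER: same function shape and variable names; `name` is bound as a
    # parameter and the driver never interprets it as SQL.  # fix: parameterized query
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

def patch_preserves_behaviour(con: sqlite3.Connection, inputs) -> bool:
    """Regression check a reviewer can run before approving: for ordinary inputs the
    patched function must return exactly what the original did."""
    return all(find_user_before(con, i) == find_user_after(con, i) for i in inputs)
```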
Severity Guide
| Severity | Meaning | Example |
|---|---|---|
| 🔴 CRITICAL | Immediate exploitation risk, data breach likely | SQLi, RCE, auth bypass |
| 🟠 HIGH | Serious vulnerability, exploit path exists | XSS, IDOR, hardcoded secrets |
| 🟡 MEDIUM | Exploitable with conditions or chaining | CSRF, open redirect, weak crypto |
| 🔵 LOW | Best practice violation, low direct risk | Verbose errors, missing headers |
| ⚪ INFO | Observation worth noting, not a vulnerability | Outdated dependency (no CVE) |
Output Rules
- Always produce a findings summary table first (counts by severity)
- Never auto-apply any patch — present patches for human review only
- Always include a confidence rating per finding (High / Medium / Low)
- Group findings by category, not by file
- Be specific — include file path, line number, and the exact vulnerable code snippet
- Explain the risk in plain English — what could an attacker do with this?
- If the codebase is clean, say so clearly: "No vulnerabilities found" with what was scanned
Reference Files
For detailed detection guidance, load the following reference files as needed:
- `references/vuln-categories.md` — Deep reference for every vulnerability category with detection signals, safe patterns, and escalation checkers
  - Search patterns: `SQL injection`, `XSS`, `command injection`, `SSRF`, `BOLA`, `IDOR`, `JWT`, `CSRF`, `secrets`, `cryptography`, `race condition`, `path traversal`
- `references/secret-patterns.md` — Regex patterns, entropy-based detection, and CI/CD secret risks
  - Search patterns: `API key`, `token`, `private key`, `connection string`, `entropy`, `.env`, `GitHub Actions`, `Docker`, `Terraform`
- `references/language-patterns.md` — Framework-specific vulnerability patterns for JavaScript, Python, Java, PHP, Go, Ruby, and Rust
  - Search patterns: `Express`, `React`, `Next.js`, `Django`, `Flask`, `FastAPI`, `Spring Boot`, `PHP`, `Go`, `Rails`, `Rust`
- `references/vulnerable-packages.md` — Curated CVE watchlist for npm, pip, Maven, Rubygems, Cargo, and Go modules
  - Search patterns: `lodash`, `axios`, `jsonwebtoken`, `Pillow`, `log4j`, `nokogiri`, `CVE`
- `references/report-format.md` — Structured output template for security reports with finding cards, dependency audit, secrets scan, and patch proposal formatting
  - Search patterns: `report`, `format`, `template`, `finding`, `patch`, `summary`, `confidence`