security-reviewer

📁 seikaikyo/dash-skills 📅 Feb 6, 2026

总安装量

周安装量

#31977

全站排名

安装命令

npx skills add https://github.com/seikaikyo/dash-skills --skill security-reviewer

Agent 安装分布

amp 6

github-copilot 6

codex 6

kimi-cli 6

gemini-cli 6

opencode 6

Skill 文档

Security Reviewer (å®å¨å¯©æ¥)

When to Use

å¨ä»¥ä¸ææ³ä¸»åä½¿ç¨æ¤ Skillï¼

å¯¦ä½èªèæææ¬åè½
èçç¨æ¶è¼¸å¥ææªæ¡ä¸å³
å»ºç«æ°ç API ç«¯é»
èçæ©å¯è³æææè
å¯¦ä½æ¯ä»åè½
æ´åç¬¬ä¸æ¹ API
èçéè/äº¤æç¸éç¨å¼ç¢¼

å®å¨æª¢æ¥æ¸å® (10 å¤§é¡å¥)

1. æ©å¯è³æç®¡ç (CRITICAL)

// ç¦æ¢: ç¡¬ç·¨ç¢¼æ©å¯è³æ
const apiKey = "sk-proj-xxxxx"  // çµå°ç¦æ¢
const password = "admin123"     // çµå°ç¦æ¢

// æ£ç¢º: ä½¿ç¨ç°å¢è®æ¸
const apiKey = process.env.OPENAI_API_KEY
if (!apiKey) {
  throw new Error('OPENAI_API_KEY æªè¨å®')
}

æª¢æ¥é ç®:

ç¡ç¡¬ç·¨ç¢¼ API keysãtokensãå¯ç¢¼
æææ©å¯è³æä½¿ç¨ç°å¢è®æ¸
.env.local å·²å å¥ .gitignore
Git æ·å²ä¸ç¡æ©å¯è³æ
çç¢ç°å¢æ©å¯åæ¾æ¼ Vercel/Render

2. è¼¸å¥é©è

import { z } from 'zod'

const CreateUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  age: z.number().int().min(0).max(150)
})

export async function createUser(input: unknown) {
  const validated = CreateUserSchema.parse(input)
  return await db.users.create(validated)
}

æª¢æ¥é ç®:

ææç¨æ¶è¼¸å¥ä½¿ç¨ Zod é©è
æªæ¡ä¸å³éå¶ (å¤§å°ãé¡åãå¯æªå)
é¯èª¤è¨æ¯ä¸æ´©é²ææè³è¨

3. SQL æ³¨å¥é²è· (CRITICAL)

// ç¦æ¢: åä¸²ä¸²æ¥ SQL
const query = `SELECT * FROM users WHERE email = '${userEmail}'`

// æ£ç¢º: åæ¸åæ¥è©¢
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail)

æª¢æ¥é ç®:

ææè³æåº«æ¥è©¢ä½¿ç¨åæ¸åæ¥è©¢
ç¡åä¸²ä¸²æ¥ SQL
ORM/Query Builder æ£ç¢ºä½¿ç¨

4. èªèèææ¬

// æ£ç¢º: JWT Token ä½¿ç¨ httpOnly cookies
res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)

// æ£ç¢º: ææ¬æª¢æ¥
export async function deleteUser(userId: string, requesterId: string) {
  const requester = await db.users.findUnique({ where: { id: requesterId } })
  if (requester.role !== 'admin') {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
  }
  await db.users.delete({ where: { id: userId } })
}

æª¢æ¥é ç®:

Tokens åæ¾æ¼ httpOnly cookies (é localStorage)
æææä½åé©èææ¬
Supabase åç¨ Row Level Security
å¯¦ä½ RBAC

5. XSS é²è·

import DOMPurify from 'isomorphic-dompurify'

function renderUserContent(html: string) {
  const clean = DOMPurify.sanitize(html, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
    ALLOWED_ATTR: []
  })
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}

æª¢æ¥é ç®:

ç¨æ¶æä¾ç HTML å·²æ¸ç
è¨å® CSP æ¨é
ä½¿ç¨ React å§å»ºç XSS é²è·

6. CSRF é²è·

// SameSite Cookies
res.setHeader('Set-Cookie',
  `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)

æª¢æ¥é ç®:

çæè®æ´æä½ä½¿ç¨ CSRF tokens
ææ cookies è¨å® SameSite=Strict

7. éçéå¶

import rateLimit from 'express-rate-limit'

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 åé
  max: 100, // æ¯è¦çª 100 è«æ±
  message: 'è«æ±éå¤ï¼è«ç¨å¾åè©¦'
})

app.use('/api/', limiter)

æª¢æ¥é ç®:

ææ API ç«¯é»åç¨éçéå¶
æè²´æä½ææ´å´æ ¼çéå¶

8. ææè³æå¤æ´©

// ç¦æ¢: è¨éææè³æ
console.log('User login:', { email, password })

// æ£ç¢º: æ¸çæ¥èª
console.log('User login:', {
  email: email.replace(/(?<=.).(?=.*@)/g, '*'),
  passwordProvided: !!password
})

æª¢æ¥é ç®:

é¯èª¤è¨æ¯å°ç¨æ¶æ¯éç¨ç

9. åå¡éå®å¨ (Solana)

// é©èé¢åç°½å
import { verify } from '@solana/web3.js'

async function verifyWalletOwnership(publicKey: string, signature: string, message: string) {
  return verify(
    Buffer.from(message),
    Buffer.from(signature, 'base64'),
    Buffer.from(publicKey, 'base64')
  )
}

æª¢æ¥é ç®:

é¢åç°½åå·²é©è
äº¤æåé¤é¡æª¢æ¥
ç¡ç²ç°½äº¤æ

10. ä¾è³´å®å¨

# æª¢æ¥æ¼æ´
npm audit

# èªåä¿®å¾©
npm audit fix

# æ´æ°ä¾è³´
npm update

æª¢æ¥é ç®:

ä¾è³´ä¿æææ°
npm audit ç¡å·²ç¥æ¼æ´
lock æªæ¡å·²æäº¤
GitHub Dependabot å·²åç¨

# å®å¨å¯©æ¥å ±å

**æªæ¡:** [path/to/file.ts]
**å¯©æ¥æ¥æ:** YYYY-MM-DD
**å¯©æ¥è:** security-reviewer

## æè¦

- **å´éåé¡:** X
- **é«é¢¨éªåé¡:** Y
- **ä¸é¢¨éªåé¡:** Z
- **é¢¨éªçç´:** é« / ä¸ / ä½

## å´éåé¡ (ç«å³ä¿®å¾©)

### 1. [åé¡æ¨é¡]
**å´éç¨åº¦:** CRITICAL
**é¡å¥:** SQL æ³¨å¥ / XSS / èªè / ç
**ä½ç½®:** `file.ts:123`

**åé¡æè¿°:**
[æ¼æ´æè¿°]

**å½±é¿:**
[è¢«å©ç¨æçå¾æ]

**ä¿®å¾©æ¹æ¡:**
[å®å¨å¯¦ä½ç¯ä¾]

é¨ç½²åå®å¨æª¢æ¥æ¸å®

XSS: ç¨æ¶å§å®¹å·²æ¸ç
CSRF: é²è·å·²åç¨
èªè: æ£ç¢ºç token èç
ææ¬: è§è²æª¢æ¥å·²å°±ä½
éçéå¶: ææç«¯é»å·²åç¨
HTTPS: çç¢ç°å¢å¼·å¶
å®å¨æ¨é : CSPãX-Frame-Options å·²è¨å®
ä¾è³´: ææ°ä¸ç¡æ¼æ´

ç·æ¥æè®

ç¼ç¾ CRITICAL æ¼æ´æï¼

éç¥ – ç«å³è¦åå°æ¡è² è²¬äºº

ç¸éè³æº

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

security-reviewer

Agent 安装分布

Skill 文档

Security Reviewer (å®å ¨å¯©æ¥)

When to Use

å®å ¨æª¢æ¥æ¸ å® (10 å¤§é¡å¥)

1. æ©å¯è³æç®¡ç (CRITICAL)

2. è¼¸å ¥é©è­

3. SQL æ³¨å ¥é²è­· (CRITICAL)

4. èªè­èææ¬

5. XSS é²è­·

6. CSRF é²è­·

7. éçéå¶

8. ææè³æå¤æ´©

9. åå¡éå®å ¨ (Solana)

10. ä¾è³´å®å ¨

å®å ¨å¯©æ¥å ±åæ ¼å¼

é¨ç½²åå®å ¨æª¢æ¥æ¸ å®

ç·æ¥æè®

ç¸éè³æº

Security Reviewer (å®å¨å¯©æ¥)

å®å¨æª¢æ¥æ¸å® (10 å¤§é¡å¥)

1. æ©å¯è³æç®¡ç (CRITICAL)

2. è¼¸å¥é©è

3. SQL æ³¨å¥é²è· (CRITICAL)

4. èªèèææ¬

5. XSS é²è·

6. CSRF é²è·

7. éçéå¶

8. ææè³æå¤æ´©

9. åå¡éå®å¨ (Solana)

10. ä¾è³´å®å¨

å®å¨å¯©æ¥å ±åæ ¼å¼

é¨ç½²åå®å¨æª¢æ¥æ¸å®

ç·æ¥æè®

ç¸éè³æº