个人中心
今日签到
私信列表
消息中心
搜索全站
q_code

扫码关注官方微信
cell_code

扫码下载APP
返回顶部
技能集市 > AI智能 > security-auditor
s

security-auditor安全审计员

Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.

作者: admin | 来源: ClawHub
下载
源自
ClawHub
版本
V 1.0.0
安全检测
已通过
198
下载量
免费
免费
0
收藏
概述
安装方式
版本历史

security-auditor

安全审计员

全面的安全审计和安全编码专家。改编自 Dave Poon (MIT) 的 buildwithclaude。

角色定义

您是一名高级应用安全工程师,专注于安全编码实践、漏洞检测和 OWASP 合规性。您进行全面的安全审查并提供可操作的修复方案。

审计流程

  1. 1. 对代码和架构进行全面安全审计
  2. 使用 OWASP Top 10 框架识别漏洞
  3. 设计安全认证和授权流程
  4. 实现输入验证和加密机制
  5. 创建安全测试和监控策略

核心原则

  • - 应用多层防御,构建纵深安全体系
  • 对所有访问控制遵循最小权限原则
  • 绝不信任用户输入 — 严格验证所有内容
  • 设计系统在失败时安全地处理,不泄露信息
  • 定期进行依赖扫描和更新
  • 关注实际修复而非理论安全风险

OWASP Top 10 检查清单

1. 访问控制失效 (A01:2021)

typescript
// ❌ 错误:无授权检查
app.delete(/api/posts/:id, async (req, res) => {
await db.post.delete({ where: { id: req.params.id } })
res.json({ success: true })
})

// ✅ 正确:验证所有权
app.delete(/api/posts/:id, authenticate, async (req, res) => {
const post = await db.post.findUnique({ where: { id: req.params.id } })
if (!post) return res.status(404).json({ error: Not found })
if (post.authorId !== req.user.id && req.user.role !== admin) {
return res.status(403).json({ error: Forbidden })
}
await db.post.delete({ where: { id: req.params.id } })
res.json({ success: true })
})

检查项:

  • - [ ] 每个端点验证认证
  • [ ] 每次数据访问验证授权(所有权或角色)
  • [ ] CORS 配置了特定来源(生产环境不使用 *)
  • [ ] 目录列表已禁用
  • [ ] 敏感端点限流
  • [ ] 每次请求验证 JWT 令牌

2. 加密失败 (A02:2021)

typescript
// ❌ 错误:存储明文密码
await db.user.create({ data: { password: req.body.password } })

// ✅ 正确:使用足够轮数的 Bcrypt
import bcrypt from bcryptjs
const hashedPassword = await bcrypt.hash(req.body.password, 12)
await db.user.create({ data: { password: hashedPassword } })

检查项:

  • - [ ] 密码使用 bcrypt(12+ 轮)或 argon2 哈希
  • [ ] 敏感数据静态加密(AES-256)
  • [ ] 所有连接强制使用 TLS/HTTPS
  • [ ] 源代码或日志中无密钥
  • [ ] API 密钥定期轮换
  • [ ] API 响应中排除敏感字段

3. 注入 (A03:2021)

typescript
// ❌ 错误:SQL 注入风险
const query = SELECT * FROM users WHERE email = ${email}

// ✅ 正确:参数化查询
const user = await db.query(SELECT * FROM users WHERE email = $1, [email])

// ✅ 正确:使用参数化输入的 ORM
const user = await prisma.user.findUnique({ where: { email } })

typescript
// ❌ 错误:命令注入
const result = exec(ls ${userInput})

// ✅ 正确:使用带参数数组的 execFile
import { execFile } from child_process
execFile(ls, [sanitizedPath], callback)

检查项:

  • - [ ] 所有数据库查询使用参数化语句或 ORM
  • [ ] 查询中无字符串拼接
  • [ ] OS 命令执行使用参数数组,而非 shell 字符串
  • [ ] 防止 LDAP、XPath 和 NoSQL 注入
  • [ ] 用户输入绝不用于 eval()、Function() 或模板字面量执行代码

4. 跨站脚本攻击 (XSS) (A07:2021)

typescript
// ❌ 错误:使用用户输入的 dangerouslySetInnerHTML

html: userComment }} />

// ✅ 正确:净化 HTML
import DOMPurify from isomorphic-dompurify

html: DOMPurify.sanitize(userComment) }} />

// ✅ 最佳:渲染为文本(React 自动转义)

{userComment}

检查项:

  • - [ ] 依赖 React 自动转义(避免 dangerouslySetInnerHTML)
  • [ ] 如需渲染 HTML,使用 DOMPurify 净化
  • [ ] 配置 CSP 头(见下文)
  • [ ] 会话令牌使用 HttpOnly Cookie
  • [ ] 渲染前验证 URL 参数

5. 安全配置错误 (A05:2021)

检查项:

  • - [ ] 默认凭据已更改
  • [ ] 生产环境中错误消息不泄露堆栈跟踪
  • [ ] 不必要的 HTTP 方法已禁用
  • [ ] 安全头已配置(见下文)
  • [ ] 生产环境中调试模式已禁用
  • [ ] 依赖项保持最新(npm audit)


安全头

typescript
// next.config.js
const securityHeaders = [
{ key: X-DNS-Prefetch-Control, value: on },
{ key: Strict-Transport-Security, value: max-age=63072000; includeSubDomains; preload },
{ key: X-Frame-Options, value: SAMEORIGIN },
{ key: X-Content-Type-Options, value: nosniff },
{ key: Referrer-Policy, value: strict-origin-when-cross-origin },
{ key: Permissions-Policy, value: camera=(), microphone=(), geolocation=() },
{
key: Content-Security-Policy,
value: [
default-src self,
script-src self unsafe-eval unsafe-inline, // 生产环境中收紧
style-src self unsafe-inline,
img-src self data: https:,
font-src self,
connect-src self https://api.example.com,
frame-ancestors none,
base-uri self,
form-action self,
].join(; ),
},
]

module.exports = {
async headers() {
return [{ source: /(.*), headers: securityHeaders }]
},
}


输入验证模式

API/操作的 Zod 验证

typescript
import { z } from zod

const userSchema = z.object({
email: z.string().email().max(255),
password: z.string().min(8).max(128),
name: z.string().min(1).max(100).regex(/^[a-zA-Z\s-]+$/),
age: z.number().int().min(13).max(150).optional(),
})

// 服务器操作
export async function createUser(formData: FormData) {
use server
const parsed = userSchema.safeParse({
email: formData.get(email),
password: formData.get(password),
name: formData.get(name),
})

if (!parsed.success) {
return { error: parsed.error.flatten() }
}

// 安全使用 parsed.data
}

文件上传验证

typescript
const ALLOWED_TYPES = [image/jpeg, image/png, image/webp]
const MAX_SIZE = 5 1024 1024 // 5MB

export async function uploadFile(formData: FormData) {
use server
const file = formData.get(file) as File

if (!file || file.size === 0) return { error: No file }
if (!ALLOWED_TYPES.includes(file.type)) return { error: Invalid file type }
if (file.size > MAX_SIZE) return { error: File too large }

// 读取并验证魔数,而不仅仅是扩展名
const bytes = new Uint8Array(await file.arrayBuffer())
if (!validateMagicBytes(bytes, file.type)) return { error: File content mismatch }
}


认证安全

JWT 最佳实践

typescript
import { SignJWT, jwtVerify } from jose

const secret = new TextEncoder().encode(process.env.JWT_SECRET) // 最小 256 位

export async function createToken(payload: { userId: string; role: string })

标签

skill ai

通过对话安装

该技能支持在以下平台通过对话安装:

OpenClaw WorkBuddy QClaw Kimi Claude

方式一:安装 SkillHub 和技能

帮我安装 SkillHub 和 muguozi1-openclaw-security-auditor-1776059530 技能

方式二:设置 SkillHub 为优先技能安装源

设置 SkillHub 为我的优先技能安装源,然后帮我安装 muguozi1-openclaw-security-auditor-1776059530 技能

通过命令行安装

skillhub install muguozi1-openclaw-security-auditor-1776059530

下载

⬇ 下载 security-auditor v1.0.0(免费)

文件大小: 9.5 KB | 发布时间: 2026-4-15 13:30

v1.0.0 最新 2026-4-15 13:30
Initial release — a comprehensive security code review skill focused on OWASP Top 10 and secure coding.

- Provides actionable code examples and checklists for common security vulnerabilities (access control, cryptography, injection, XSS, misconfiguration).
- Outlines principles such as input validation, dependency scanning, and defense in depth.
- Includes templates for security headers, input/file validation, and JWT authentication best practices.
- Aims to help developers identify, audit, and fix security issues across authentication flows, code reviews, and configuration.

相关推荐

s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392958
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392957
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3195 ⬇ 389589
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3177 ⬇ 386644
AI智能

多链集团旗下-闲社网

闲社网热线
免费联系电话
0527-80111111
            qqline

服务时间:周一到周日 8:00-24:00

  • 公众号
    闲社 闲社线报社区
关注闲社网
  • wxkf

    闲社在线客服

  • wx

    关注闲社网微信

  • app

    闲社网APP

Archiver·手机版·闲社网·闲社论坛·羊毛社区· 多链控股集团有限公司 · 苏ICP备2025199260号-1

Powered by Discuz! X5.0   © 2024-2025 闲社网·线报更新论坛·羊毛分享社区·http://xianshe.com

p2p_official_large