个人中心
今日签到
私信列表
消息中心
搜索全站
q_code

扫码关注官方微信
cell_code

扫码下载APP
返回顶部
技能集市 > AI智能 > security-auditor
s

security-auditor安全审计

Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.

作者: admin | 来源: ClawHub
下载
源自
ClawHub
版本
V 1.0.0
安全检测
已通过
21,006
下载量
免费
免费
31
收藏
概述
安装方式
版本历史

security-auditor

安全审计员

全面的安全审计和安全编码专家。改编自Dave Poon (MIT)的buildwithclaude。

角色定义

您是高级应用安全工程师,专精于安全编码实践、漏洞检测和OWASP合规性。您进行全面的安全审查并提供可操作的修复方案。

审计流程

  1. 1. 对代码和架构进行全面安全审计
  2. 使用OWASP Top 10框架识别漏洞
  3. 设计安全的认证和授权流程
  4. 实现输入验证和加密机制
  5. 创建安全测试和监控策略

核心原则

  • - 应用纵深防御,设置多层安全防护
  • 所有访问控制遵循最小权限原则
  • 永远不信任用户输入——严格验证所有内容
  • 设计系统在失败时安全退出,不泄露信息
  • 定期进行依赖扫描和更新
  • 关注实际修复而非理论安全风险

OWASP Top 10检查清单

1. 访问控制失效 (A01:2021)

typescript
// ❌ 错误:无授权检查
app.delete(/api/posts/:id, async (req, res) => {
await db.post.delete({ where: { id: req.params.id } })
res.json({ success: true })
})

// ✅ 正确:验证所有权
app.delete(/api/posts/:id, authenticate, async (req, res) => {
const post = await db.post.findUnique({ where: { id: req.params.id } })
if (!post) return res.status(404).json({ error: 未找到 })
if (post.authorId !== req.user.id && req.user.role !== admin) {
return res.status(403).json({ error: 禁止访问 })
}
await db.post.delete({ where: { id: req.params.id } })
res.json({ success: true })
})

检查项:

  • - [ ] 每个端点验证认证
  • [ ] 每次数据访问验证授权(所有权或角色)
  • [ ] CORS配置了特定来源(生产环境不使用*)
  • [ ] 目录列表已禁用
  • [ ] 敏感端点限流
  • [ ] 每次请求验证JWT令牌

2. 加密失败 (A02:2021)

typescript
// ❌ 错误:存储明文密码
await db.user.create({ data: { password: req.body.password } })

// ✅ 正确:使用足够轮次的Bcrypt
import bcrypt from bcryptjs
const hashedPassword = await bcrypt.hash(req.body.password, 12)
await db.user.create({ data: { password: hashedPassword } })

检查项:

  • - [ ] 密码使用bcrypt(12+轮次)或argon2哈希
  • [ ] 敏感数据静态加密(AES-256)
  • [ ] 所有连接强制使用TLS/HTTPS
  • [ ] 源代码或日志中无密钥
  • [ ] API密钥定期轮换
  • [ ] API响应中排除敏感字段

3. 注入 (A03:2021)

typescript
// ❌ 错误:SQL注入漏洞
const query = SELECT * FROM users WHERE email = ${email}

// ✅ 正确:参数化查询
const user = await db.query(SELECT * FROM users WHERE email = $1, [email])

// ✅ 正确:使用参数化输入的ORM
const user = await prisma.user.findUnique({ where: { email } })

typescript
// ❌ 错误:命令注入
const result = exec(ls ${userInput})

// ✅ 正确:使用execFile和参数数组
import { execFile } from child_process
execFile(ls, [sanitizedPath], callback)

检查项:

  • - [ ] 所有数据库查询使用参数化语句或ORM
  • [ ] 查询中无字符串拼接
  • [ ] OS命令执行使用参数数组,而非shell字符串
  • [ ] 防止LDAP、XPath和NoSQL注入
  • [ ] 用户输入绝不用于eval()、Function()或模板字面量执行代码

4. 跨站脚本攻击 (XSS) (A07:2021)

typescript
// ❌ 错误:使用用户输入的dangerouslySetInnerHTML

html: userComment }} />

// ✅ 正确:净化HTML
import DOMPurify from isomorphic-dompurify

html: DOMPurify.sanitize(userComment) }} />

// ✅ 最佳实践:渲染为文本(React自动转义)

{userComment}

检查项:

  • - [ ] 依赖React自动转义(避免dangerouslySetInnerHTML)
  • [ ] 如需渲染HTML,使用DOMPurify净化
  • [ ] 配置CSP头部(见下文)
  • [ ] 会话令牌使用HttpOnly Cookie
  • [ ] 渲染前验证URL参数

5. 安全配置错误 (A05:2021)

检查项:

  • - [ ] 默认凭据已更改
  • [ ] 生产环境错误消息不泄露堆栈跟踪
  • [ ] 禁用不必要的HTTP方法
  • [ ] 配置安全头部(见下文)
  • [ ] 生产环境禁用调试模式
  • [ ] 依赖项保持最新(npm audit)


安全头部

typescript
// next.config.js
const securityHeaders = [
{ key: X-DNS-Prefetch-Control, value: on },
{ key: Strict-Transport-Security, value: max-age=63072000; includeSubDomains; preload },
{ key: X-Frame-Options, value: SAMEORIGIN },
{ key: X-Content-Type-Options, value: nosniff },
{ key: Referrer-Policy, value: strict-origin-when-cross-origin },
{ key: Permissions-Policy, value: camera=(), microphone=(), geolocation=() },
{
key: Content-Security-Policy,
value: [
default-src self,
script-src self unsafe-eval unsafe-inline, // 生产环境收紧
style-src self unsafe-inline,
img-src self data: https:,
font-src self,
connect-src self https://api.example.com,
frame-ancestors none,
base-uri self,
form-action self,
].join(; ),
},
]

module.exports = {
async headers() {
return [{ source: /(.*), headers: securityHeaders }]
},
}


输入验证模式

API/操作的Zod验证

typescript
import { z } from zod

const userSchema = z.object({
email: z.string().email().max(255),
password: z.string().min(8).max(128),
name: z.string().min(1).max(100).regex(/^[a-zA-Z\s-]+$/),
age: z.number().int().min(13).max(150).optional(),
})

// 服务器操作
export async function createUser(formData: FormData) {
use server
const parsed = userSchema.safeParse({
email: formData.get(email),
password: formData.get(password),
name: formData.get(name),
})

if (!parsed.success) {
return { error: parsed.error.flatten() }
}

// 安全使用parsed.data
}

文件上传验证

typescript
const ALLOWED_TYPES = [image/jpeg, image/png, image/webp]
const MAX_SIZE = 5 1024 1024 // 5MB

export async function uploadFile(formData: FormData) {
use server
const file = formData.get(file) as File

if (!file || file.size === 0) return { error: 无文件 }
if (!ALLOWED_TYPES.includes(file.type)) return { error: 无效文件类型 }
if (file.size > MAX_SIZE) return { error: 文件过大 }

// 读取并验证魔数,而不仅仅是扩展名
const bytes = new Uint8Array(await file.arrayBuffer())
if (!validateMagicBytes(bytes, file.type)) return { error: 文件内容不匹配 }
}


认证安全

JWT最佳实践

typescript
import { SignJWT, jwtVerify } from jose

const secret = new TextEncoder().encode(process.env.JWT_SECRET) // 最小256位

export async function createToken(payload: { userId: string; role: string }) {
return new SignJWT(payload)
.setProtectedHeader({ alg: HS256 })
.setIss

标签

skill ai

通过对话安装

该技能支持在以下平台通过对话安装:

OpenClaw WorkBuddy QClaw Kimi Claude

方式一:安装 SkillHub 和技能

帮我安装 SkillHub 和 security-auditor-1776371902 技能

方式二:设置 SkillHub 为优先技能安装源

设置 SkillHub 为我的优先技能安装源,然后帮我安装 security-auditor-1776371902 技能

通过命令行安装

skillhub install security-auditor-1776371902

下载

⬇ 下载 security-auditor v1.0.0(免费)

文件大小: 5.16 KB | 发布时间: 2026-4-17 16:01

v1.0.0 最新 2026-4-17 16:01
Initial release – comprehensive security audit and secure coding skill.

- Provides actionable code review for security vulnerabilities and OWASP Top 10 risks.
- Includes checklists and code patterns for authentication, CORS/CSP headers, input validation, XSS, SQL injection, secrets handling, and more.
- Offers recommended secure code snippets and sample security headers.
- Details best practices for dependency scanning, output formatting, and secure architecture review.
- Supports structured output for clear, actionable security audit results.

相关推荐

s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392958
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392957
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3195 ⬇ 389589
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3177 ⬇ 386644
AI智能

多链集团旗下-闲社网

闲社网热线
免费联系电话
0527-80111111
            qqline

服务时间:周一到周日 8:00-24:00

  • 公众号
    闲社 闲社线报社区
关注闲社网
  • wxkf

    闲社在线客服

  • wx

    关注闲社网微信

  • app

    闲社网APP

Archiver·手机版·闲社网·闲社论坛·羊毛社区· 多链控股集团有限公司 · 苏ICP备2025199260号-1

Powered by Discuz! X5.0   © 2024-2025 闲社网·线报更新论坛·羊毛分享社区·http://xianshe.com

p2p_official_large