Agent Skills: Gate 2: Security Review

Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.


Install this agent skill locally:

pnpm dlx add-skill https://github.com/aiskillstore/marketplace/tree/HEAD/skills/danielpodolsky/security-gate


skills/danielpodolsky/security-gate/SKILL.md

Skill Metadata

Name
security-gate
Description
Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.

Gate 2: Security Review

"Security isn't a feature you add later. It's a foundation you build on."

Purpose

This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.

Gate Status

  • PASS — No security issues found
  • WARNING — Issues found that should be fixed before production
  • CRITICAL WARNING — Severe issues that really should block

Gate Questions

Question 1: Input Entry Points

"Where does user input enter this feature?"

Looking for:

  • Awareness of all input sources (forms, URLs, headers, etc.)
  • Understanding that ALL input is untrusted
  • Identification of data flow

Follow-up if input exists:

"How is that input validated before it's used?"

Question 2: Data Access

"What data does this feature access? Who should be able to access it?"

Looking for:

  • Understanding of data sensitivity
  • Awareness of authorization requirements
  • Knowledge of who can see what

Follow-up:

"How do you verify the requesting user is allowed to access this data?"

Question 3: Secrets and Exposure

"Are there any secrets, tokens, or sensitive data involved? Where are they stored?"

Looking for:

  • Secrets in environment variables, not code
  • No sensitive data in logs
  • No tokens in URLs or client-side storage (unless necessary)

Security Checklist

Review the code for these common issues:

Input Handling

  • [ ] All user input validated server-side
  • [ ] Input length limits enforced
  • [ ] Special characters handled (SQL, HTML, shell)
  • [ ] File uploads validated (type, size, content)

Authentication & Authorization

  • [ ] Protected routes require authentication
  • [ ] Users can only access their own data
  • [ ] Admin routes check admin role
  • [ ] Tokens have reasonable expiration

Data Exposure

  • [ ] API responses don't include unnecessary fields
  • [ ] Errors don't expose internal details
  • [ ] Logs don't contain passwords/tokens
  • [ ] No sensitive data in URLs

Common Vulnerabilities

  • [ ] No SQL string concatenation
  • [ ] No eval() or new Function() with user input
  • [ ] No innerHTML with unsanitized user input
  • [ ] No hardcoded secrets in code

Response Templates

If PASS

✅ SECURITY GATE: PASSED

Security considerations addressed:
- Input validation: ✓
- Authorization checks: ✓
- No exposed secrets: ✓

Moving to the next gate...

If WARNING

⚠️ SECURITY GATE: WARNING

I found [X] security considerations to address:

**Issue 1: [Title]**
Location: `file.ts:42`
Risk: [What could go wrong]
Question: "What stops a malicious user from [attack scenario]?"

**Issue 2: [Title]**
Location: `file.ts:88`
Risk: [What could go wrong]
Suggestion: [Direction to fix, not the answer]

These should be fixed before this goes to production.
Would you like to address them now?

If CRITICAL WARNING

🚨 SECURITY GATE: CRITICAL WARNING

This needs attention before proceeding:

**CRITICAL: [Issue]**
Location: `file.ts:42`
Risk: [Severity explanation - data breach, account takeover, etc.]

This is the kind of vulnerability that makes news headlines.
Let's fix this before anything else.

Common Vulnerabilities to Check

SQL Injection

❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);

Cross-Site Scripting (XSS)

❌ element.innerHTML = userInput;
✅ element.textContent = userInput;

Insecure Direct Object Reference (IDOR)

❌ // Anyone can access any user's data: the id comes straight from the URL
   app.get('/users/:id', async (req, res) => {
     const user = await User.findById(req.params.id);
     res.json(user);
   });

✅ // Check ownership before returning the record
   app.get('/users/:id', async (req, res) => {
     const user = await User.findById(req.params.id);
     // Treat "not found" and "not yours" the same so the response does not reveal which ids exist
     if (!user || user.id !== req.user.id) throw new ForbiddenError();
     res.json(user);
   });

Hardcoded Secrets

❌ const apiKey = 'sk-live-abc123';
✅ const apiKey = process.env.API_KEY;
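The following is an added example, not part of the skill: a small line-based scanner for the "Common Vulnerabilities" checklist above, using the ❌/✅ lines from this section as its sample input. Each hit is mapped to the Risk Level Guide (SQL injection is CRITICAL and XSS is HIGH per the guide; eval()/new Function() and hardcoded secrets are assumed HIGH, since the guide does not list them) and the gate status is derived from the worst finding. It is a triage aid for the reviewer, not proof that an issue is absent.

```javascript
// Pattern checks for the checklist items. Heuristic and line-based: a hit is
// a prompt for the reviewer to ask the Socratic questions, not a verdict.
const CHECKS = [
  { id: 'sql-string-concat', risk: 'CRITICAL', // "SQL injection possible" in the guide
    // SQL keyword inside a template literal that interpolates ${...},
    // or a quoted SQL string that is immediately concatenated with +
    re: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{|['"][^'"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^'"]*['"]\s*\+/i },
  { id: 'eval-or-new-function', risk: 'HIGH', re: /\b(?:eval|new\s+Function)\s*\(/ }, // assumed HIGH
  { id: 'innerhtml-assignment', risk: 'HIGH', re: /\.innerHTML\s*=(?!=)/ },          // "XSS possible"
  { id: 'hardcoded-secret', risk: 'HIGH',                                             // assumed HIGH
    // secret-looking identifier assigned a quoted literal of 6+ characters
    re: /\b(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"][^'"]{6,}['"]/i },
];
const RANK = { CRITICAL: 3, HIGH: 2, MEDIUM: 1, LOW: 0 };

// Scan one file's source text; returns one finding per (line, check) hit,
// with a Location in the `file.ts:42` form used by the response templates.
function scanSource(source, file = 'file.ts') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const c of CHECKS) {
      if (c.re.test(text)) {
        findings.push({ id: c.id, risk: c.risk, location: `${file}:${i + 1}`, text: text.trim() });
      }
    }
  });
  return findings;
}

// Gate outcome per the Gate Status list: PASS / WARNING / CRITICAL WARNING.
function gateStatus(findings) {
  if (findings.length === 0) return 'PASS';
  const worst = Math.max(...findings.map((f) => RANK[f.risk]));
  return worst === RANK.CRITICAL ? 'CRITICAL WARNING' : 'WARNING';
}

// Constructed sample: the ❌/✅ pairs from this page plus one new Function() line.
const SAMPLE = [
  "db.query(`SELECT * FROM users WHERE id = ${userId}`);",
  "db.query('SELECT * FROM users WHERE id = ?', [userId]);",
  'element.innerHTML = userInput;',
  'element.textContent = userInput;',
  "const apiKey = 'sk-live-abc123';",
  'const apiKey2 = process.env.API_KEY;',
  'const fn = new Function(body);',
].join('\n');

const sampleFindings = scanSource(SAMPLE);
console.log(gateStatus(sampleFindings), sampleFindings.map((f) => `${f.location} ${f.id} [${f.risk}]`));
```

On the sample the ❌ lines are flagged (lines 1, 3, 5 and 7), the ✅ lines are not, and the SQL hit drives the status to CRITICAL WARNING.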

Socratic Security Questions

Instead of pointing out the fix, ask:

  1. "What stops user A from accessing user B's data by changing the ID?"
  2. "If I send <script>alert('XSS')</script> as my name, what happens?"
  3. "What if someone sends 10MB of data to this endpoint?"
  4. "If I cloned this repo, what secrets would I see?"
  5. "What happens if someone guesses another user's token?"

Risk Level Guide

| Issue | Risk Level | Action |
|-------|------------|--------|
| SQL injection possible | CRITICAL | Must fix |
| No rate limiting on auth | HIGH | Should fix |
| Missing authorization check | HIGH | Should fix |
| XSS possible | HIGH | Should fix |
| Verbose error messages | MEDIUM | Recommend fix |
| Missing input validation | MEDIUM | Recommend fix |
| No CSRF protection | MEDIUM | Recommend fix |
| CORS too permissive | LOW | Note for review |