oh-my-codex 0.1.1

package/skills/security-review/SKILL.md

@@ -0,0 +1,284 @@
+---
+name: security-review
+description: Run a comprehensive security review on code
+---
+
+# Security Review Skill
+
+Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
+
+## When to Use
+
+This skill activates when:
+- User requests "security review", "security audit"
+- After writing code that handles user input
+- After adding new API endpoints
+- After modifying authentication/authorization logic
+- Before deploying to production
+- After adding external dependencies
+
+## What It Does
+
+Delegates to the `security-reviewer` agent (Opus model) for deep security analysis:
+
+1. **OWASP Top 10 Scan**
+   - A01: Broken Access Control
+   - A02: Cryptographic Failures
+   - A03: Injection (SQL, NoSQL, Command, XSS)
+   - A04: Insecure Design
+   - A05: Security Misconfiguration
+   - A06: Vulnerable and Outdated Components
+   - A07: Identification and Authentication Failures
+   - A08: Software and Data Integrity Failures
+   - A09: Security Logging and Monitoring Failures
+   - A10: Server-Side Request Forgery (SSRF)
+
+2. **Secrets Detection**
+   - Hardcoded API keys
+   - Passwords in source code
+   - Private keys in repo
+   - Tokens and credentials
+   - Connection strings with secrets
+
+3. **Input Validation**
+   - All user inputs sanitized
+   - SQL/NoSQL injection prevention
+   - Command injection prevention
+   - XSS prevention (output escaping)
+   - Path traversal prevention
+
+4. **Authentication/Authorization**
+   - Proper password hashing (bcrypt, argon2)
+   - Session management security
+   - Access control enforcement
+   - JWT implementation security
+
+5. **Dependency Security**
+   - Run `npm audit` for known vulnerabilities
+   - Check for outdated dependencies
+   - Identify high-severity CVEs
+
+## Agent Delegation
+
+```
+spawn_sub_agent(
+  subagent_type="oh-my-codex:security-reviewer",
+  model="opus",
+  prompt="SECURITY REVIEW TASK
+
+Conduct comprehensive security audit of codebase.
+
+Scope: [specific files or entire codebase]
+
+Security Checklist:
+1. OWASP Top 10 scan
+2. Hardcoded secrets detection
+3. Input validation review
+4. Authentication/authorization review
+5. Dependency vulnerability scan (npm audit)
+
+Output: Security review report with:
+- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
+- Specific file:line locations
+- CVE references where applicable
+- Remediation guidance for each issue
+- Overall security posture assessment"
+)
+```
+
+## External Model Consultation (Preferred)
+
+The security-reviewer agent SHOULD consult Codex for cross-validation.
+
+### Protocol
+1. **Form your OWN security analysis FIRST** - Complete the review independently
+2. **Consult for validation** - Cross-check findings with Codex
+3. **Critically evaluate** - Never blindly adopt external findings
+4. **Graceful fallback** - Never block if tools unavailable
+
+### When to Consult
+- Authentication/authorization code
+- Cryptographic implementations
+- Input validation for untrusted data
+- High-risk vulnerability patterns
+- Production deployment code
+
+### When to Skip
+- Low-risk utility code
+- Well-audited patterns
+- Time-critical security assessments
+- Code with existing security tests
+
+### Tool Usage
+Before first MCP tool use, call `ToolSearch("mcp")` to discover deferred MCP tools.
+Use `mcp__x__ask_codex` with `agent_role: "security-reviewer"`.
+If ToolSearch finds no MCP tools, fall back to the `security-reviewer` Claude agent.
+
+**Note:** Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.
+
+## Output Format
+
+```
+SECURITY REVIEW REPORT
+======================
+
+Scope: Entire codebase (42 files scanned)
+Scan Date: 2026-01-24T14:30:00Z
+
+CRITICAL (2)
+------------
+1. src/api/auth.ts:89 - Hardcoded API Key
+   Finding: AWS API key hardcoded in source code
+   Impact: Credential exposure if code is public or leaked
+   Remediation: Move to environment variables, rotate key immediately
+   Reference: OWASP A02:2021 – Cryptographic Failures
+
+2. src/db/query.ts:45 - SQL Injection Vulnerability
+   Finding: User input concatenated directly into SQL query
+   Impact: Attacker can execute arbitrary SQL commands
+   Remediation: Use parameterized queries or ORM
+   Reference: OWASP A03:2021 – Injection
+
+HIGH (5)
+--------
+3. src/auth/password.ts:22 - Weak Password Hashing
+   Finding: Passwords hashed with MD5 (cryptographically broken)
+   Impact: Passwords can be reversed via rainbow tables
+   Remediation: Use bcrypt or argon2 with appropriate work factor
+   Reference: OWASP A02:2021 – Cryptographic Failures
+
+4. src/components/UserInput.tsx:67 - XSS Vulnerability
+   Finding: User input rendered with dangerouslySetInnerHTML
+   Impact: Cross-site scripting attack vector
+   Remediation: Sanitize HTML or use safe rendering
+   Reference: OWASP A03:2021 – Injection (XSS)
+
+5. src/api/upload.ts:34 - Path Traversal Vulnerability
+   Finding: User-controlled filename used without validation
+   Impact: Attacker can read/write arbitrary files
+   Remediation: Validate and sanitize filenames, use allowlist
+   Reference: OWASP A01:2021 – Broken Access Control
+
+...
+
+MEDIUM (8)
+----------
+...
+
+LOW (12)
+--------
+...
+
+DEPENDENCY VULNERABILITIES
+--------------------------
+Found 3 vulnerabilities via npm audit:
+
+CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
+  Installed: axios@0.21.0
+  Fix: npm install axios@0.21.2
+
+HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
+  Installed: lodash@4.17.19
+  Fix: npm install lodash@4.17.21
+
+...
+
+OVERALL ASSESSMENT
+------------------
+Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
+
+Immediate Actions Required:
+1. Rotate exposed AWS API key
+2. Fix SQL injection in db/query.ts
+3. Upgrade password hashing to bcrypt
+4. Update vulnerable dependencies
+
+Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
+```
+
+## Security Checklist
+
+The security-reviewer agent verifies:
+
+### Authentication & Authorization
+- [ ] Passwords hashed with strong algorithm (bcrypt/argon2)
+- [ ] Session tokens cryptographically random
+- [ ] JWT tokens properly signed and validated
+- [ ] Access control enforced on all protected resources
+- [ ] No authentication bypass vulnerabilities
+
+### Input Validation
+- [ ] All user inputs validated and sanitized
+- [ ] SQL queries use parameterization (no string concatenation)
+- [ ] NoSQL queries prevent injection
+- [ ] File uploads validated (type, size, content)
+- [ ] URLs validated to prevent SSRF
+
+### Output Encoding
+- [ ] HTML output escaped to prevent XSS
+- [ ] JSON responses properly encoded
+- [ ] No user data in error messages
+- [ ] Content-Security-Policy headers set
+
+### Secrets Management
+- [ ] No hardcoded API keys
+- [ ] No passwords in source code
+- [ ] No private keys in repo
+- [ ] Environment variables used for secrets
+- [ ] Secrets not logged or exposed in errors
+
+### Cryptography
+- [ ] Strong algorithms used (AES-256, RSA-2048+)
+- [ ] Proper key management
+- [ ] Random number generation cryptographically secure
+- [ ] TLS/HTTPS enforced for sensitive data
+
+### Dependencies
+- [ ] No known vulnerabilities in dependencies
+- [ ] Dependencies up to date
+- [ ] No CRITICAL or HIGH CVEs
+- [ ] Dependency sources verified
+
+## Severity Definitions
+
+**CRITICAL** - Exploitable vulnerability with severe impact (data breach, RCE, credential theft)
+**HIGH** - Vulnerability requiring specific conditions but serious impact
+**MEDIUM** - Security weakness with limited impact or difficult exploitation
+**LOW** - Best practice violation or minor security concern
+
+## Remediation Priority
+
+1. **Rotate exposed secrets** - Immediate (within 1 hour)
+2. **Fix CRITICAL** - Urgent (within 24 hours)
+3. **Fix HIGH** - Important (within 1 week)
+4. **Fix MEDIUM** - Planned (within 1 month)
+5. **Fix LOW** - Backlog (when convenient)
+
+## Use with Other Skills
+
+**With Pipeline:**
+```
+/pipeline security "review authentication module"
+```
+Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
+
+**With Swarm:**
+```
+/swarm 4:security-reviewer "audit all API endpoints"
+```
+Parallel security review across multiple endpoints.
+
+**With Ralph:**
+```
+/ralph security-review then fix all issues
+```
+Review, fix, re-review until all issues resolved.
+
+## Best Practices
+
+- **Review early** - Security by design, not afterthought
+- **Review often** - Every major feature or API change
+- **Automate** - Run security scans in CI/CD pipeline
+- **Fix immediately** - Don't accumulate security debt
+- **Educate** - Learn from findings to prevent future issues
+- **Verify fixes** - Re-run security review after remediation