commit 1937c3f85113ac59043b0a6b948adc6047e7ef9e
Author: Zhongwei Li
Date: Sun Nov 30 08:57:08 2025 +0800
Initial commit
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..fcc5922
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,12 @@
+{
+ "name": "airbot-security",
+ "description": "Security checklist and guidance for AIRBot reviews.",
+ "version": "0.1.0",
+ "author": {
+ "name": "AIRBot Team",
+ "email": "zhongweili@tubi.tv"
+ },
+ "skills": [
+ "./skills"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..30c69e7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# airbot-security
+
+Security checklist and guidance for AIRBot reviews.
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..cc2a20f
--- /dev/null
+++ b/plugin.lock.json
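Review bot: The new plugin.json is written without a trailing newline (the hunk ends with `\ No newline at end of file`), and plugin.lock.json in this same commit has the identical omission; add a final newline to both so every later edit does not show the last line as changed. The manifest also carries no license field while `skills/security-checklist/SKILL.md` declares `license: MIT` in its front matter — if the plugin manifest format accepts a license key, declaring it here would keep the two in step (I cannot confirm the manifest schema from this diff).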
@@ -0,0 +1,45 @@
+{
+ "$schema": "internal://schemas/plugin.lock.v1.json",
+ "pluginId": "gh:sids/airbot:plugins/airbot-security",
+ "normalized": {
+ "repo": null,
+ "ref": "refs/tags/v20251128.0",
+ "commit": "8186b9e64de8bc9c6434d8d5ccc786e57b8f41a6",
+ "treeHash": "0156e195f83555a779cf3af2bf0a57780c4666d55ebd2a0d253875e29ffba4c1",
+ "generatedAt": "2025-11-28T10:28:20.747407Z",
+ "toolVersion": "publish_plugins.py@0.2.0"
+ },
+ "origin": {
+ "remote": "git@github.com:zhongweili/42plugin-data.git",
+ "branch": "master",
+ "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+ "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+ },
+ "manifest": {
+ "name": "airbot-security",
+ "description": "Security checklist and guidance for AIRBot reviews.",
+ "version": "0.1.0"
+ },
+ "content": {
+ "files": [
+ {
+ "path": "README.md",
+ "sha256": "dc24c9bce594a52db8ab40bd6aced72a5ee373e4158172f02e81bd4d7c59dcb6"
+ },
+ {
+ "path": ".claude-plugin/plugin.json",
+ "sha256": "eaea33f9e2db19850224dc148f633b3b5a3bf1b7cf3838b88022776f9b0aaeff"
+ },
+ {
+ "path": "skills/security-checklist/SKILL.md",
+ "sha256": "e79a6bf15eb36cfff017781aebaa41917b193a4137048452db224c722905a6ef"
+ }
+ ],
+ "dirSha256": "0156e195f83555a779cf3af2bf0a57780c4666d55ebd2a0d253875e29ffba4c1"
+ },
+ "security": {
+ "scannedAt": null,
+ "scannerVersion": null,
+ "flags": []
+ }
+}
\ No newline at end of file
diff --git a/skills/security-checklist/SKILL.md b/skills/security-checklist/SKILL.md
new file mode 100644
index 0000000..5344125
--- /dev/null
+++ b/skills/security-checklist/SKILL.md
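Review bot: `origin.repoRoot` commits an absolute path from the author's workstation (`"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"`); it is environment-specific, gives a consumer nothing it can act on, and publishes the developer's local username, so drop the key from the generated lock or record a repository-relative path instead. The `security` block pairs `"scannedAt": null` with `"flags": []`, which lets any reader that looks only at `flags` mistake "never scanned" for "scanned clean" — either omit `flags` until a scan has actually run, or document that readers must gate on `scannedAt` before trusting an empty `flags`. `content.dirSha256` repeats the value of `normalized.treeHash` at a second level, so the two can drift if one generator path is updated without the other; keeping a single copy would be safer. Note also that `pluginId` names `gh:sids/airbot` while `origin.remote` points at `zhongweili/42plugin-data.git`; presumably the published id and the source repository are intentionally different, but it is worth confirming this is not a stale id carried over from the publishing tool.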
@@ -0,0 +1,33 @@
+---
+name: security-checklist
+description: Security review guardrails for AIRBot
+license: MIT
+---
+
+## Mission
+- Detect vulnerabilities, data leaks, and insecure defaults in Node.js/TypeScript services and tooling.
+- Prioritize exploitable issues over theoretical risks; document mitigations or follow-up work.
+
+## High-Priority Findings
+- Exposed secrets: `.env`, tokens, keys, or credentials added to source or logs.
+- Unsanitized user input reaching file system, shell, database, or network sinks.
+- Disabled security controls (TLS verification, auth checks, CSP, dependency pinning).
+- Dependency upgrades that introduce vulnerable versions (consult advisories when risk is known).
+
+## Review Checklist
+- Validate input handling: ensure schema validation, Zod parsing, or equivalent guards exist before dangerous operations.
+- Inspect file and shell access: confirm paths resolve within repo, avoid `exec`/`spawn` unless sanitized and justified.
+- Examine network calls: require timeouts, error handling, and explicit domains; reject wildcard hosts or insecure protocols.
+- Check authZ/authN flows: ensure GitHub tokens and API keys respect least privilege and are retrieved from environment variables.
+- Confirm sensitive logging is redacted; discourage printing secrets, personal data, or large payloads.
+- Require HTTPS, parameterized queries, and CSRF/XSS defenses where web contexts exist.
+
+## Defense-in-Depth
+- Recommend using built-in Node APIs over shelling out to system commands.
+- Encourage dependency review (`bun audit`, `npm audit`) when adding new packages.
+- Promote feature flags or kill switches for risky rollouts.
+
+## Tooling Tips
+- Use `Glob` to locate `*.env`, `config`, or `scripts` directories.
+- `Grep` for dangerous APIs like `child_process`, `eval`, `Function`, `fetch(`, or `axios(` without validation.
+- `Read` diffs around auth flows, credential handling, and new integration points.
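Review bot: The Tooling Tips bullet that greps for `Function` will match every `Function` type annotation and `.prototype` reference in a TypeScript codebase and bury the one construct the checklist actually cares about; narrowing the pattern to `new Function(` keeps the tip actionable. The High-Priority Findings list also has no entry for prototype pollution or unsafe deserialization, which are Node-specific risks in the same class as the `eval`/`child_process` sinks it already names — a bullet such as `- Untrusted JSON or query objects merged into application objects without rejecting __proto__ / constructor keys.` would close that gap. Finally, the "Exposed secrets" item scopes leaks to source and logs; generated metadata and lock files committed alongside the code (this very commit's plugin.lock.json embeds a local workstation path) deserve an explicit mention there, since reviewers rarely open them.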