‹ 首页

v3-security-overhaul

@spencermarx · 收录于 1 周前

Complete security architecture overhaul for claude-flow v3. Addresses critical CVEs (CVE-1, CVE-2, CVE-3) and implements secure-by-default patterns. Use for security-first v3 implementation.

适合你,如果正在升级 Claude Flow v3 并需要修复已知安全漏洞。

/ 下载安装
v3-security-overhaul.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add spencermarx/open-code-review/v3-security-overhaul
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- spencermarx/open-code-review/v3-security-overhaul
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify spencermarx/open-code-review/v3-security-overhaul
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
296GitHub stars
~473上下文体积 · 单文件
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · d8dfa3b

V3 Security Overhaul

What This Skill Does

Orchestrates comprehensive security overhaul for claude-flow v3, addressing critical vulnerabilities and establishing security-first development practices using specialized v3 security agents.

Quick Start
# Initialize V3 security domain (parallel)
Task("Security architecture", "Design v3 threat model and security boundaries", "v3-security-architect")
Task("CVE remediation", "Fix CVE-1, CVE-2, CVE-3 critical vulnerabilities", "security-auditor")
Task("Security testing", "Implement TDD London School security framework", "test-architect")
Critical Security Fixes
CVE-1: Vulnerable Dependencies
npm update @anthropic-ai/claude-code@^2.0.31
npm audit --audit-level high
CVE-2: Weak Password Hashing
// ❌ Old: SHA-256 with hardcoded salt
const hash = crypto.createHash('sha256').update(password + salt).digest('hex');

// ✅ New: bcrypt with 12 rounds
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
CVE-3: Hardcoded Credentials
// ✅ Generate secure random credentials
const apiKey = crypto.randomBytes(32).toString('hex');
Security Patterns
Input Validation (Zod)
import { z } from 'zod';

const TaskSchema = z.object({
  taskId: z.string().uuid(),
  content: z.string().max(10000),
  agentType: z.enum(['security', 'core', 'integration'])
});
Path Sanitization
function securePath(userPath: string, allowedPrefix: string): string {
  const resolved = path.resolve(allowedPrefix, userPath);
  if (!resolved.startsWith(path.resolve(allowedPrefix))) {
    throw new SecurityError('Path traversal detected');
  }
  return resolved;
}
Safe Command Execution
import { execFile } from 'child_process';

// ✅ Safe: No shell interpretation
const { stdout } = await execFile('git', [userInput], { shell: false });
Success Metrics
  • Security Score: 90/100 (npm audit + custom scans)
  • CVE Resolution: 100% of critical vulnerabilities fixed
  • Test Coverage: >95% security-critical code
  • Implementation: All secure patterns documented and tested
按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。