Files
Nexus/.skills/nexus-security-review/SKILL.md
T
2026-07-08 22:31:31 +08:00

2.1 KiB

name, description
name description
nexus-security-review Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests.

Nexus Security Review

Use this skill before changing Nexus backend/API code or doing a security pass.

Required workflow

  1. Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call.
  2. Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external.
  3. Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs.
  4. Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks.
  5. For every fix, add pytest coverage for the dangerous case and the allowed case.
  6. Run focused tests, then full pytest when practical, then git diff --check.
  7. Update the Nexus Markdown report with changed files, tests, and residual risks.

Nexus-specific rules

  • Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials.
  • script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction.
  • File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI.
  • Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames.
  • Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types.
  • Error responses must not expose stack traces or secrets.
  • DB access should use SQLAlchemy parameters/query builder, not raw string interpolation.

Review output

For each finding record:

  • Severity: Critical/High/Medium/Low/Hardening
  • Call chain
  • Evidence file/function
  • Exploit or failure boundary
  • Fix summary
  • Test command/result
  • Commit hash if committed