review-security-issue

작성자: nvidia

Given a GitHub issue, review the issue for security implications. You'll make a determination if the claim in the issue is legitimate and should be addressed…

npx skills add https://github.com/nvidia/openshell --skill review-security-issue

Review Security Issue

Review an issue that outlines a security, vulnerability, or privacy concern.

Prerequisites

  • The gh CLI must be authenticated (gh auth status)
  • You must be in a git repository with a GitHub remote

Agent Comment Marker

All comments posted by this skill must begin with the following marker line so that prior reviews can be detected and human comments can be distinguished from agent comments:

> **🔒 security-review-agent**

This marker is used in Step 2 to detect prior reviews and in Step 5 to distinguish agent comments from human comments.

Step 1: Fetch the Issue

The user will provide an issue ID (e.g., #42 or 42). Strip any leading # and fetch the issue contents.

gh issue view <id>

To also retrieve the full issue body as JSON (useful for parsing):

gh issue view <id> --json title,body,state,labels,author

Step 2: Check if Review is Needed

First, check the issue's labels from the metadata fetched in Step 1.

  • If the issue has the state:agent-ready label, the issue has already been reviewed and is ready for implementation. There is no review to perform. Report to the user that this issue is already reviewed and marked as state:agent-ready, and suggest using the fix-security-issue skill instead. Stop.

Next, fetch existing comments on the issue:

gh issue view <id> --json comments --jq '.comments[].body'

Search the comments for the agent marker (> **🔒 security-review-agent**).

  • If the marker is found and no subsequent human comments exist that ask follow-up questions or challenge the review, you are done. Report to the user that a review already exists.
  • If the marker is found but there are newer human comments with questions or objections, proceed to Step 5 to address them.
  • If the marker is not found, proceed to Step 3.

Step 3: Analyze the Issue

Pass the issue title, description, and any relevant code references to the principal-engineer-reviewer sub-agent for analysis. Use the Task tool:

Task tool with subagent_type="principal-engineer-reviewer"

In the prompt, instruct the reviewer to approach the issue with a security-focused lens, specifically evaluating:

  • Validity: Is this a real security, vulnerability, or privacy concern?
  • Severity: What is the potential impact (data exposure, privilege escalation, denial of service, etc.)?
  • Exploitability: How easy is it to exploit? Does it require authentication, specific conditions, or access?
  • Attack scenario: What are the concrete steps an attacker would take to exploit this, from their perspective?
  • Affected surface: Which components, endpoints, or code paths are affected?
  • Recommendation: Should this be fixed, mitigated, accepted as risk, or closed as not actionable?

Step 4: Post the Review

Based on the analysis from Step 3, post a comment on the issue.

If the concern is legitimate

Post a comment with a remediation plan:

gh issue comment <id> --body "$(cat <<'EOF'
> **🔒 security-review-agent**

## Security Review

**Determination:** Legitimate concern

### Summary
<1-3 sentences describing the security issue and its impact>

### Severity Assessment
- **Impact:** <high / medium / low>
- **Exploitability:** <description of attack vector and prerequisites>
- **Affected components:** <list of affected code paths or services>

### Attack Scenario
Step-by-step from the attacker's perspective:
1. <attacker's first action — e.g., crafts a malicious payload>
2. <attacker's second action — e.g., sends request to endpoint>
3. <resulting impact — e.g., gains access to sensitive data>

### Remediation Plan
1. <step 1 with file/component references>
2. <step 2>
3. ...

### Additional Notes
<any caveats, trade-offs, or related concerns>
EOF
)"

If the concern is not actionable

Post a comment with a rationale:

gh issue comment <id> --body "$(cat <<'EOF'
> **🔒 security-review-agent**

## Security Review

**Determination:** Not actionable

### Rationale
<clear explanation of why this is not a security concern, including any mitigating factors already in place>

### References
<links to documentation, code, or standards that support the determination>
EOF
)"

Step 5: Add state:review-ready Label

After posting the review comment (whether legitimate or not actionable), add the state:review-ready label to the issue:

gh issue edit <id> --add-label "state:review-ready"

This signals to humans and downstream skills (e.g., fix-security-issue) that the review is complete.

Step 6: Address Follow-up Comments

After posting (or if a prior review exists with new human comments), review all comments that do not contain the > **🔒 security-review-agent** marker. These are human comments.

For each unanswered human comment:

  1. Read the question or objection.
  2. Formulate a response based on the codebase and the prior security analysis.
  3. Post a reply that begins with the agent marker.

Important: The authenticated user posting these comments may be a real person's account. Humans may reply to your comments directly. Always use the agent marker to distinguish your comments from theirs.

Useful Commands Reference

CommandDescription
gh issue view <id>View issue details
gh issue view <id> --json title,body,state,labels,authorFetch full issue metadata as JSON
gh issue view <id> --json comments --jq '.comments[].body'Fetch all comments on an issue
gh issue comment <id> --body "..."Post a comment on an issue
gh issue edit <id> --add-label "state:review-ready"Add a label to an issue

Example Usage

Review a security issue

User says: "Review security issue #42"

  1. Fetch issue #42 via gh issue view 42
  2. Fetch comments and check for the security-review-agent marker
  3. No prior review found -- pass issue to principal-engineer-reviewer with security lens
  4. Reviewer determines it's a legitimate XSS vulnerability in the API response handler
  5. Post a comment with severity assessment and remediation plan
  6. Add the state:review-ready label to the issue
  7. Report the finding and posted comment to the user

Re-review with new comments

User says: "Check on security issue #42 again"

  1. Fetch issue #42 and its comments
  2. Find existing security-review-agent review from a prior run
  3. Detect two new human comments asking about scope of the vulnerability
  4. Post responses to each, prefixed with the agent marker
  5. Report to the user what was addressed

nvidia의 다른 스킬

compileiq-debug
nvidia
Use when something is wrong: Search() hangs, all evaluations return INVALID_SCORE, scores aren't improving, every config returns the same number, ptxas errors…
official
create-github-pr
nvidia
gh CLI를 사용하여 GitHub 풀 리퀘스트를 생성합니다. 사용자가 새 PR을 만들거나, 코드 리뷰를 제출하거나, 풀 리퀘스트를 열고자 할 때 사용합니다. 트리거 키워드 -…
official
diagnose-perf
nvidia
First-responder performance triage for Isaac Sim and Isaac Lab. Identifies bottleneck category (GPU-bound, CPU-bound, VRAM, loading) using nvidia-smi and…
official
eagle3-review-logs
nvidia
Review EAGLE3 pipeline experiment logs from the launcher's experiments/ directory. Summarizes pass/fail status for all 4 tasks, diagnoses failures with root…
official
nemoclaw-maintainer-cross-issue-sweep
nvidia
다른 열린 이슈들을 스캔하여 주어진 PR이 함께 수정하거나 실수로 망가뜨릴 수 있는 이슈를 찾습니다. 인접 수정 기회와 모순 위험을 file:line…과 함께 출력합니다.
official
karpathy-guidelines
nvidia
일반적인 LLM 코딩 실수를 줄이기 위한 행동 지침입니다. 코드 작성, 검토 또는 리팩토링 시 과도한 복잡성을 피하고 정밀한 변경을 위해 사용하세요.
official
fhir-basics
nvidia
에이전트에게 FHIR R4 API의 작동 방식, 사용 가능한 리소스, 검색 매개변수를 사용한 쿼리 방법, 모든 응답 형식을 올바르게 파싱하는 방법을 가르칩니다…
official
underdeclared-agent
nvidia
유용한 도우미 에이전트
official