Elixir Security Review

Reviews Elixir code for security vulnerabilities, covering code injection, atom exhaustion and secret handling. Use when reviewing code that handles user input.
anderskev (source: anderskev)
Uncategorized | clawhub v1.2.2 | 3 versions | 100000 | Key: not required
★ 0 Stars  📥 540 Downloads  💾 1 Installs  3 Versions  #latest

Overview

Elixir Security Review

Quick Reference

Issue Type                           Reference
-----------------------------------  ------------------------------
Code.eval_string, binary_to_term     references/code-injection.md
String.to_atom dangers               references/atom-exhaustion.md
Config, environment variables        references/secrets.md
ETS visibility, process dictionary   references/process-exposure.md

Review Checklist

Critical (Block Merge)

  • [ ] No Code.eval_string/1 on user input
  • [ ] No :erlang.binary_to_term/1 without :safe on untrusted data
  • [ ] No String.to_atom/1 on external input
  • [ ] No hardcoded secrets in source code

Major

  • [ ] ETS tables use appropriate access controls
  • [ ] No sensitive data in process dictionary
  • [ ] No dynamic module creation from user input
  • [ ] Path traversal prevented in file operations

Configuration

  • [ ] Secrets loaded from environment
  • [ ] No secrets in config/*.exs committed to git
  • [ ] Runtime config used for deployment secrets

Valid Patterns (Do NOT Flag)

  • String.to_atom on compile-time constants - Atoms created at compile time are safe
  • Code.eval_string in dev/test - May be needed for tooling
  • ETS :public tables - Valid when intentionally shared
  • binary_to_term with :safe - Explicitly safe option used

Context-Sensitive Rules

Issue            Flag ONLY IF
---------------  -------------------------------------------------
String.to_atom   Input comes from an external source (user, API, file)
binary_to_term   Data comes from an untrusted source
ETS :public      Table contains sensitive data
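An added example, not part of the skill or its reference files, showing each pattern the Critical checklist flags beside the form that the Valid Patterns and Context-Sensitive Rules accept. The module and function names are hypothetical, and `params` is assumed to be a map of external input such as conn.params.

```elixir
defmodule ReviewExamples do
  # Hypothetical module: *_unsafe/1 is the flagged pattern, *_safe/1 the
  # form a reviewer would accept under the checklist above.

  # FLAGGED: String.to_atom/1 on request params. Every new value
  # allocates an atom that is never garbage-collected (atom exhaustion).
  def status_unsafe(params), do: String.to_atom(params["status"])

  # ACCEPTED: the atoms are compile-time constants; external input is
  # only compared against them, so no atom is created at runtime.
  @known_statuses [:active, :paused, :closed]
  def status_safe(params) do
    case Enum.find(@known_statuses, &(Atom.to_string(&1) == params["status"])) do
      nil -> {:error, :unknown_status}
      atom -> {:ok, atom}
    end
  end

  # FLAGGED: decoding untrusted bytes without :safe lets the payload
  # create new atoms and function references while it is decoded.
  def decode_unsafe(bin), do: :erlang.binary_to_term(bin)

  # ACCEPTED: the :safe option from "Valid Patterns"; unsafe terms raise
  # ArgumentError (Erlang badarg) instead of being constructed.
  def decode_safe(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  # FLAGGED: Code.eval_string/1 on a user-supplied expression runs
  # arbitrary code inside the VM.
  def calc_unsafe(expr), do: Code.eval_string(expr)

  # ACCEPTED: parse only, then interpret a fixed arithmetic grammar over
  # the AST. Anything outside that grammar is rejected, never evaluated.
  def calc_safe(expr) do
    case Code.string_to_quoted(expr) do
      {:ok, ast} -> eval_arith(ast)
      {:error, _} -> {:error, :parse_error}
    end
  end

  defp eval_arith(n) when is_number(n), do: {:ok, n}
  defp eval_arith({op, _meta, [lhs, rhs]}) when op in [:+, :-, :*] do
    with {:ok, a} <- eval_arith(lhs), {:ok, b} <- eval_arith(rhs) do
      {:ok, apply(Kernel, op, [a, b])}
    end
  end
  defp eval_arith(_other), do: {:error, :unsupported_expression}
end
```

`calc_safe("2 * (3 + 4)")` returns `{:ok, 14}`, while `calc_safe("System.cmd(\"id\", [])")` returns `{:error, :unsupported_expression}` without running anything.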

Hard gates (before reporting)

Complete in order for each finding you intend to report. Do not advance until the pass condition is satisfied.

  1. Location artifact — The finding includes [FILE:LINE] (or a line range) that you copied from the current file contents; the path resolves in this repo.
  2. Scope read — You read the full surrounding function or module section that contains the flagged code, not only a diff hunk or summary.
  3. External-data claim (only if the finding depends on “user/untrusted input”) — You can name one concrete ingress (for example conn.params, Jason.decode!/1 result, uploaded file path, message from another node) or you drop the finding because the value is compile-time, test-only, or internal per Context-Sensitive Rules.
  4. Protocol — Pre-report steps in review-verification-protocol are satisfied for this item (no finding if they are not).

Before Submitting Findings

Use the issue format: [FILE:LINE] ISSUE_TITLE for each finding.

Hard gate 4 requires review-verification-protocol; use it as the full pre-report checklist and issue-type verification (it extends beyond this skill’s summary).

Version History

3 versions in total

  • v1.2.2 (current)
    2026-06-01 20:53 Safe Safe
  • v1.2.1
    2026-05-03 06:17 Safe Safe
  • v1.2.0
    2026-03-31 00:06 Safe Safe

Security Scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
