UnitOneAI · chenxiaojie555 · Jun 11, 2026
@@ -6,7 +6,7 @@
 meta:
   version: "1.0.0"
   last_updated: "2026-03-05"
-  skill_count: 45
+  skill_count: 46
   role_count: 5
 
 tag_vocabulary:
@@ -138,6 +138,18 @@ skills:
     file: skills/identity/privileged-access/SKILL.md
     compatible_tools: [claude-code, gemini-cli, cursor, codex-cli, openclaw, kiro]
 
+  - id: download-export-authorization-review
+    name: "Download and Export Authorization Review"
+    tags: [identity, authorization, export, download, data-exposure]
+    role: [security-engineer, appsec-engineer, architect]
+    phase: [design, build, review]
+    activity: [review, assess, test]
+    frameworks: [OWASP-API-Security-2023, OWASP-ASVS, NIST-SP-800-53-AC]
+    difficulty: intermediate
+    time_estimate: "30-60min"
+    file: skills/identity/download-export-authorization-review/SKILL.md
+    compatible_tools: [claude-code, gemini-cli, cursor, codex-cli, openclaw, kiro]
+
   # -- Cloud ----------------------------------------------------------------
   - id: aws-review
     name: "AWS Security Posture Review"

@@ -0,0 +1,50 @@
+# Download and Export Authorization Review
+
+This skill reviews file generation and delivery paths where a user can export,
+download, or receive data outside normal interactive screens. It focuses on the
+authorization split between:
+
+- generation time, when an export job decides which rows and fields to include;
+- retrieval time, when a user, worker, email recipient, CDN, or pre-signed URL
+  delivers the generated file.
+
+The skill is intended for SaaS admin panels, customer portals, reporting
+services, support tools, data rooms, scheduled reports, and bulk-download APIs.
+
+## What It Catches
+
+- Export endpoints that trust client-supplied `tenant_id`, `account_id`, or
+  object IDs.
+- Async workers that generate files with broad service-account privileges.
+- Pre-signed URLs that remain valid after user removal or role downgrade.
+- Cached export files shared across actors or tenants.
+- UI-hidden fields that reappear in CSV, PDF, or ZIP exports.
+- Job IDs or file keys that can be guessed and claimed by another user.
+- Support/admin exports without approval, purpose, or durable audit evidence.
+
+## What Good Looks Like
+
+A safe export path re-checks authorization before generation and retrieval,
+binds generated files to actor, tenant, data scope, policy version, and expiry,
+uses short-lived revocable links, and includes negative tests for cross-tenant
+IDs, stale jobs, hidden fields, revoked users, and expired links.
+
+## Test Fixtures
+
+The `tests/vulnerable` fixtures show patterns that should be reported:
+
+- screen-level access reused as export authorization;
+- pre-signed links not bound to current user authorization;
+- background jobs expanding scope with service credentials.
+
+The `tests/benign` fixtures show acceptable patterns:
+
+- server-side object authorization before serialization;
+- pre-signed link issuance with revocation and short TTL;
+- policy snapshots revalidated by workers and download endpoints.
+
+## Bounty Reference
+
+Implements requested new skill issue:
+
+- https://github.com/UnitOneAI/SecuritySkills/issues/556