Senior Security
Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guida...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 4 · 2.2k · 16 current installs · 16 all-time installs
byAlireza Rezvani@alirezarezvani
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (threat modeling, vulnerability analysis, secret scanning) align with the included files: threat_modeler.py and secret_scanner.py plus comprehensive reference docs. There are no unrelated environment variables, binaries, or external services required that would be unexpected for this purpose.
Instruction Scope
SKILL.md defines workflows and triggers for security reviews and references local tools. The included secret_scanner.py is designed to scan local project files for secrets — this is expected for a secret-scanning tool, but it means the agent will need read access to any directories it is asked to scan. There is no instruction in the visible SKILL.md to transmit scan results to external endpoints, but you should verify the truncated portions of the docs for any steps that post results externally before running.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. Two Python scripts are bundled with the skill and will be available to run locally if the agent executes them; that is consistent with the skill description and not unexpected.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The secret-scanner contains regexes that match many cloud/provider keys (expected for a scanner) but the skill does not request those credentials itself.
Persistence & Privilege
always is false and model invocation is permitted by default. The skill does not request permanent agent-level privileges or modify other skills' configs in the provided files. Bundled scripts operate locally and do not request elevated system privileges in the visible code.
Assessment
This package is internally consistent with its stated purpose. Before installing/using it: (1) review the remainder of SKILL.md (truncated parts) to confirm it does not instruct uploading scan results or contacting external endpoints; (2) be aware that the secret scanner will read files you point it at — avoid scanning sensitive system directories or credential stores unless you intend to; (3) run the scripts in an isolated environment (local checkout or sandbox) and review their output before taking remediation actions; and (4) if you need the agent to run these tools autonomously, consider limiting its available filesystem scope to prevent broad scans.Like a lobster shell, security has layers — review code before you run it.
Current versionv2.1.1
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Senior Security Engineer
Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.
Table of Contents
- Threat Modeling Workflow
- Security Architecture Workflow
- Vulnerability Assessment Workflow
- Secure Code Review Workflow
- Incident Response Workflow
- Security Tools Reference
- Tools and References
Threat Modeling Workflow
Identify and analyze security threats using STRIDE methodology.
Workflow: Conduct Threat Model
- Define system scope and boundaries:
- Identify assets to protect
- Map trust boundaries
- Document data flows
- Create data flow diagram:
- External entities (users, services)
- Processes (application components)
- Data stores (databases, caches)
- Data flows (APIs, network connections)
- Apply STRIDE to each DFD element (see STRIDE per Element Matrix below)
- Score risks using DREAD:
- Damage potential (1-10)
- Reproducibility (1-10)
- Exploitability (1-10)
- Affected users (1-10)
- Discoverability (1-10)
- Prioritize threats by risk score
- Define mitigations for each threat
- Document in threat model report
- Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped
STRIDE Threat Categories
| Category | Security Property | Mitigation Focus |
|---|---|---|
| Spoofing | Authentication | MFA, certificates, strong auth |
| Tampering | Integrity | Signing, checksums, validation |
| Repudiation | Non-repudiation | Audit logs, digital signatures |
| Information Disclosure | Confidentiality | Encryption, access controls |
| Denial of Service | Availability | Rate limiting, redundancy |
| Elevation of Privilege | Authorization | RBAC, least privilege |
STRIDE per Element Matrix
| DFD Element | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | X | ||||
| Process | X | X | X | X | X | X |
| Data Store | X | X | X | X | ||
| Data Flow | X | X | X |
See: references/threat-modeling-guide.md
Security Architecture Workflow
Design secure systems using defense-in-depth principles.
Workflow: Design Secure Architecture
- Define security requirements:
- Compliance requirements (GDPR, HIPAA, PCI-DSS)
- Data classification (public, internal, confidential, restricted)
- Threat model inputs
- Apply defense-in-depth layers:
- Perimeter: WAF, DDoS protection, rate limiting
- Network: Segmentation, IDS/IPS, mTLS
- Host: Patching, EDR, hardening
- Application: Input validation, authentication, secure coding
- Data: Encryption at rest and in transit
- Implement Zero Trust principles:
- Verify explicitly (every request)
- Least privilege access (JIT/JEA)
- Assume breach (segment, monitor)
- Configure authentication and authorization:
- Identity provider selection
- MFA requirements
- RBAC/ABAC model
- Design encryption strategy:
- Key management approach
- Algorithm selection
- Certificate lifecycle
- Plan security monitoring:
- Log aggregation
- SIEM integration
- Alerting rules
- Document architecture decisions
- Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned
Defense-in-Depth Layers
Layer 1: PERIMETER
WAF, DDoS mitigation, DNS filtering, rate limiting
Layer 2: NETWORK
Segmentation, IDS/IPS, network monitoring, VPN, mTLS
Layer 3: HOST
Endpoint protection, OS hardening, patching, logging
Layer 4: APPLICATION
Input validation, authentication, secure coding, SAST
Layer 5: DATA
Encryption at rest/transit, access controls, DLP, backup
Authentication Pattern Selection
| Use Case | Recommended Pattern |
|---|---|
| Web application | OAuth 2.0 + PKCE with OIDC |
| API authentication | JWT with short expiration + refresh tokens |
| Service-to-service | mTLS with certificate rotation |
| CLI/Automation | API keys with IP allowlisting |
| High security | FIDO2/WebAuthn hardware keys |
See: references/security-architecture-patterns.md
Vulnerability Assessment Workflow
Identify and remediate security vulnerabilities in applications.
Workflow: Conduct Vulnerability Assessment
- Define assessment scope:
- In-scope systems and applications
- Testing methodology (black box, gray box, white box)
- Rules of engagement
- Gather information:
- Technology stack inventory
- Architecture documentation
- Previous vulnerability reports
- Perform automated scanning:
- SAST (static analysis)
- DAST (dynamic analysis)
- Dependency scanning
- Secret detection
- Conduct manual testing:
- Business logic flaws
- Authentication bypass
- Authorization issues
- Injection vulnerabilities
- Classify findings by severity:
- Critical: Immediate exploitation risk
- High: Significant impact, easier to exploit
- Medium: Moderate impact or difficulty
- Low: Minor impact
- Develop remediation plan:
- Prioritize by risk
- Assign owners
- Set deadlines
- Verify fixes and document
- Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked
For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10.
Vulnerability Severity Matrix
| Impact \ Exploitability | Easy | Moderate | Difficult |
|---|---|---|---|
| Critical | Critical | Critical | High |
| High | Critical | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
Secure Code Review Workflow
Review code for security vulnerabilities before deployment.
Workflow: Conduct Security Code Review
- Establish review scope:
- Changed files and functions
- Security-sensitive areas (auth, crypto, input handling)
- Third-party integrations
- Run automated analysis:
- SAST tools (Semgrep, CodeQL, Bandit)
- Secret scanning
- Dependency vulnerability check
- Review authentication code:
- Password handling (hashing, storage)
- Session management
- Token validation
- Review authorization code:
- Access control checks
- RBAC implementation
- Privilege boundaries
- Review data handling:
- Input validation
- Output encoding
- SQL query construction
- File path handling
- Review cryptographic code:
- Algorithm selection
- Key management
- Random number generation
- Document findings with severity
- Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented
Security Code Review Checklist
| Category | Check | Risk |
|---|---|---|
| Input Validation | All user input validated and sanitized | Injection |
| Output Encoding | Context-appropriate encoding applied | XSS |
| Authentication | Passwords hashed with Argon2/bcrypt | Credential theft |
| Session | Secure cookie flags set (HttpOnly, Secure, SameSite) | Session hijacking |
| Authorization | Server-side permission checks on all endpoints | Privilege escalation |
| SQL | Parameterized queries used exclusively | SQL injection |
| File Access | Path traversal sequences rejected | Path traversal |
| Secrets | No hardcoded credentials or keys | Information disclosure |
| Dependencies | Known vulnerable packages updated | Supply chain |
| Logging | Sensitive data not logged | Information disclosure |
Secure vs Insecure Patterns
| Pattern | Issue | Secure Alternative |
|---|---|---|
| SQL string formatting | SQL injection | Use parameterized queries with placeholders |
| Shell command building | Command injection | Use subprocess with argument lists, no shell |
| Path concatenation | Path traversal | Validate and canonicalize paths |
| MD5/SHA1 for passwords | Weak hashing | Use Argon2id or bcrypt |
| Math.random for tokens | Predictable values | Use crypto.getRandomValues |
Inline Code Examples
SQL Injection — insecure vs. secure (Python):
# ❌ Insecure: string formatting allows SQL injection
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)
# ✅ Secure: parameterized query — user input never interpreted as SQL
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
Password Hashing with Argon2id (Python):
from argon2 import PasswordHasher
ph = PasswordHasher() # uses secure defaults (time_cost, memory_cost)
# On registration
hashed = ph.hash(plain_password)
# On login — raises argon2.exceptions.VerifyMismatchError on failure
ph.verify(hashed, plain_password)
Secret Scanning — core pattern matching (Python):
import re, pathlib
SECRET_PATTERNS = {
"aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
"github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
"private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
"generic_secret": re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\']?\S{8,}'),
}
def scan_file(path: pathlib.Path) -> list[dict]:
findings = []
for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
for name, pattern in SECRET_PATTERNS.items():
if pattern.search(line):
findings.append({"file": str(path), "line": lineno, "type": name})
return findings
Incident Response Workflow
Respond to and contain security incidents.
Workflow: Handle Security Incident
- Identify and triage:
- Validate incident is genuine
- Assess initial scope and severity
- Activate incident response team
- Contain the threat:
- Isolate affected systems
- Block malicious IPs/accounts
- Disable compromised credentials
- Eradicate root cause:
- Remove malware/backdoors
- Patch vulnerabilities
- Update configurations
- Recover operations:
- Restore from clean backups
- Verify system integrity
- Monitor for recurrence
- Conduct post-mortem:
- Timeline reconstruction
- Root cause analysis
- Lessons learned
- Implement improvements:
- Update detection rules
- Enhance controls
- Update runbooks
- Document and report
- Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented
Incident Severity Levels
| Level | Response Time | Escalation |
|---|---|---|
| P1 - Critical (active breach/exfiltration) | Immediate | CISO, Legal, Executive |
| P2 - High (confirmed, contained) | 1 hour | Security Lead, IT Director |
| P3 - Medium (potential, under investigation) | 4 hours | Security Team |
| P4 - Low (suspicious, low impact) | 24 hours | On-call engineer |
Incident Response Checklist
| Phase | Actions |
|---|---|
| Identification | Validate alert, assess scope, determine severity |
| Containment | Isolate systems, preserve evidence, block access |
| Eradication | Remove threat, patch vulnerabilities, reset credentials |
| Recovery | Restore services, verify integrity, increase monitoring |
| Lessons Learned | Document timeline, identify gaps, update procedures |
Security Tools Reference
Recommended Security Tools
| Category | Tools |
|---|---|
| SAST | Semgrep, CodeQL, Bandit (Python), ESLint security plugins |
| DAST | OWASP ZAP, Burp Suite, Nikto |
| Dependency Scanning | Snyk, Dependabot, npm audit, pip-audit |
| Secret Detection | GitLeaks, TruffleHog, detect-secrets |
| Container Security | Trivy, Clair, Anchore |
| Infrastructure | Checkov, tfsec, ScoutSuite |
| Network | Wireshark, Nmap, Masscan |
| Penetration | Metasploit, sqlmap, Burp Suite Pro |
Cryptographic Algorithm Selection
| Use Case | Algorithm | Key Size |
|---|---|---|
| Symmetric encryption | AES-256-GCM | 256 bits |
| Password hashing | Argon2id | N/A (use defaults) |
| Message authentication | HMAC-SHA256 | 256 bits |
| Digital signatures | Ed25519 | 256 bits |
| Key exchange | X25519 | 256 bits |
| TLS | TLS 1.3 | N/A |
See: references/cryptography-implementation.md
Tools and References
Scripts
| Script | Purpose |
|---|---|
| threat_modeler.py | STRIDE threat analysis with DREAD risk scoring; JSON and text output; interactive guided mode |
| secret_scanner.py | Detect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready |
For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly.
References
| Document | Content |
|---|---|
| security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security |
| threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation |
| cryptography-implementation.md | AES-GCM, RSA, Ed25519, password hashing, key management |
Security Standards Reference
Security Headers Checklist
| Header | Recommended Value |
|---|---|
| Content-Security-Policy | default-src self; script-src self |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation.
Related Skills
| Skill | Integration Point |
|---|---|
| senior-devops | CI/CD security, infrastructure hardening |
| senior-secops | Security monitoring, incident response |
| senior-backend | Secure API development |
| senior-architect | Security architecture decisions |
Files
6 totalSelect a file
Select a file to preview.
Comments
Loading comments…