← 返回 Skills 市场
Senior Security
作者
Alireza Rezvani
· GitHub ↗
· v2.1.1
· MIT-0
3147
总下载
7
收藏
24
当前安装
2
版本数
在 OpenClaw 中安装
/install senior-security
功能描述
Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guida...
使用说明 (SKILL.md)
Senior Security Engineer
Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.
Table of Contents
- Threat Modeling Workflow
- Security Architecture Workflow
- Vulnerability Assessment Workflow
- Secure Code Review Workflow
- Incident Response Workflow
- Security Tools Reference
- Tools and References
Threat Modeling Workflow
Identify and analyze security threats using STRIDE methodology.
Workflow: Conduct Threat Model
- Define system scope and boundaries:
- Identify assets to protect
- Map trust boundaries
- Document data flows
- Create data flow diagram:
- External entities (users, services)
- Processes (application components)
- Data stores (databases, caches)
- Data flows (APIs, network connections)
- Apply STRIDE to each DFD element (see STRIDE per Element Matrix below)
- Score risks using DREAD:
- Damage potential (1-10)
- Reproducibility (1-10)
- Exploitability (1-10)
- Affected users (1-10)
- Discoverability (1-10)
- Prioritize threats by risk score
- Define mitigations for each threat
- Document in threat model report
- Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped
STRIDE Threat Categories
| Category | Security Property | Mitigation Focus |
|---|---|---|
| Spoofing | Authentication | MFA, certificates, strong auth |
| Tampering | Integrity | Signing, checksums, validation |
| Repudiation | Non-repudiation | Audit logs, digital signatures |
| Information Disclosure | Confidentiality | Encryption, access controls |
| Denial of Service | Availability | Rate limiting, redundancy |
| Elevation of Privilege | Authorization | RBAC, least privilege |
STRIDE per Element Matrix
| DFD Element | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Entity | X | X | ||||
| Process | X | X | X | X | X | X |
| Data Store | X | X | X | X | ||
| Data Flow | X | X | X |
See: references/threat-modeling-guide.md
Security Architecture Workflow
Design secure systems using defense-in-depth principles.
Workflow: Design Secure Architecture
- Define security requirements:
- Compliance requirements (GDPR, HIPAA, PCI-DSS)
- Data classification (public, internal, confidential, restricted)
- Threat model inputs
- Apply defense-in-depth layers:
- Perimeter: WAF, DDoS protection, rate limiting
- Network: Segmentation, IDS/IPS, mTLS
- Host: Patching, EDR, hardening
- Application: Input validation, authentication, secure coding
- Data: Encryption at rest and in transit
- Implement Zero Trust principles:
- Verify explicitly (every request)
- Least privilege access (JIT/JEA)
- Assume breach (segment, monitor)
- Configure authentication and authorization:
- Identity provider selection
- MFA requirements
- RBAC/ABAC model
- Design encryption strategy:
- Key management approach
- Algorithm selection
- Certificate lifecycle
- Plan security monitoring:
- Log aggregation
- SIEM integration
- Alerting rules
- Document architecture decisions
- Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned
Defense-in-Depth Layers
Layer 1: PERIMETER
WAF, DDoS mitigation, DNS filtering, rate limiting
Layer 2: NETWORK
Segmentation, IDS/IPS, network monitoring, VPN, mTLS
Layer 3: HOST
Endpoint protection, OS hardening, patching, logging
Layer 4: APPLICATION
Input validation, authentication, secure coding, SAST
Layer 5: DATA
Encryption at rest/transit, access controls, DLP, backup
Authentication Pattern Selection
| Use Case | Recommended Pattern |
|---|---|
| Web application | OAuth 2.0 + PKCE with OIDC |
| API authentication | JWT with short expiration + refresh tokens |
| Service-to-service | mTLS with certificate rotation |
| CLI/Automation | API keys with IP allowlisting |
| High security | FIDO2/WebAuthn hardware keys |
See: references/security-architecture-patterns.md
Vulnerability Assessment Workflow
Identify and remediate security vulnerabilities in applications.
Workflow: Conduct Vulnerability Assessment
- Define assessment scope:
- In-scope systems and applications
- Testing methodology (black box, gray box, white box)
- Rules of engagement
- Gather information:
- Technology stack inventory
- Architecture documentation
- Previous vulnerability reports
- Perform automated scanning:
- SAST (static analysis)
- DAST (dynamic analysis)
- Dependency scanning
- Secret detection
- Conduct manual testing:
- Business logic flaws
- Authentication bypass
- Authorization issues
- Injection vulnerabilities
- Classify findings by severity:
- Critical: Immediate exploitation risk
- High: Significant impact, easier to exploit
- Medium: Moderate impact or difficulty
- Low: Minor impact
- Develop remediation plan:
- Prioritize by risk
- Assign owners
- Set deadlines
- Verify fixes and document
- Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked
For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10.
Vulnerability Severity Matrix
| Impact \ Exploitability | Easy | Moderate | Difficult |
|---|---|---|---|
| Critical | Critical | Critical | High |
| High | Critical | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
Secure Code Review Workflow
Review code for security vulnerabilities before deployment.
Workflow: Conduct Security Code Review
- Establish review scope:
- Changed files and functions
- Security-sensitive areas (auth, crypto, input handling)
- Third-party integrations
- Run automated analysis:
- SAST tools (Semgrep, CodeQL, Bandit)
- Secret scanning
- Dependency vulnerability check
- Review authentication code:
- Password handling (hashing, storage)
- Session management
- Token validation
- Review authorization code:
- Access control checks
- RBAC implementation
- Privilege boundaries
- Review data handling:
- Input validation
- Output encoding
- SQL query construction
- File path handling
- Review cryptographic code:
- Algorithm selection
- Key management
- Random number generation
- Document findings with severity
- Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented
Security Code Review Checklist
| Category | Check | Risk |
|---|---|---|
| Input Validation | All user input validated and sanitized | Injection |
| Output Encoding | Context-appropriate encoding applied | XSS |
| Authentication | Passwords hashed with Argon2/bcrypt | Credential theft |
| Session | Secure cookie flags set (HttpOnly, Secure, SameSite) | Session hijacking |
| Authorization | Server-side permission checks on all endpoints | Privilege escalation |
| SQL | Parameterized queries used exclusively | SQL injection |
| File Access | Path traversal sequences rejected | Path traversal |
| Secrets | No hardcoded credentials or keys | Information disclosure |
| Dependencies | Known vulnerable packages updated | Supply chain |
| Logging | Sensitive data not logged | Information disclosure |
Secure vs Insecure Patterns
| Pattern | Issue | Secure Alternative |
|---|---|---|
| SQL string formatting | SQL injection | Use parameterized queries with placeholders |
| Shell command building | Command injection | Use subprocess with argument lists, no shell |
| Path concatenation | Path traversal | Validate and canonicalize paths |
| MD5/SHA1 for passwords | Weak hashing | Use Argon2id or bcrypt |
| Math.random for tokens | Predictable values | Use crypto.getRandomValues |
Inline Code Examples
SQL Injection — insecure vs. secure (Python):
# ❌ Insecure: string formatting allows SQL injection
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)
# ✅ Secure: parameterized query — user input never interpreted as SQL
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
Password Hashing with Argon2id (Python):
from argon2 import PasswordHasher
ph = PasswordHasher() # uses secure defaults (time_cost, memory_cost)
# On registration
hashed = ph.hash(plain_password)
# On login — raises argon2.exceptions.VerifyMismatchError on failure
ph.verify(hashed, plain_password)
Secret Scanning — core pattern matching (Python):
import re, pathlib
SECRET_PATTERNS = {
"aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
"github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
"private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
"generic_secret": re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\']?\S{8,}'),
}
def scan_file(path: pathlib.Path) -> list[dict]:
findings = []
for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
for name, pattern in SECRET_PATTERNS.items():
if pattern.search(line):
findings.append({"file": str(path), "line": lineno, "type": name})
return findings
Incident Response Workflow
Respond to and contain security incidents.
Workflow: Handle Security Incident
- Identify and triage:
- Validate incident is genuine
- Assess initial scope and severity
- Activate incident response team
- Contain the threat:
- Isolate affected systems
- Block malicious IPs/accounts
- Disable compromised credentials
- Eradicate root cause:
- Remove malware/backdoors
- Patch vulnerabilities
- Update configurations
- Recover operations:
- Restore from clean backups
- Verify system integrity
- Monitor for recurrence
- Conduct post-mortem:
- Timeline reconstruction
- Root cause analysis
- Lessons learned
- Implement improvements:
- Update detection rules
- Enhance controls
- Update runbooks
- Document and report
- Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented
Incident Severity Levels
| Level | Response Time | Escalation |
|---|---|---|
| P1 - Critical (active breach/exfiltration) | Immediate | CISO, Legal, Executive |
| P2 - High (confirmed, contained) | 1 hour | Security Lead, IT Director |
| P3 - Medium (potential, under investigation) | 4 hours | Security Team |
| P4 - Low (suspicious, low impact) | 24 hours | On-call engineer |
Incident Response Checklist
| Phase | Actions |
|---|---|
| Identification | Validate alert, assess scope, determine severity |
| Containment | Isolate systems, preserve evidence, block access |
| Eradication | Remove threat, patch vulnerabilities, reset credentials |
| Recovery | Restore services, verify integrity, increase monitoring |
| Lessons Learned | Document timeline, identify gaps, update procedures |
Security Tools Reference
Recommended Security Tools
| Category | Tools |
|---|---|
| SAST | Semgrep, CodeQL, Bandit (Python), ESLint security plugins |
| DAST | OWASP ZAP, Burp Suite, Nikto |
| Dependency Scanning | Snyk, Dependabot, npm audit, pip-audit |
| Secret Detection | GitLeaks, TruffleHog, detect-secrets |
| Container Security | Trivy, Clair, Anchore |
| Infrastructure | Checkov, tfsec, ScoutSuite |
| Network | Wireshark, Nmap, Masscan |
| Penetration | Metasploit, sqlmap, Burp Suite Pro |
Cryptographic Algorithm Selection
| Use Case | Algorithm | Key Size |
|---|---|---|
| Symmetric encryption | AES-256-GCM | 256 bits |
| Password hashing | Argon2id | N/A (use defaults) |
| Message authentication | HMAC-SHA256 | 256 bits |
| Digital signatures | Ed25519 | 256 bits |
| Key exchange | X25519 | 256 bits |
| TLS | TLS 1.3 | N/A |
See: references/cryptography-implementation.md
Tools and References
Scripts
| Script | Purpose |
|---|---|
| threat_modeler.py | STRIDE threat analysis with DREAD risk scoring; JSON and text output; interactive guided mode |
| secret_scanner.py | Detect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready |
For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly.
References
| Document | Content |
|---|---|
| security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security |
| threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation |
| cryptography-implementation.md | AES-GCM, RSA, Ed25519, password hashing, key management |
Security Standards Reference
Security Headers Checklist
| Header | Recommended Value |
|---|---|
| Content-Security-Policy | default-src self; script-src self |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation.
Related Skills
| Skill | Integration Point |
|---|---|
| senior-devops | CI/CD security, infrastructure hardening |
| senior-secops | Security monitoring, incident response |
| senior-backend | Secure API development |
| senior-architect | Security architecture decisions |
安全使用建议
This package is internally consistent with its stated purpose. Before installing/using it: (1) review the remainder of SKILL.md (truncated parts) to confirm it does not instruct uploading scan results or contacting external endpoints; (2) be aware that the secret scanner will read files you point it at — avoid scanning sensitive system directories or credential stores unless you intend to; (3) run the scripts in an isolated environment (local checkout or sandbox) and review their output before taking remediation actions; and (4) if you need the agent to run these tools autonomously, consider limiting its available filesystem scope to prevent broad scans.
功能分析
Type: OpenClaw Skill
Name: senior-security
Version: 2.1.1
The bundle is a comprehensive security engineering toolkit providing legitimate workflows for threat modeling, vulnerability assessment, and secure coding. The included Python scripts, 'secret_scanner.py' and 'threat_modeler.py', are well-structured tools for identifying hardcoded credentials and performing STRIDE/DREAD analysis, respectively, with no evidence of malicious behavior or data exfiltration. The documentation and instructions in 'SKILL.md' and the 'references/' directory align perfectly with the stated purpose of assisting a security professional and do not contain any harmful prompt injections or obfuscated code.
能力评估
Purpose & Capability
Name/description (threat modeling, vulnerability analysis, secret scanning) align with the included files: threat_modeler.py and secret_scanner.py plus comprehensive reference docs. There are no unrelated environment variables, binaries, or external services required that would be unexpected for this purpose.
Instruction Scope
SKILL.md defines workflows and triggers for security reviews and references local tools. The included secret_scanner.py is designed to scan local project files for secrets — this is expected for a secret-scanning tool, but it means the agent will need read access to any directories it is asked to scan. There is no instruction in the visible SKILL.md to transmit scan results to external endpoints, but you should verify the truncated portions of the docs for any steps that post results externally before running.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. Two Python scripts are bundled with the skill and will be available to run locally if the agent executes them; that is consistent with the skill description and not unexpected.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The secret-scanner contains regexes that match many cloud/provider keys (expected for a scanner) but the skill does not request those credentials itself.
Persistence & Privilege
always is false and model invocation is permitted by default. The skill does not request permanent agent-level privileges or modify other skills' configs in the provided files. Bundled scripts operate locally and do not request elevated system privileges in the visible code.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install senior-security - 安装完成后,直接呼叫该 Skill 的名称或使用
/senior-security触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
Initial release of senior-security: a comprehensive security engineering toolkit.
- Provides structured workflows for threat modeling (STRIDE), security architecture, vulnerability assessment, and secure code review.
- Includes practical tables and matrices for threat categorization, defense-in-depth planning, and OWASP Top 10 mapping.
- Offers guidance on secure authentication patterns and encryption strategies.
- Covers both automated and manual testing approaches for vulnerability discovery.
- Features extensive trigger support for security engineering activities.
元数据
常见问题
Senior Security 是什么?
Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guida... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 3147 次。
如何安装 Senior Security?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install senior-security」即可一键安装,无需额外配置。
Senior Security 是免费的吗?
是的,Senior Security 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Senior Security 支持哪些平台?
Senior Security 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Senior Security?
由 Alireza Rezvani(@alirezarezvani)开发并维护,当前版本 v2.1.1。
推荐 Skills